PoC details: e97f8dfb6a97b7520d02dea76ac31a00b38319cc

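Source
Related vulnerability
Title: WordPress code issue vulnerability (CVE-2020-25213)
Description: WordPress is a blogging platform developed in PHP. It supports setting up personal blog sites on servers running PHP and MySQL. ghost is a plugin used with it for importing/exporting WordPress data. relevant is a plugin used with it for displaying related content. File Upload is a file upload plugin used with it. PHP is a jointly maintained, open-source, general-purpose scripting language. The language is mainly used for web development and supports many databases and operating systems. elFinder is an open-source AJAX file manager based on the Drupal platform. The product provides multi-file upload, image scaling and other features. Word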
Description
https://medium.com/@mansoorr/exploiting-cve-2020-25213-wp-file-manager-wordpress-plugin-6-9-3f79241f0cd8
Introduction
# WP-file-manager exploit [CVE-2020-25213](https://nvd.nist.gov/vuln/detail/CVE-2020-25213)
The WP-file-manager WordPress plugin (<6.9) is vulnerable to unauthenticated arbitrary file upload, resulting in full compromise of the system.

For more details, refer to my writeup published [here](https://medium.com/@mansoorr/exploiting-cve-2020-25213-wp-file-manager-wordpress-plugin-6-9-3f79241f0cd8).
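
A defender-side check for the affected range stated above (<6.9), added here as an example and not part of the original repository. It assumes the plugin directory slug is `wp-file-manager` under the standard `wp-content/plugins` layout, that the version is read from the usual `Version:` plugin header, and that `sort -V` is available; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag WordPress trees whose wp-file-manager plugin is older than 6.9.
# Assumptions: the plugin directory slug is "wp-file-manager"; the version comes
# from the standard plugin header line "Version: x.y"; sort supports -V.

FIXED_VERSION="6.9"   # the page states versions below 6.9 are affected

# version_lt A B: succeed when dotted version A is strictly lower than B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# plugin_version DIR: print the first Version header in DIR's top-level PHP files.
plugin_version() {
    sed -n -E 's,^[[:space:]*#/]*Version:[[:space:]]*([^[:space:]]+).*$,\1,p' \
        "$1"/*.php 2>/dev/null | head -n 1
}

# audit_wp_root ROOT: print "STATUS<TAB>version<TAB>plugin dir" for one WordPress root.
# Returns 0 for ABSENT/OK, 1 for VULNERABLE, 2 when no version could be read.
audit_wp_root() {
    dir="$1/wp-content/plugins/wp-file-manager"
    if [ ! -d "$dir" ]; then
        printf 'ABSENT\t-\t%s\n' "$dir"
        return 0
    fi
    ver="$(plugin_version "$dir")"
    if [ -z "$ver" ]; then
        printf 'UNKNOWN\t-\t%s\n' "$dir"
        return 2
    fi
    if version_lt "$ver" "$FIXED_VERSION"; then
        printf 'VULNERABLE\t%s\t%s\n' "$ver" "$dir"
        return 1
    fi
    printf 'OK\t%s\t%s\n' "$ver" "$dir"
}

# Usage: sh audit.sh /var/www/site1 /var/www/site2 ...
findings=0
for root in "$@"; do
    audit_wp_root "$root" || findings=$((findings + 1))
done
[ "$findings" -eq 0 ] || echo "$findings root(s) need attention" >&2
```

An `UNKNOWN` result means the plugin directory exists but no version header could be read, so it should be inspected by hand.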

## Disclaimer
I did not discover this vulnerability, nor am I taking any credit for this CVE. I only created the exploit after analyzing the descriptions available on various blogs such as [wordfence](https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/) and [seravo](https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/), with the aim of letting readers understand how to create a PoC just by analyzing the description of a vulnerability.  
I am not responsible for any damage caused to an organization using this exploit, and I would advise readers not to exploit this vulnerability without written consent from the organization, as it may leave the organization open to attacks by other hackers.

## Installation
`git clone https://github.com/mansoorr123/wp-file-manager-CVE-2020-25213.git`  
`chmod +x wp-file-manager-CVE-2020-25213/wp-file-manager-exploit.sh`

## Switches
```
-u|--wp_url				WordPress target URL
-f|--upload_file			Absolute location of the local file to upload to the target.
-k|--check				Only checks whether the vulnerable endpoint exists and has a particular fingerprint. No file is uploaded.
-v|--verbose				Also prints the curl command that is going to be executed
-h|--help				Print the help menu
```

## Usage
```
./wp-file-manager-exploit.sh --wp_url https://www.example.com/wordpress --check
./wp-file-manager-exploit.sh --wp_url https://wordpress.example.com/ -f /tmp/php_hello.php --verbose
```
 
## Snaps

![Screenshot 1](.snaps/wp-file-manager_snap_1.png)
![Screenshot 2](.snaps/wp-file-manager_snap_2.png)
![Screenshot 3](.snaps/wp-file-manager_snap_3.png)

## Credits
1. https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/
2. https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/
File snapshot

```
[4.0K] /data/pocs/e97f8dfb6a97b7520d02dea76ac31a00b38319cc
├── [2.2K] README.md
└── [7.1K] wp-file-manager-exploit.sh

0 directories, 2 files
```