search

Scanning [Initial-Access]

We came to know that website using WordPress in background. Let's try to find out the plugin involved in that.

wpscan --url http://$nukem --api-token <You_Token>

I found one plugin having RCE.

I will run this.

LogoGitHub - RandomRobbieBF/simple-file-list-rce: Simple File List < 4.2.3 - Unauthenticated Arbitrary File Upload RCEGitHubchevron-right

I have copied the exploit and also gathered php backdoor file which will be needed while running the exploit.

Now, I have downloaded the image file and then saved it in the image.jpg file name.

Running exploit.

Doesn't work at one go.

At first, it didn't work just it said that the plugin version was vulnerable.

hashtag
Other exploit.

LogoWordPress Plugin Simple File List 4.2.2 - Arbitrary File UploadExploit Databasechevron-right

Change IP and port at line number 36.

Didn't work.

hashtag
Other exploit {Worked }

This exploit was suggested with the wpscan result.

Saving the file content in Simple_File_list_exploit.py

Now runing the file.

It requires URL.

After reviewing the payload content, it is clear that we need to pass POST data with the password to execute commands. For example:

Working !!!

Let's Get the reverse shell from this.

Unable to get the reverse shell as both the system is not connected with each other.

I changed the payload to a reverse shell.

circle-exclamation

Add Payload to cheat sheet

Start a listener at port 80 and run the command.

Run the payload again.

Got the shell.

PrevioushttpNextPrivilege escalation

Last updated