Arbitrary File Upload in WordPress File Manager Plugin (wp-file-manager) < 6.9
CVE-2020-25213 is a critical vulnerability in the WordPress File Manager (wp-file-manager) plugin prior to version 6.9. The vulnerability arises from the plugin renaming an unsafe example elFinder connector file to have a .php extension, which allows remote attackers to upload and execute arbitrary PHP code. Attackers can leverage elFinder commands (upload, mkfile, put) to write malicious PHP files into the wp-content/plugins/wp-file-manager/lib/files/ directory, leading to full remote code execution on the affected WordPress site. This vulnerability was actively exploited in the wild during August and September 2020.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository is a mixed offensive lab/project bundle rather than a single cohesive exploit. It contains three major components: (1) a Python proof-of-concept exploit for CVE-2020-25213 against the WordPress wp-file-manager plugin, (2) Zerologon exploitation scripts for CVE-2020-1472 targeting Windows domain controllers, and (3) a full copy of the Chisel tunneling utility used as supporting infrastructure for pivoting/tunneling.

The most direct exploit code is Python-exploit-CVE-2020-25213/exploit.py. That script takes a base URL and a command, posts a handcrafted multipart/form-data request to /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php, uploads a PHP file named shell<random>.php containing shell_exec($_REQUEST['cmd']), and then triggers it via /wp-content/plugins/wp-file-manager/lib/files/shell<random>.php?cmd=<command>. This is a real unauthenticated arbitrary file upload leading to RCE against wp-file-manager 6.0-6.9. It is operational but simple: the payload is hardcoded, there is no cleanup, no target validation, and minimal error handling.

The zerologon/ directory contains two Python scripts derived from public Zerologon research. set_empty_pw.py repeatedly attempts Netlogon authentication with all-zero challenge/credential values over MSRPC (ncacn_ip_tcp) until successful, then issues NetrServerPasswordSet2 to set the target DC machine account password to an empty string. reinstall_original_pw.py performs a similar authentication bypass and uses a custom NetrServerPasswordSet RPC structure to restore a supplied original NT hash. These are exploitation scripts, not scanners, and enable severe post-exploitation outcomes when used against an unpatched domain controller.

The chisel/ directory is not exploit code for a CVE; it is a legitimate Go-based TCP/UDP-over-HTTP tunneling tool with client/server modes, WebSocket transport, SSH-based encryption/authentication, optional SOCKS5, reverse tunneling, TLS/mTLS, and proxy support. In the context of this repository, it appears to be included as an operator utility for pivoting or exposing internal services during the broader attack chain described in the top-level README.

The repository structure therefore suggests a coursework/demo attack chain: compromise a vulnerable WordPress client via CVE-2020-25213, use Chisel for tunneling/pivoting, and exploit a vulnerable Windows Server 2019 domain controller via Zerologon. The included code is actionable and offensive, with the WordPress exploit providing immediate command execution and the Zerologon scripts enabling domain-level compromise under the required vulnerable conditions.
This repository contains a Python exploit (exploit.py) targeting CVE-2020-25213, a critical vulnerability in the WordPress File Manager plugin (versions 6.0-6.9). The exploit is unauthenticated and allows remote attackers to upload and execute arbitrary PHP code on the target server. The exploit works by uploading a PHP webshell (shell.php) to the plugin's files directory using a crafted multipart/form-data POST request to the vulnerable elFinder connector endpoint. Once uploaded, the webshell can be accessed to execute arbitrary system commands via the 'cmd' parameter. The repository includes a README.md with usage instructions and context. The main entry point is exploit.py, which is a standalone Python script requiring the target URL and a command to execute. The exploit is operational and was reportedly used in the wild. No detection or fake code is present; the exploit is functional and directly weaponizes the vulnerability.
This repository contains a Python exploit script (exploit.py) targeting CVE-2020-25213, a vulnerability in the WP File Manager plugin for WordPress (versions before 6.9). The exploit allows remote attackers to upload arbitrary files (such as PHP web shells) to the server by abusing an unsafe example connector file that is accessible and executable. The script provides options to check if a target is vulnerable and to upload a file to the vulnerable endpoint. The main code file is exploit.py, which uses the requests library to interact with the target over HTTP. The README.md provides usage instructions and context. The exploit is operational, requiring the attacker to supply a file to upload. The main fingerprintable endpoints are the plugin's readme.txt (for version checking) and the connector.minimal.php file (for exploitation). The repository is structured simply, with a single exploit script, a requirements file, and documentation.
This repository contains a Bash script exploit (wp-file-manager-exploit.sh) targeting CVE-2020-25213, a critical vulnerability in the WordPress wp-file-manager plugin (versions 6.0 to 6.8). The exploit leverages an unauthenticated file upload flaw in the plugin's 'connector.minimal.php' endpoint, allowing attackers to upload arbitrary files (such as PHP web shells) to the server. The script provides options to check for the presence and version of the vulnerable plugin, verify if the endpoint is exploitable, and upload a user-supplied file. The README.md provides detailed usage instructions, references, and background on the vulnerability. The main attack vector is network-based, targeting the '/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php' endpoint on WordPress installations. The exploit is operational, requiring the attacker to supply a payload file, and can result in full remote code execution on vulnerable targets.
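The description and the exploit summaries above name the two artifacts a defender can key on: the plugin's readme.txt (for the installed version) and the example connector plus the lib/files/ upload directory (for exploitation traffic). The following Python script is an added example written for this page; it is not code from Mallory, from the plugin, or from any of the repositories summarised above. It assumes the readme.txt carries the usual WordPress "Stable tag:" line and that the web server writes Apache/nginx combined-format access logs; the readme snippet, log lines and IP addresses are constructed for the demonstration.

```python
"""
Defender-side checks for CVE-2020-25213 (wp-file-manager < 6.9).

Added example, not code from the page, the plugin or the summarised repos.
Assumptions:
  - the plugin's readme.txt is readable and carries a WordPress
    "Stable tag:" line (hypothetical sample below);
  - access logs are in Apache/nginx "combined" format.
All sample inputs below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = (6, 9)  # first release where the unsafe example connector is gone
PLUGIN_PATH = "/wp-content/plugins/wp-file-manager/"
CONNECTOR = PLUGIN_PATH + "lib/php/connector.minimal.php"
UPLOAD_DIR = PLUGIN_PATH + "lib/files/"

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_version(tag: str) -> Tuple[int, ...]:
    """Turn '6.8' or '6.10.1' into a tuple of ints so 6.10 compares above 6.9."""
    return tuple(int(p) for p in re.findall(r"\d+", tag))


def stable_tag(readme_text: str) -> Optional[str]:
    """Extract the 'Stable tag:' value from a WordPress plugin readme.txt."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_vulnerable_version(readme_text: str) -> Optional[bool]:
    """True if the installed version is below 6.9, False if fixed, None if unknown."""
    tag = stable_tag(readme_text)
    if tag is None:
        return None
    return parse_version(tag) < FIXED_VERSION


def classify_request(line: str) -> Optional[Dict[str, str]]:
    """Classify one access-log line; returns None when unrelated to this CVE."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("path")
    path, _, query = raw.partition("?")
    reason = None
    if path == CONNECTOR:
        # The page describes this file as an unsafe *example* connector;
        # legitimate plugin use should never reach it, so any hit is suspicious.
        reason = "example connector reached"
    elif path.startswith(UPLOAD_DIR) and path.endswith(".php"):
        # PHP served from the upload directory is the post-exploitation
        # footprint: uploaded code being executed.
        reason = "php executed from upload dir"
    if reason is None:
        return None
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": path,
        "query": query,
        "status": m.group("status"),
        "reason": reason,
    }


def flag_exploit_attempts(log_lines: List[str]) -> List[Dict[str, str]]:
    """Run classify_request over a log and return only the hits, in order."""
    return [hit for hit in map(classify_request, log_lines) if hit]


# Constructed sample inputs (not real data).
SAMPLE_README = "=== File Manager ===\nRequires at least: 4.0\nStable tag: 6.8\n"
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Sep/2020:10:00:01 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 512 "-" "python-requests/2.24.0"',
    '203.0.113.7 - - [01/Sep/2020:10:00:03 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/shell1234.php?cmd=id HTTP/1.1" 200 77 "-" "python-requests/2.24.0"',
    '198.51.100.2 - - [01/Sep/2020:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("vulnerable version:", is_vulnerable_version(SAMPLE_README))
    for hit in flag_exploit_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['path']} -> {hit['reason']}")
```

The version check is deliberately tuple-based so that a future "6.10" is not mistaken for being older than "6.9". Both signals are worth alerting on independently: a request to the example connector is the attempt, while a successful (2xx) request for a .php file under lib/files/ means code has already been written and executed, which is the point at which the assume-compromise posture applies.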