# WP File Manager CVE-2020-25213 Exploit

## Vulnerability Details

- **CVE:** CVE-2020-25213
- **Severity:** CRITICAL (CVSS 9.8)
- **Affected:** WP File Manager plugin versions 6.0 through 6.8 (this script targets 6.0; fixed in 6.9)
- **Impact:** Unauthenticated Remote Code Execution (RCE)

## What It Does

This exploit automates the full attack chain:

1. **Checks vulnerability** - Tests whether the vulnerable elFinder connector shipped with WP File Manager 6.0 is reachable
2. **Uploads web shell** - Uses elFinder connector to upload PHP shell
3. **Gains RCE** - Executes commands on the server
4. **Reads wp-config.php** - Extracts database credentials
5. **Creates admin user** - Inserts WordPress administrator with full privileges
6. **Verifies access** - Confirms admin user creation

## Usage

```bash
python3 exploit_wp_file_manager.py <target_url>
```

### Examples

```bash
# Basic target
python3 exploit_wp_file_manager.py http://example.com

# WordPress in subdirectory
python3 exploit_wp_file_manager.py http://example.com/wordpress

# HTTPS
python3 exploit_wp_file_manager.py https://example.com
```

## Requirements

```bash
pip3 install requests
```

Or install with:
```bash
pip3 install -r requirements.txt
```

## Output

If successful, you'll get:

### RCE Shell Access
```
🕷️ RCE Shell:
   http://example.com/wp-content/plugins/wp-file-manager/lib/files/spidy_XXXX.php?c=<command>
```

### WordPress Admin Credentials
```
🔑 WordPress Admin Credentials:
   URL: http://example.com/wp-login.php
   Username: spidy_admin
   Password: Spidy@Hack123
```

### Database Credentials
```
Database:
   Name: wordpress_test
   User: wordpress
   Pass: testing123
```

## Testing on Local Server

```bash
# Test on the local vulnerable WordPress
python3 exploit_wp_file_manager.py http://147.93.85.111/vulnerable

# Or on the main WordPress installation
python3 exploit_wp_file_manager.py http://147.93.85.111
```

## Customizing Admin Credentials

Edit the `exploit()` method in the script and modify:

```python
username, password = self.create_admin_user(
    db_creds,
    username='your_admin',
    password='YourPassword123',
    email='admin@yourdomain.com'
)
```

## How the Exploit Works

### Step 1: Vulnerability Check
- Requests `/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php`
- If it answers, a vulnerable build (6.0 through 6.8) is likely installed; a 200 with an elFinder JSON body is a stronger signal than a bare existence check, since a WAF or catch-all rewrite can return 200 for anything

### Step 2: Shell Upload
- Uses elFinder's `upload` command via `connector.minimal.php`
- Uploads PHP webshell to the file manager's `files/` directory
- Tests multiple possible paths to find the uploaded shell

### Step 3: RCE Demonstration
- Executes system commands via the shell
- Shows: user, groups, directory, system info

### Step 4: Database Credentials
- Reads `wp-config.php` from common locations
- Extracts: DB_NAME, DB_USER, DB_PASSWORD, DB_HOST

### Step 5: Admin User Creation
- Hashes the password with MD5; WordPress still accepts a bare MD5 in `user_pass` and re-hashes it with phpass on the user's first login
- Inserts the user into `wp_users` (the `wp_` prefix comes from `$table_prefix` in wp-config.php)
- Adds the serialised `administrator` capability via `wp_usermeta`
- Sets `wp_user_level` to 10 (maximum)

### Step 6: Verification
- Queries database to confirm admin user exists
- Checks that administrator capabilities are set

## Defending Against This Exploit

1. **Update WP File Manager** - Upgrade to version 6.9 or later; versions 6.0 through 6.8 are affected
2. **Uninstall plugin** - Remove it if it is not needed; deactivating alone leaves `connector.minimal.php` on disk and reachable
3. **Disable file uploads** - Restrict the plugin's upload functionality and deny PHP execution under `lib/files/`
4. **Use a WAF** - Block unauthenticated requests to `connector.minimal.php`
5. **File integrity monitoring** - Detect uploaded shells
6. **Strong passwords** - Use complex database credentials, and rotate them if wp-config.php may have been read
7. **Clean up after exposure** - Remove dropped shells and any administrator account you did not create; patching alone does not revoke the access this chain grants

## Legal Disclaimer

This exploit is for **educational and authorized testing purposes only**.

- Only use on systems you own or have explicit permission to test
- Unauthorized access to computer systems is illegal
- The author is not responsible for misuse of this tool

## Detection Signs

Watch for these indicators of exploitation:

### Network
- POST requests to `/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php` from unauthenticated clients (the `cmd=upload` parameter is in the POST body, so it does not appear in the access log)
- Follow-up GET requests to `/wp-content/plugins/wp-file-manager/lib/files/<name>.php?c=...`

### Host
- The `mysql` command-line client or other shells spawned by the web server user (for example `www-data`)

### File System
- PHP files in `/wp-content/plugins/wp-file-manager/lib/files/`
- Files with names like `spidy_*.php`

### Database
- Users with `wp_capabilities` containing `administrator` that you did not create
- Recent insertions into `wp_users` and `wp_usermeta`
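The following is an added set of checks for the indicators above and for the version and clean-up advice in the Defending section; it is not part of the exploit script. The access-log lines, the fake plugin directory and the `wp-file-manager.php` file name in the fixture are constructed for the example, and the `6.9` cut-off is the fixed version of CVE-2020-25213.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Added detection and hardening helpers for the indicators above. They are not part of
# the page's exploit script. The log lines and the plugin directory they run on are
# constructed here so the file runs offline.

PLUGIN_DIR = "/wp-content/plugins/wp-file-manager"
CONNECTOR = PLUGIN_DIR + "/lib/php/connector.minimal.php"
SHELL_RE = re.compile(re.escape(PLUGIN_DIR) + r"/lib/files/[^/?]+\.php")
# Apache/nginx "combined" format: ip ident user [timestamp] "METHOD path HTTP/x" status size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
FIXED_IN = (6, 9)  # CVE-2020-25213 affects 6.0 <= version < 6.9


def flag_access_log(lines):
    """Network indicator: (ip, timestamp, reason) for each request that fits the exploit's
    traffic. cmd=upload travels in the POST body, so the log only shows the POST to the
    connector; the GET of a PHP file under lib/files/ afterwards is the stronger signal."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = unquote(m["path"])
        if path.split("?")[0].endswith(CONNECTOR):
            reason = ("POST to elFinder connector (upload attempt)" if m["method"] == "POST"
                      else "probe of elFinder connector")
            hits.append((m["ip"], m["ts"], reason))
        elif SHELL_RE.search(path):
            hits.append((m["ip"], m["ts"], "PHP executed from lib/files (web shell)"))
    return hits


def find_php_in_files_dir(plugin_root):
    """File-system indicator: any PHP file under lib/files/ (the upload target) is suspect.
    Returns paths relative to the plugin directory, forward-slashed."""
    files_dir = os.path.join(plugin_root, "lib", "files")
    found = []
    for root, _dirs, names in os.walk(files_dir):
        for name in names:
            if re.search(r"\.ph(p\d?|tml|ar)$", name, re.I):
                found.append(os.path.relpath(os.path.join(root, name), plugin_root).replace(os.sep, "/"))
    return sorted(found)


VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9.]+)", re.M)


def plugin_version(plugin_root):
    """Read the 'Version:' line of the WordPress plugin header from the main PHP file."""
    for name in sorted(os.listdir(plugin_root)):
        if name.endswith(".php"):
            with open(os.path.join(plugin_root, name), encoding="utf-8", errors="ignore") as fh:
                m = VERSION_RE.search(fh.read(4096))
            if m:
                return m.group(1)
    return None


def is_vulnerable(version):
    """True for the affected range 6.0 through 6.8."""
    parts = tuple(int(x) for x in version.split("."))
    return (6, 0) <= parts < FIXED_IN


def admin_audit_sql(prefix="wp_"):
    """Database indicator: administrators newest first, to spot an account you did not create."""
    return (f"SELECT u.ID, u.user_login, u.user_email, u.user_registered FROM {prefix}users u "
            f"JOIN {prefix}usermeta m ON m.user_id = u.ID "
            f"WHERE m.meta_key = '{prefix}capabilities' AND m.meta_value LIKE '%administrator%' "
            "ORDER BY u.user_registered DESC;")


# Constructed access-log lines: one probe, one upload, one shell hit, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Sep/2020:12:00:01 +0000] "GET /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 70',
    '203.0.113.9 - - [10/Sep/2020:12:00:02 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 412',
    '203.0.113.9 - - [10/Sep/2020:12:00:03 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/spidy_ab12.php?c=id HTTP/1.1" 200 61',
    '198.51.100.4 - - [10/Sep/2020:12:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 3100',
]


def make_sample_plugin_dir(version="6.0"):
    """Constructed fixture: a fake plugin tree with the connector and one dropped file.
    The main-file name is made up; plugin_version() scans any .php at the top level."""
    root = tempfile.mkdtemp(prefix="wp-file-manager-")
    os.makedirs(os.path.join(root, "lib", "php"))
    os.makedirs(os.path.join(root, "lib", "files"))
    with open(os.path.join(root, "wp-file-manager.php"), "w") as fh:
        fh.write(f"<?php\n/*\nPlugin Name: File Manager\nVersion: {version}\n*/\n")
    open(os.path.join(root, "lib", "php", "connector.minimal.php"), "w").close()
    with open(os.path.join(root, "lib", "files", "spidy_ab12.php"), "w") as fh:
        fh.write("<?php /* placeholder for a dropped shell */ ?>")
    open(os.path.join(root, "lib", "files", "notes.txt"), "w").close()
    return root


if __name__ == "__main__":
    for hit in flag_access_log(SAMPLE_LOG):
        print("LOG ", *hit)
    root = make_sample_plugin_dir("6.0")
    ver = plugin_version(root)
    print("VER ", ver, "vulnerable" if ver and is_vulnerable(ver) else "ok")
    print("FS  ", find_php_in_files_dir(root))
    print("SQL ", admin_audit_sql())
```

Run the log check over the web server's access log and the file-system and version checks against `wp-content/plugins/wp-file-manager`; the SQL goes into the `mysql` client with the site's real table prefix.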

## Credits

- **Vulnerability:** CVE-2020-25213 (WP File Manager 6.0 through 6.8)
- **Exploit author:** Spidy
- **Target version:** WP File Manager 6.0

## References

- CVE-2020-25213: https://nvd.nist.gov/vuln/detail/CVE-2020-25213
- WP File Manager: https://wordpress.org/plugins/wp-file-manager/

---

**Remember:** Only use this exploit responsibly and legally! 🕷️
