WordPress 4.2.0-4.5.1 flashmediaelement.swf 反射型 XSS 漏洞

                                                #!/usr/bin/env python
# coding: utf-8

import urlparse
import hashlib

from pocsuite.api.request import req
from pocsuite.api.poc import register
from pocsuite.api.poc import Output, POCBase


class TestPOC(POCBase):
    vulID = '91515'  # ssvid
    version = '1.0'
    author = ['Fooying']
    vulDate = ''
    createDate = '2016-05-10'
    updateDate = '2016-05-10'
    references = ['http://www.seebug.org/vuldb/ssvid-91515']
    name = 'WordPress 4.2.0-4.5.1 反射型 XSS 漏洞 '
    appPowerLink = 'https://wordpress.org/'
    appName = 'WordPress'
    appVersion = '(4.2.0<=version<=4.5.1'
    vulType = 'XSS'
    desc = '''
      WordPress 于 2016 年 5 月 6 号发布新版本 4.5.2,其中修了一 个反射型 XSS 漏洞,直接影响 4.2.0 至 4.5.1 版本。该反射型 XSS 源 于 WordPress 一个处理媒体的插件 MediaElement,攻击者能够构 造恶意 Payload,使之解析媒体文件时触发 XSS.
    '''
    samples = ['']
    install_requires = ['']


    def get_md5(self, file_content):
      md5obj = hashlib.md5()
      md5obj.update(file_content)
      hash = md5obj.hexdigest()
      return hash

    def _attack(self):
        result = {}
        self._verify()

        return self.parse_output(result)

    def _verify(self):
        result = {}
        url = urlparse.urljoin(self.url, '/wp-includes/js/mediaelement/flashmediaelement.swf')
        res = req.get(url)
        md5_num = self.get_md5(res.content)
        print md5_num

        match_md5 = (
            "079d5276459e0e3526afbdb7e1017037",
            "2400c991b8473d44a7edc75605496760",
            "42c6680f8035fc10855ee2e559c9cc78",
            "a77bd46c3904a70f0e4ed6f3f714099a",
            "bed216acd6fb5318c139087a0a9d6b4d",
            "e61c004611ce5cc855a3b2ab3e89602d",
        )
        if res.status_code == 200 and md5_num in match_md5:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
        return self.parse_output(result)

    def parse_output(self, result):
        #parse output
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output


register(TestPOC)