A Python script that exploits the vulnerability in the Duplicate Post WordPress plugin. This vulnerability was reported on March 22, 2019 by the Sucuri team, and patched in Duplicate Post version 3.4. Please use reasonably!

hoefler02/wordpress-duplicate-post-exploit

WordPress Duplicate Post Plugin SQLi

A Python script that exploits the vulnerability in the Duplicate Post WordPress plugin. This vulnerability was reported on March 22, 2019 by the Sucuri team, and patched in Duplicate Post version 3.4.

Usage

The arguments to the script are listed below. Please use responsibly!

'--url', The base URL of the WordPress installation. Make sure it ends with a slash (e.g. http://example.com/).
'--username', WordPress username.
'--password', WordPress password.
'--query', The SQL statement to be executed.
'--delay N', Delay the attack queries for N seconds. Defaults to 2 seconds. Increase this for slower internet connections.
'--clean', Each query creates a new duplicate post, which adds up to a lot of posts. Option 1 deletes them as they are created (slow) and option 2 deletes them after the exploit.
'--output N', Print the leaked data every time N new characters are leaked.

Information

This script was created for a challenge in the BCACTF event.
