crawler based on weak security of wpforms
This commit is contained in:
parent
9c61ba5ec0
commit
47db7bc5df
|
@ -0,0 +1 @@
|
|||
**/data
|
|
@ -0,0 +1,2 @@
|
|||
config.sh
|
||||
data*
|
|
@ -0,0 +1,3 @@
|
|||
[wpforms](https://wpforms.com/) uses an counter for `ENTRY_ID`s and seems to be vulnerable against CSRF :(
|
||||
|
||||
Once we have obtained a cookie, crawling is trivial…
|
|
@ -0,0 +1,27 @@
|
|||
## common
|
||||
|
||||
DATA_DIR="./data"
|
||||
|
||||
## download
|
||||
|
||||
START=500 #57
|
||||
END=500 #1000
|
||||
|
||||
WP_ADMIN_URL='https://example.com/wp-admin/admin.php'
|
||||
FORM_ID=16993
|
||||
NONCE='caffeeeeee'
|
||||
AUTHORIZATION_HEADER='authorization: Basic Base64EncodedDataaaaaaaaaa=='
|
||||
COOKIE_HEADER='cookie: wordpress_sec_thisCopiedFromTheBrower; wordpress_logged_in_; some_other_cookies'
|
||||
|
||||
## HEADERS_THAT_SEEM_TO_BE_NOT_REQUIRED
|
||||
#-H 'authority: example.com' \
|
||||
#-H 'upgrade-insecure-requests: 1' \
|
||||
#-H 'cache-control: max-age=0' \
|
||||
|
||||
## merge
|
||||
|
||||
OUT="/tmp/example.csv"
|
||||
|
||||
## setup
|
||||
|
||||
[ -d $DATA_DIR ] || mkdir $DATA_DIR
|
|
@ -0,0 +1,18 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
source ./config.sh
|
||||
|
||||
function download() {
|
||||
ENTRY=$1
|
||||
OUT="${DATA_DIR}/${ENTRY}.csv"
|
||||
echo $ENTRY
|
||||
curl "${WP_ADMIN_URL}?page=wpforms-tools&view=export&action=wpforms_tools_single_entry_export_download&form=${FORM_ID}&entry_id=${ENTRY}&export_options%5B0%5D=csv&nonce=${NONCE}" \
|
||||
-H "$COOKIE_HEADER" \
|
||||
-H "$AUTHORIZATION_HEADER" \
|
||||
--compressed | tee $OUT
|
||||
}
|
||||
|
||||
|
||||
for i in $(seq $START $END); do
|
||||
download $i || exit
|
||||
done
|
|
@ -0,0 +1,8 @@
|
|||
## quick and dirty! TODO: replace grep -v
|
||||
|
||||
source ./config.sh
|
||||
|
||||
(cd $DATA_DIR; head -n1 $(ls | head -n1)) > $OUT
|
||||
cat $DATA_DIR/* | grep -v 'Name,Land,Straße,Hausnummer' >> $OUT
|
||||
|
||||
wc -l $OUT
|
Loading…
Reference in New Issue