WordPress Vulnerability Scanner by N45HT

1. <?php
2. # ShinChan - N45HT - N45HT.WEB.ID
3. # fb.com/angelia.put - fb.com/ShinChan.admin - fb.com/N45HTOfficial - fb.com/groups/N45HTOfficial
4. # shinchan0x1945@gmail.com
5.  
6. # WordPress Vulnerability Scanner - coded by ShinChan | copyright ShinChan@2017#
7.  
8. echo "
9.  ___  _  _  __  _  _  __  _  _   __   _  _     _    _  ____  ___
10. / __)( )( )(  )( \( )/ _)( )( ) (  ) ( \( )   ( \/\/ )(_  _)(  _)
11. \__ \ )__(  )(  )  (( (_  )__(  /__\  )  (  ___\    /   )(   ) _)
12. (___/(_)(_)(__)(_)\_)\__)(_)(_)(_)(_)(_)\_)(___)\/\/   (__) (_)  
13.      WordPress Vulnerability Scanner - coded by ShinChan
14.  
15.     Thanks to :  PETR03X - Comod0x - SCYTHE404_LOL - Grav3
16.                        All Members N45HT
17.  
18.  
19. ";
20. echo "Input your target (ex:victim.com) : ";
21. $target = trim(fgets(STDIN));
22. $totalvuln = "0";
23. $totalnotvuln = "0";
24.  
25. if(!preg_match("/^http:\/\//",$target) AND !preg_match("/^https:\/\//",$target)){
26.     $targets = "http://$target";
27. }else{
28.     $targets = $target;
29. }
30.  
31. echo "\n[~] Scanning => $targets";
32.  
33. /* Exploit WordPress Plugin Work The Flow File Upload 2.5.2 - ShinChan - N45HT */
34. echo "\n\n[+] Testing Exploit WordPress Plugin Work The Flow File Upload 2.5.2";
35. $urlwtf = "$targets/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php";
36. $curlwtf = curl_init();
37. curl_setopt($curlwtf, CURLOPT_URL, $urlwtf);
38. curl_setopt($curlwtf, CURLOPT_FOLLOWLOCATION, 1);
39. curl_setopt($curlwtf, CURLOPT_RETURNTRANSFER, 1);
40. $response = curl_exec($curlwtf);
41. $httpCode = curl_getinfo($curlwtf, CURLINFO_HTTP_CODE);
42. curl_close($curlwtf);
43. if($httpCode == 200){
44.     echo "\n    > Result : 200 ok";
45.     echo "\n    > Exploit : WordPress Plugin Work The Flow File Upload 2.5.2";
46.     echo "\n    > Tutorial : http://skamason.com/7IBw\n";
47.     $totalvuln = $totalvuln + 1;
48. }else{
49.     echo "\n    > Result : 404";
50.     echo "\n    > Not Vulnerable";
51.     $totalnotvuln = $totalnotvuln + 1;
52. }
53. /* Exploit WordPress Plugin Work The Flow File Upload 2.5.2 - ShinChan - N45HT */
54.  
55. /* Exploit WordPress mTheme-Unus Local File Inclusion - ShinChan - N45HT */
56. echo "\n\n[+] Testing Exploit WordPress mTheme-Unus Local File Inclusion";
57. $urltu = "$targets/wp-content/themes/mTheme-Unus/css/css.php";
58. $curltu = curl_init();
59. curl_setopt($curltu, CURLOPT_URL, $urltu);
60. curl_setopt($curltu, CURLOPT_FOLLOWLOCATION, 1);
61. curl_setopt($curltu, CURLOPT_RETURNTRANSFER, 1);
62. $response = curl_exec($curltu);
63. $httpCode = curl_getinfo($curltu, CURLINFO_HTTP_CODE);
64. curl_close($curltu);
65. if($httpCode == 200){
66.     echo "\n    > Result : 200 ok";
67.     echo "\n    > Exploit : WordPress mTheme-Unus Local File Inclusion";
68.     echo "\n    > Tutorial : http://skamason.com/7IPO\n";
69.     $totalvuln = $totalvuln + 1;
70. }else{
71.     echo "\n    > Result : 404";
72.     echo "\n    > Not Vulnerable";
73.     $totalnotvuln = $totalnotvuln + 1;
74. }
75. /* Exploit WordPress mTheme-Unus Local File Inclusion - ShinChan - N45HT */
76.  
77. /* Exploit WordPress Job-Manager - ShinChan - N45HT */
78. echo "\n\n[+] Testing Exploit WordPress Job-Manager";
79. $urljm = "$targets/jm-ajax/upload_file";
80. $curljm = curl_init();
81. curl_setopt($curljm, CURLOPT_URL, $urljm);
82. curl_setopt($curljm, CURLOPT_FOLLOWLOCATION, 1);
83. curl_setopt($curljm, CURLOPT_RETURNTRANSFER, 1);
84. $response = curl_exec($curljm);
85. $httpCode = curl_getinfo($curljm, CURLINFO_HTTP_CODE);
86. curl_close($curljm);
87. if($httpCode == 200){
88.     echo "\n    > Result : 200 ok";
89.     echo "\n    > Exploit : WordPress Job-Manager";
90.     echo "\n    > Tutorial : http://skamason.com/7IUS\n";
91.     $totalvuln = $totalvuln + 1;
92. }else{
93.     echo "\n    > Result : 404";
94.     echo "\n    > Not Vulnerable";
95.     $totalnotvuln = $totalnotvuln + 1;
96. }
97. /* Exploit WordPress Job-Manager - ShinChan - N45HT */
98.  
99. /* Exploit WordPress Plugin Gallery 3.06 - Arbitrary File Upload - ShinChan - N45HT */
100. echo "\n\n[+] Testing Exploit WordPress Plugin Gallery 3.06 - Arbitrary File Upload";
101. $urlpg = "$targets/wp-content/plugins/gallery-plugin/upload/php.php";
102. $curlpg = curl_init();
103. curl_setopt($curlpg, CURLOPT_URL, $urlpg);
104. curl_setopt($curlpg, CURLOPT_FOLLOWLOCATION, 1);
105. curl_setopt($curlpg, CURLOPT_RETURNTRANSFER, 1);
106. $response = curl_exec($curlpg);
107. $httpCode = curl_getinfo($curlpg, CURLINFO_HTTP_CODE);
108. curl_close($curlpg);
109. if($httpCode == 200){
110.     echo "\n    > Result : 200 ok";
111.     echo "\n    > Exploit : WordPress Plugin Gallery 3.06 - Arbitrary File Upload";
112.     echo "\n    > Tutorial : http://skamason.com/7IVq\n";
113.     $totalvuln = $totalvuln + 1;
114. }else{
115.     echo "\n    > Result : 404";
116.     echo "\n    > Not Vulnerable";
117.     $totalnotvuln = $totalnotvuln + 1;
118. }
119. /* Exploit WordPress Plugin Gallery 3.06 - Arbitrary File Upload - ShinChan - N45HT */
120.  
121. /* Exploit WordPress Plugin Photo Gallery 1.2.5 - Unrestricted Arbitrary File Upload - ShinChan - N45HT */
122. echo "\n\n[+] Testing Exploit WordPress Plugin Photo Gallery 1.2.5 - Unrestricted Arbitrary File Upload";
123. $urlppg = "$targets/wp-admin/admin-ajax.php?action=bwg_UploadHandler&dir=rce/";
124. $curlppg = curl_init();
125. curl_setopt($curlppg, CURLOPT_URL, $urlppg);
126. curl_setopt($curlppg, CURLOPT_FOLLOWLOCATION, 1);
127. curl_setopt($curlppg, CURLOPT_RETURNTRANSFER, 1);
128. $response = curl_exec($curlppg);
129. $httpCode = curl_getinfo($curlppg, CURLINFO_HTTP_CODE);
130. curl_close($curlppg);
131. if($httpCode == 200){
132.     echo "\n    > Result : 200 ok";
133.     echo "\n    > Exploit : WordPress Plugin Photo Gallery 1.2.5 - Unrestricted Arbitrary File Upload";
134.     echo "\n    > Tutorial : http://skamason.com/7IXX\n";
135.     $totalvuln = $totalvuln + 1;
136. }else{
137.     echo "\n    > Result : 404";
138.     echo "\n    > Not Vulnerable";
139.     $totalnotvuln = $totalnotvuln + 1;
140. }
141. /* Exploit WordPress Plugin Photo Gallery 1.2.5 - Unrestricted Arbitrary File Upload - ShinChan - N45HT */
142.  
143. /* Exploit WordPress 4.7.0/4.7.1 Content Injection - ShinChan - N45HT */
144. echo "\n\n[+] Testing Exploit WordPress 4.7.0/4.7.1 Content Injection";
145. $urlci = "$targets/wp-json/wp/v2/posts";
146. $curlci = curl_init();
147. curl_setopt($curlci, CURLOPT_URL, $urlci);
148. curl_setopt($curlci, CURLOPT_FOLLOWLOCATION, 1);
149. curl_setopt($curlci, CURLOPT_RETURNTRANSFER, 1);
150. $response = curl_exec($curlci);
151. $httpCode = curl_getinfo($curlci, CURLINFO_HTTP_CODE);
152. curl_close($curlci);
153. if($httpCode == 200){
154.     echo "\n    > Result : 200 ok";
155.     echo "\n    > Exploit : WordPress 4.7.0/4.7.1 Content Injection";
156.     echo "\n    > Tutorial : http://skamason.com/7IcE or http://skamason.com/7IeF\n";
157.     $totalvuln = $totalvuln + 1;
158. }else{
159.     echo "\n    > Result : 404";
160.     echo "\n    > Not Vulnerable";
161.     $totalnotvuln = $totalnotvuln + 1;
162. }
163. /* Exploit WordPress 4.7.0/4.7.1 Content Injection - ShinChan - N45HT */
164.  
165. /* Exploit WordPress 4.7.0/4.7.1 Username Enumeration - ShinChan - N45HT */
166. echo "\n\n[+] Testing Exploit WordPress 4.7.0/4.7.1 Username Enumeration";
167. $urlue = "$targets/wp-json/wp/v2/users";
168. $curlue = curl_init();
169. curl_setopt($curlue, CURLOPT_URL, $urlue);
170. curl_setopt($curlue, CURLOPT_FOLLOWLOCATION, 1);
171. curl_setopt($curlue, CURLOPT_RETURNTRANSFER, 1);
172. $response = curl_exec($curlue);
173. $httpCode = curl_getinfo($curlue, CURLINFO_HTTP_CODE);
174. curl_close($curlue);
175. if($httpCode == 200){
176.     echo "\n    > Result : 200 ok";
177.     echo "\n    > Exploit : WordPress 4.7.0/4.7.1 Username Enumeration";
178.     echo "\n    > Tutorial : http://skamason.com/7J0E\n";
179.     $totalvuln = $totalvuln + 1;
180. }else{
181.     echo "\n    > Result : 404";
182.     echo "\n    > Not Vulnerable";
183.     $totalnotvuln = $totalnotvuln + 1;
184. }
185. /* Exploit WordPress 4.7.0/4.7.1 Username Enumeration - ShinChan - N45HT */
186.  
187. /* Exploit WordPress Gravity Form Arbitrary File Upload - ShinChan - N45HT */
188. echo "\n\n[+] Testing Exploit WordPress Gravity Form Arbitrary File Upload";
189. $urlgf = "$targets/index.php?gf_page=upload";
190. $curlgf = curl_init();
191. curl_setopt($curlgf, CURLOPT_URL, $urlgf);
192. curl_setopt($curlgf, CURLOPT_FOLLOWLOCATION, 1);
193. curl_setopt($curlgf, CURLOPT_RETURNTRANSFER, 1);
194. $response = curl_exec($curlgf);
195. $httpCode = curl_getinfo($curlgf, CURLINFO_HTTP_CODE);
196. curl_close($curlgf);
197. if($httpCode == 200){
198.     echo "\n    > Result : 200 ok";
199.     echo "\n    > Exploit : WordPress Gravity Form Arbitrary File Upload";
200.     echo "\n    > Tutorial : http://skamason.com/7ItP\n";
201.     $totalvuln = $totalvuln + 1;
202. }else{
203.     echo "\n    > Result : 404";
204.     echo "\n    > Not Vulnerable";
205.     $totalnotvuln = $totalnotvuln + 1;
206. }
207. /* Exploit WordPress Gravity Form Arbitrary File Upload - ShinChan - N45HT */
208.  
209. /* Exploit WordPress Plugin ACF Frontend Display 2.0.5 - ShinChan - N45HT */
210. echo "\n\n[+] Testing Exploit WordPress Plugin ACF Frontend Display 2.0.5";
211. $urlacffd = "$targets/wp-content/plugins/acf-frontend-display/js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php";
212. $curlacffd = curl_init();
213. curl_setopt($curlacffd, CURLOPT_URL, $urlacffd);
214. curl_setopt($curlacffd, CURLOPT_FOLLOWLOCATION, 1);
215. curl_setopt($curlacffd, CURLOPT_RETURNTRANSFER, 1);
216. $response = curl_exec($curlacffd);
217. $httpCode = curl_getinfo($curlacffd, CURLINFO_HTTP_CODE);
218. curl_close($curlacffd);
219. if($httpCode == 200){
220.     echo "\n    > Result : 200 ok";
221.     echo "\n    > Exploit : WordPress Plugin ACF Frontend Display 2.0.5";
222.     echo "\n    > Tutorial : http://skamason.com/7IkS\n";
223.     $totalvuln = $totalvuln + 1;
224. }else{
225.     echo "\n    > Result : 404";
226.     echo "\n    > Not Vulnerable";
227.     $totalnotvuln = $totalnotvuln + 1;
228. }
229. /* Exploit WordPress Plugin ACF Frontend Display 2.0.5 - ShinChan - N45HT */
230.  
231. /* Exploit Wordpress Infocus3 Theme Arbitrary File Download Vulnerability - ShinChan - N45HT */
232. echo "\n\n[+] Testing Exploit Wordpress Infocus3 Theme Arbitrary File Download Vulnerability";
233. $urlifafd = "$targets/wp-content/themes/infocus3/lib/scripts/dl-skin.php";
234. $curlifafd = curl_init();
235. curl_setopt($curlifafd, CURLOPT_URL, $urlifafd);
236. curl_setopt($curlifafd, CURLOPT_FOLLOWLOCATION, 1);
237. curl_setopt($curlifafd, CURLOPT_RETURNTRANSFER, 1);
238. $response = curl_exec($curlifafd);
239. $httpCode = curl_getinfo($curlifafd, CURLINFO_HTTP_CODE);
240. curl_close($curlifafd);
241. if($httpCode == 200){
242.     echo "\n    > Result : 200 ok";
243.     echo "\n    > Exploit : Wordpress Infocus3 Theme Arbitrary File Download Vulnerability";
244.     echo "\n    > Tutorial : http://skamason.com/7Imr\n";
245.     $totalvuln = $totalvuln + 1;
246. }else{
247.     echo "\n    > Result : 404";
248.     echo "\n    > Not Vulnerable";
249.     $totalnotvuln = $totalnotvuln + 1;
250. }
251. /* Exploit Wordpress Infocus3 Theme Arbitrary File Download Vulnerability - ShinChan - N45HT */
252.  
253. /* Exploit WP Install Vulnerability - ShinChan - N45HT */
254. echo "\n\n[+] Testing Exploit WP Install Vulnerability";
255. $urlwpiv = "$targets/wp-admin/install.php";
256. $curlwpiv = curl_init();
257. curl_setopt($curlwpiv, CURLOPT_URL, $urlwpiv);
258. curl_setopt($curlwpiv, CURLOPT_FOLLOWLOCATION, 1);
259. curl_setopt($curlwpiv, CURLOPT_RETURNTRANSFER, 1);
260. $response = curl_exec($curlwpiv);
261. $httpCode = curl_getinfo($curlwpiv, CURLINFO_HTTP_CODE);
262. curl_close($curlwpiv);
263. if($httpCode == 200){
264.     echo "\n    > Result : 200 ok";
265.     echo "\n    > Exploit : WP Install Vulnerability";
266.     echo "\n    > Tutorial : http://skamason.com/7Iri\n";
267.     $totalvuln = $totalvuln + 1;
268. }else{
269.     echo "\n    > Result : 404";
270.     echo "\n    > Not Vulnerable";
271.     $totalnotvuln = $totalnotvuln + 1;
272. }
273. /* Exploit WP Install Vulnerability - ShinChan - N45HT */
274.  
275. /* Exploit WordPress Product Options For WooCommerce Plugin File Upload - ShinChan - N45HT */
276. echo "\n\n[+] Testing Exploit WordPress Product Options For WooCommerce Plugin File Upload";
277. $urlpofw = "$targets/wp-content/plugins/woocommerce-product-options/includes/image-upload.php";
278. $curlpofw = curl_init();
279. curl_setopt($curlpofw, CURLOPT_URL, $urlpofw);
280. curl_setopt($curlpofw, CURLOPT_FOLLOWLOCATION, 1);
281. curl_setopt($curlpofw, CURLOPT_RETURNTRANSFER, 1);
282. $response = curl_exec($curlpofw);
283. $httpCode = curl_getinfo($curlpofw, CURLINFO_HTTP_CODE);
284. curl_close($curlpofw);
285. if($httpCode == 200){
286.     echo "\n    > Result : 200 ok";
287.     echo "\n    > Exploit : WordPress Product Options For WooCommerce Plugin File Upload";
288.     echo "\n    > Tutorial : http://skamason.com/7IxS\n";
289.     $totalvuln = $totalvuln + 1;
290. }else{
291.     echo "\n    > Result : 404";
292.     echo "\n    > Not Vulnerable";
293.     $totalnotvuln = $totalnotvuln + 1;
294. }
295. /* Exploit WordPress Product Options For WooCommerce Plugin File Upload - ShinChan - N45HT */
296.  
297. echo "\n\n [x] Result :";
298. echo "\n    [~] Total Vulnerability = $totalvuln";
299. echo "\n    [~] Total Not Vulnerability = $totalnotvuln\n\n";
300. ?>