Arbitrary File Download & File Deletion Exploit

Details

The vulnerable file is located at http://localhost/wp-content/themes/{NAME-THEME}/lib/scripts/dl-skin.php In exploit code, file name in first text box should be readable on the vulnerable server, then the vulnerable code allows it to be downloaded from the server. And the second textbox accepts a directory path. If it is writeable then vulnerable code will delete its contents. An attacker can download readable files from the server and also can delete contents of writeable directories.

How to Use

• Cukup membaca di setiap nama file/theme yang ada di repository Arbitrary File Download & File Deletion Exploit (AFDFDE).

Require

• Browser (Google-Chrome/Chromium, Firefox, IE, etc browser)
• Text Editor (Notepad/++, Dreamweaver, Sublimetext, etc editor)

Operating System

• Windows
• Mac
• Linux

If: Use application with Ruby CLI (ruby-AFDFDE)

• Go to repository with ruby-AFDFDE
• ruby
• rubygems
• curb

List of Theme

• Awake Wordpress Theme
• Construct Wordpress Theme
• Dejavu Wordpress Theme
• Echelon Wordpress Theme
• Elegance Wordpress Theme
• Fusion Wordpress Theme
• Infocus Wordpress Theme
• Mega Stream Wordpress Theme
• Method Wordpress Theme
• Modular Wordpress Theme
• MyRiad Wordpress Theme
• Oakrealty Wordpress Theme
• Persuasion Wordpress Theme
• Others exploit the fund will be updated as time goes by CaFc Versace

Lean to Be Better

www.surabayablackhat.org