WordPress Easy Comment Uploads Shell Upload

2012-08-04T00:00:00
ID PACKETSTORM:115274
Type packetstorm
Reporter Nafsh
Modified 2012-08-04T00:00:00

Description

                                        
                                            `#############################################################################################  
# #  
# Exploit Title : Wordpress Easy Comment Uploads Shell Upload Vulnerability #  
# #  
# Author : Nafsh #  
# #  
# Discovered By : Tapco Security & Research Lab #  
# #  
# Home : sec-lab.ir #  
# #  
# Contact : research [at] sec-lab [dot] ir #  
# #  
# Date : 4/8/2012 - 13:33 #  
# #  
# Source : plugins.svn.wordpress.org/easy-comment-uploads/tags/0.60/upload.php #  
# #  
# DorK : intext:"Invalid referer" inurl:"upload.php" #  
# #  
#############################################################################################  
# POC: In the previous version you could upload a shell simply by declaring an image MIME type for the file.  
In the new version the uploader's entry check must be bypassed first. Note that the check at the top of upload.php is a WordPress nonce check (wp_verify_nonce), even though its failure message reads "Invalid referer"; the author reports bypassing it by spoofing the HTTP Referer header to point at /wp-admin.  
# Source :  
<?php  
// Access gate. Despite the message text this is a WordPress nonce check, not an
// HTTP Referer check. It is a short-circuit `||` chain: write_js() runs only
// when the nonce fails, and die() is reached only if write_js() also returns a
// falsy value -- should write_js() return something truthy, execution continues
// past this line with a bad nonce. No login or capability check is visible in
// this excerpt. NOTE(review): confirm whether the 'ecu_upload_form' nonce is
// exposed to unauthenticated visitors through the comment form.
wp_verify_nonce ($_REQUEST ['_wpnonce'], 'ecu_upload_form')  
|| write_js ("alert ('Invalid Referer')")  
|| die ('Invalid referer');  
  
// Get needed info. The ecu_* helpers are defined elsewhere in the plugin.
// $max_file_size is read here but is not used anywhere in this excerpt.
$target_dir = ecu_upload_dir_path ();  
$target_url = ecu_upload_dir_url ();  
$images_only = get_option ('ecu_images_only');  
$max_file_size = get_option ('ecu_max_file_size');  
  
// Creates the upload directory with mkdir()'s default mode; the return value is
// not checked, so a failed mkdir() goes unnoticed here.
if (!file_exists ($target_dir))  
mkdir ($target_dir);  
  
// The target path is built from the client-supplied filename. basename() strips
// directory components, but the extension is kept exactly as the client sent it
// and is not restricted at this point (the filetype checks come further down).
$target_path = find_unique_target ($target_dir  
. basename($_FILES['file']['name']));  
$target_name = basename ($target_path);  
  
// Debugging message example  
// write_js ("alert ('$target_url')");  
  
// Default values  
$filecode = "";  
$filelink = "";  
  
// "Image" detection trusts $_FILES['file']['type'], which is the Content-Type
// the uploading client declared for the part; it is not derived from the file
// bytes. The pattern is unanchored, so any declared type that merely contains
// "jpeg", "png" or "gif" as a substring is treated as an image.
$is_image = preg_match ('/(jpeg|png|gif)/i', $_FILES['file']['type']);  
$type = ($is_image) ? "img" : "file";  
if (!$is_image && $images_only) {  
$alert = "Sorry, you can only upload images.";  
} else if (filetype_blacklisted() && !filetype_whitelisted()) {  
$alert = "You are attempting to upload a file with a disallowed/unsafe filetype!";  
# #  
# #  
# http://[TARGET]/wp-content/plugins/wp-vipergb/easy-comment-uploads/upload.php #  
# http://[TARGET]/wp-content/plugins/easy-comment-uploads/upload.php  
# #  
#############################################################################################  
# #  
# Dem0 : #  
# #  
# http://www.bulliesofnc.com/wp-content/plugins/wp-vipergb/easy-comment-uploads/upload.php   
# #  
# http://taymourschool.com/wp/wp-content/plugins/wp-vipergb/easy-comment-uploads/upload.php  
# #  
# http://equator-indonesia.com/wp-content/plugins/easy-comment-uploads/upload.php  
#############################################################################################  
# #  
# We are : K0242 | Nafsh | Ehram.shahmohamadi #  
# #  
# Greetz : All sec-lab researchers #  
# #  
#############################################################################################  
`