Vulners
Lucene search
WordPress Easy Comment Uploads Shell Upload
`#############################################################################################
# #
# Exploit Title : Wordpress Easy Comment Uploads Shell Upload Vulnerability #
# #
# Author : Nafsh #
# #
# Discovered By : Tapco Security & Research Lab #
# #
# Home : sec-lab.ir #
# #
# Contact : research [at] sec-lab [dot] ir #
# #
# Date : 4/8/2012 - 13:33 #
# #
# Source : plugins.svn.wordpress.org/easy-comment-uploads/tags/0.60/upload.php #
# #
# DorK :
intext:"Invalid referer" inurl:"upload.php" #
# #
#############################################################################################
# POC: In Previous Version You Can Upload Your Shell With Image MimeType
But In New Version You Should Bypass Uploader With Http Refrer Phishing And Change Refrer To /wp-admin
# Source :
<?php
// Check referer
wp_verify_nonce ($_REQUEST ['_wpnonce'], 'ecu_upload_form')
|| write_js ("alert ('Invalid Referer')")
|| die ('Invalid referer');
// Get needed info
$target_dir = ecu_upload_dir_path ();
$target_url = ecu_upload_dir_url ();
$images_only = get_option ('ecu_images_only');
$max_file_size = get_option ('ecu_max_file_size');
if (!file_exists ($target_dir))
mkdir ($target_dir);
$target_path = find_unique_target ($target_dir
. basename($_FILES['file']['name']));
$target_name = basename ($target_path);
// Debugging message example
// write_js ("alert ('$target_url')");
// Default values
$filecode = "";
$filelink = "";
// Detect whether the uploaded file is an image
$is_image = preg_match ('/(jpeg|png|gif)/i', $_FILES['file']['type']);
$type = ($is_image) ? "img" : "file";
if (!$is_image && $images_only) {
$alert = "Sorry, you can only upload images.";
} else if (filetype_blacklisted() && !filetype_whitelisted()) {
$alert = "You are attempting to upload a file with a disallowed/unsafe filetype!";
# #
# #
# http://[TARGET]/wp-content/plugins/wp-vipergb/easy-comment-uploads/upload.php #
# http://[TARGET]/wp-content/plugins/easy-comment-uploads/upload.php
# #
#############################################################################################
# #
# Dem0 : #
# #
# http://www.bulliesofnc.com/wp-content/plugins/wp-vipergb/easy-comment-uploads/upload.php
# #
# http://taymourschool.com/wp/wp-content/plugins/wp-vipergb/easy-comment-uploads/upload.php
# #
# http://equator-indonesia.com/wp-content/plugins/easy-comment-uploads/upload.php
#############################################################################################
# #
# We are : K0242 | Nafsh | Ehram.shahmohamadi #
# #
# Greetz : All sec-lab researchers #
# #
#############################################################################################
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Aug 2012 00:00Current
7.4High risk
Vulners AI Score7.4