WordPress Levo-Slideshow 2.3 Shell Upload

2016-06-05T00:00:00
ID PACKETSTORM:137328
Type packetstorm
Reporter Aaditya Purani
Modified 2016-06-05T00:00:00

Description

                                        
                                            `#Exploit Name: Wordpress Levo-Slideshow 2.3 Shell Upload by Unprivileged  
user  
#Exploit Date: 5/6/2016  
#Author: Aaditya Purani  
#Author Blog: https://aadityapurani.com  
#Vendor: https://wordpress.org/plugins/wp-levoslideshow  
#Version: 2.3  
#Tested on: Wordpress 4.5.2  
  
Hi This is Aaditya Purani, Let's have look at 0-day Exploit  
  
Plugin Description:  
  
WP- Levoslideshow is a wordpress Plugin is a plugin where users can display  
slideshow multiple instance in their post which different categories &  
Images.  
  
PoC ( Proof Of Concept ):  
  
1) Login as an unprivileged user, who was no privilege of even uploading a  
plugin  
  
2) Go to http://site.com/wp-admin/admin.php?page=levoslideshow_manage  
  
3) If any Gallery exists than don't create and go to "Category Management",  
Click on "Add New", Upload any .png / ,jpg image from your PC and intercept  
the request  
  
4) After Intercepting the request while upload, Send request to Repeater .  
And change filename = image.png.php and in $POST image data add your PHP  
Backdoor between image chunk . It should look like this  
  
http://postimg.org/image/ih4lwyad7/  
  
5) Forward the request and go to  
site.com/wp-content/uploads/levoslideshow/[ALBUM_NUMBER]_uploadfolder/big/[YourShell]  
to access your shell.  
  
That's it.  
Follow: https://twitter.com/aaditya_purani  
Website: https://aaditya.com  
`
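The PoC above works because the upload handler trusts the client-supplied filename (so the double extension image.png.php survives) and is reachable by a user without upload rights. As an added example that is not the plugin's own code, here is how a WordPress upload handler can close those gaps; the function name, nonce action and option names are assumed.

```php
<?php
// Added example, not Levo-Slideshow code: a hardened image-upload handler
// for a WordPress plugin. Function and nonce names are assumed.

function levo_example_handle_image_upload( array $file ) {
    // 1. Authorisation: the PoC ran as a user with no upload privilege at all.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }
    // 2. CSRF: require the nonce carried by the upload form (dies on failure).
    check_admin_referer( 'levo_example_upload' );

    // 3. Only the *final* extension is considered, so image.png.php is rejected
    //    even though it contains ".png".
    $name  = sanitize_file_name( wp_basename( $file['name'] ) );
    $allow = array( 'png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg' );
    $ext   = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( ! isset( $allow[ $ext ] ) ) {
        return new WP_Error( 'bad_ext', 'Only PNG/JPEG files are accepted.' );
    }

    // 4. Content check on the temp file (finfo / getimagesize), never on the
    //    client's Content-Type header. A real image with PHP hidden in a chunk
    //    still passes this, which is why steps 3 and 5 carry the real weight.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name );
    if ( empty( $check['ext'] ) || $check['type'] !== $allow[ $ext ]
         || false === @getimagesize( $file['tmp_name'] ) ) {
        return new WP_Error( 'bad_content', 'File content is not a valid image.' );
    }

    // 5. Never keep the client-supplied name: store under a random name with
    //    the verified extension, so no attacker-chosen ".php" ever hits disk.
    $file['name'] = wp_generate_password( 16, false ) . '.' . $ext;

    // 6. Let WordPress move the file; it re-validates the type against $allow.
    $moved = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allow ) );
    if ( isset( $moved['error'] ) ) {
        return new WP_Error( 'move_failed', $moved['error'] );
    }
    return $moved; // array with 'file', 'url', 'type'
}
```

Pair this with a web-server rule that refuses to execute PHP under wp-content/uploads, so that even a file that slips through cannot be run from the path the PoC visits in step 5.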