`#################################################################################################
# Exploit Title : WordPress Share-Buttons Plugins 4.9.9 Remote Shell Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 22/12/2018
# Vendor Homepage : wordpress.org ~ sbuttons.ru
# Software Download Link : atwebresults.com/php_ajax_image_upload/
+ wordpress.org/plugins/tags/share-buttons/
+ raw.githubusercontent.com/usaphp/plufit/master/wp-content/plugins/share-buttons/upload/index.php
# Tested On : Windows and Linux
# Category : WebApps
# Version Information : V2.7 ~ V4.0 ~ V4.4.2 ~ V4.6.1 ~ V4.7.12 ~ V4.8.8 ~ V4.9.7 ~ V4.9.8 ~ V4.9.9
+ Apache 2.4.10 ~ Apache 2.4.33 ~ Apache 2.4.35 ~ PHP 5.6.38 ~ OpenSSL 0.9.8e ~ UNIX OS ~
+ jQuery 1.8.2 ~ Nginx 1.12.2 ~ Nginx 1.10.3
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/plugins/share-buttons/''
+ intext:''Sleeker More "Web 2.0" onChange Use''
/wp-content/plugins/share-buttons/
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
+ CWE-434 - [ Unrestricted Upload of File with Dangerous Type ]
#################################################################################################
# Admin Panel Login Path :
/wp-login.php
# Arbitrary File Upload/Remote Shell Upload Exploit :
/wp-content/plugins/share-buttons/upload/index.php
/wp-content/plugins/share-buttons/upload/scripts/ajaxupload.php
Error : Error(s) Found: File Size Empty,
# Directory File Path :
/wp-content/plugins/share-buttons/upload/uploads/[FILENAMEHERE]_[RANDOM-NUMBERS].png
# Note : .php;.gif ~ .asp;.png ~ .shtml.fla;.jpeg
#################################################################################################
Vulnerable File Code : /upload/index.php
************************************
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8" />
<title>PHP AJAX Image Upload, Truly Web 2.0!</title>
<link href="css/styles.css" rel="stylesheet" type="text/css" media="all" />
<!-- MAKE SURE TO REFERENCE THIS FILE! -->
<script type="text/javascript" src="scripts/ajaxupload.js"></script>
<!-- END REQUIRED JS FILES -->
<!-- THIS CSS MAKES THE IFRAME NOT JUMP -->
<style type="text/css">
iframe {
display:none;
}
</style>
<!-- THIS CSS MAKES THE IFRAME NOT JUMP -->
</head>
<body>
<div id="container">
<!-- THIS IS THE IMPORTANT STUFF! -->
<div id="demo_area">
<div id="left_col">
<!--
VERY IMPORTANT! Update the form elements below ajaxUpload fields:
1. form - the form to submit or the ID of a form (ex. this.form or standard_use)
2. url_action - url to submit the form. like 'action' parameter of forms.
3. id_element - element that will receive return of upload.
4. html_show_loading - Text (or image) that will be show while loading
5. html_error_http - Text (or image) that will be show if HTTP error.
VARIABLE PASSED BY THE FORM:
maximum allowed file size in bytes:
maxSize = 9999999999
maximum image width in pixels:
maxW = 100
maximum image height in pixels:
maxH = 100
the full path to the image upload folder:
fullPath = http://www.atwebresults.com/php_ajax_image_upload/uploads/
the relative path from scripts/ajaxupload.php -> uploads/ folder
relPath = ../uploads/
The next 3 are for custom matte color of transparent images (gif,png), use RGB value
colorR = 255
colorG = 255
colorB = 255
The form name of the file upload script
filename = filename
-->
<fieldset>
<legend>Sleeker More "Web 2.0" onChange Use</legend>
<form action="index.php" method="post" name="sleeker" id="sleeker"
enctype="multipart/form-data">
<input type="hidden" name="maxSize" value="9999999999" />
<input type="hidden" name="maxW" value="200" />
<input type="hidden" name="fullPath" value="http://test-wordpress.kg/upload/uploads/" />
<input type="hidden" name="relPath" value="../uploads/" />
<input type="hidden" name="colorR" value="255" />
<input type="hidden" name="colorG" value="255" />
<input type="hidden" name="colorB" value="255" />
<input type="hidden" name="maxH" value="300" />
<input type="hidden" name="filename" value="filename" />
<p><input type="file" name="filename"
onchange="ajaxUpload(this.form,'scripts/ajaxupload.php?filename=name&maxSize=9999999999&maxW=200&fullPath=http://test-wordprees.kg/upload/uploads/&relPath=../uploads/&colorR=255&colorG=255&colorB=255&maxH=300','upload_area','File Uploading Please Wait...<br /><img src=\'images/loader_light_blue.gif\' width=\'128\' height=\'15\' border=\'0\' />','<img src=\'images/error.gif\' width=\'16\' height=\'16\' border=\'0\' /> Error in Upload, check settings and path info in source code.'); return false;" /></p>
</form>
</fieldset>
<br /><small style="font-weight: bold; font-style:italic;">Supported File
Types: gif, jpg, png</small>
</div>
<div id="right_col">
<?php
?>
<div id="upload_area"><img src="uploads/logo.png">
</div>
</div>
<div class="clear"> </div>
</div>
<!-- END IMPORTANT STUFF -->
</body>
</html>
#################################################################################################
# Example Vulnerable Sites =>
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
`
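Added example (not part of the original advisory or the plugin's code): a check a site owner can run over web-server logs to see whether the upload component described above has been used, and whether files with an executable segment hidden in front of an image extension were requested from its uploads folder. It assumes a combined-format access log; the extension list and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Paths taken from the advisory; matched as suffixes so sub-directory installs are covered.
UPLOAD_ENDPOINTS = (
    "/wp-content/plugins/share-buttons/upload/index.php",
    "/wp-content/plugins/share-buttons/upload/scripts/ajaxupload.php",
)
UPLOAD_DIR = "/wp-content/plugins/share-buttons/upload/uploads/"
# Assumption: extensions the server might pass to an interpreter; adjust per site.
EXECUTABLE_EXT = {"php", "php5", "phtml", "asp", "aspx", "shtml", "jsp", "cgi", "pl"}
# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_name(filename):
    """True if any extension segment is an executable type, even when an image
    extension follows it ('x.php;.gif', 'x.shtml.fla;.jpeg')."""
    segments = re.split(r"[.;]+", filename.lower())[1:]
    # Drop a trailing _digits suffix like the one the uploader appends to stored names.
    return any(re.sub(r"_\d+$", "", s) in EXECUTABLE_EXT for s in segments)

def scan_access_log(lines):
    """Return (ip, path, reason) for requests that touch the upload component."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, _status = m.groups()
        path = unquote(target.split("?", 1)[0])
        if method == "POST" and path.endswith(UPLOAD_ENDPOINTS):
            findings.append((ip, path, "POST to upload endpoint"))
        elif UPLOAD_DIR in path and suspicious_name(path.rsplit("/", 1)[-1]):
            findings.append((ip, path, "executable-looking name in uploads/"))
    return findings

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Dec/2018:10:01:02 +0000] "GET /wp-content/plugins/share-buttons/upload/index.php HTTP/1.1" 200 2101',
    '203.0.113.7 - - [22/Dec/2018:10:01:09 +0000] "POST /wp-content/plugins/share-buttons/upload/scripts/ajaxupload.php?filename=name&maxSize=9999999999 HTTP/1.1" 200 187',
    '203.0.113.7 - - [22/Dec/2018:10:01:15 +0000] "GET /wp-content/plugins/share-buttons/upload/uploads/a.php%3B_8841.gif HTTP/1.1" 200 12',
    '198.51.100.4 - - [22/Dec/2018:10:02:00 +0000] "GET /wp-content/plugins/share-buttons/upload/uploads/logo.png HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The same `suspicious_name` check can be run over a directory listing of the uploads folder to find files already on disk.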