SpareNet Servers Advertising & Link Exchange

اطلاعیه

بستن
هیچ اطلاعیه ای هنوز ایجاد نشده است .

Wordpress Easy Comment Uploads Shell Upload Vulnerability

بستن
X
 
  • فیلتر
  • زمان
  • نمایش
پاک کردن همه
نوشته‌های جدید

  • Wordpress Easy Comment Uploads Shell Upload Vulnerability

    [php]################################################## ##########################################
    # #
    # Exploit Title : Wordpress Easy Comment Uploads Shell Upload Vulnerability #
    # #
    # Author : Nafsh #
    # #
    # Discovered By : Tapco Security & Research Lab #
    # #
    # Home : sec-lab.ir #
    # #
    # Contact : research [at] sec-lab [dot] ir #
    # #
    # Date : 4/8/2012 - 13:33 #
    # #
    # Source : plugins.svn.wordpress.org/easy-comment-uploads/tags/0.60/upload.php #
    # #
    # DorK :

    intext:"Invalid referer" inurl:"upload.php" #
    # #
    ################################################## ###########################################
    # POC: In Previous Version You Can Upload Your Shell With Image MimeType
    But In New Version You Should Bypass Uploader With Http Refrer Phishing And Change Refrer To /wp-admin
    # Source :
    <?php
    // Check referer
    wp_verify_nonce ($_REQUEST ['_wpnonce'], 'ecu_upload_form')
    || write_js ("alert ('Invalid Referer')")
    || die ('Invalid referer');

    // Get needed info
    $target_dir = ecu_upload_dir_path ();
    $target_url = ecu_upload_dir_url ();
    $images_only = get_option ('ecu_images_only');
    $max_file_size = get_option ('ecu_max_file_size');

    if (!file_exists ($target_dir))
    mkdir ($target_dir);

    $target_path = find_unique_target ($target_dir
    . basename($_FILES['file']['name']));
    $target_name = basename ($target_path);

    // Debugging message example
    // write_js ("alert ('$target_url')");

    // Default values
    $filecode = "";
    $filelink = "";

    // Detect whether the uploaded file is an image
    $is_image = preg_match ('/(jpeg|png|gif)/i', $_FILES['file']['type']);
    $type = ($is_image) ? "img" : "file";

    if (!$is_image && $images_only) {
    $alert = "Sorry, you can only upload images.";
    } else if (filetype_blacklisted() && !filetype_whitelisted()) {
    $alert = "You are attempting to upload a file with a disallowed/unsafe filetype!";
    # #
    # #
    # http://[TARGET]/wp-content/plugins/wp-vipergb/easy-comment-uploads/upload.php #
    # http://[TARGET]/wp-content/plugins/easy-comment-uploads/upload.php
    # #
    ################################################## ###########################################
    # #
    # Dem0 : #
    # #
    # http://www.bulliesofnc.com/wp-content/plugins/wp-vipergb/easy-comment-uploads/upload.php
    # #
    # http://taymourschool.com/wp/wp-content/plugins/wp-vipergb/easy-comment-uploads/upload.php
    # #
    # http://equator-indonesia.com/wp-content/plugins/easy-comment-uploads/upload.php
    ################################################## ###########################################
    # #
    # We are : K0242 | Nafsh | Ehram.shahmohamadi #
    # #
    # Greetz : All sec-lab researchers #
    # #
    ################################################## ###########################################[/php]
    به پایان رسیدیم اما نکردیم آغاز
    فرو ریخت پرها نکردیم پرواز

  • #2
    RE: Wordpress Easy Comment Uploads Shell Upload Vulnerability

    سلام
    دوست عزیز یه دورک اگر قرار بدید ممنون میشم

    نظر


    • #3
      RE: Wordpress Easy Comment Uploads Shell Upload Vulnerability

      بفرمایید :
      intext:"Invalid referer" inurl:"upload.php"

      نظر

      صبر کنید ..
      X