WordPress Responsive Thumbnail Slider 1.0 Shell Upload

2015.08.28

Credit: Arash Khazaei

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-264

<!--
# Exploit Title: Wordpress Responsive Thumbnail Slider Arbitrary File Upload
# Date: 2015/8/29
# Exploit Author: Arash Khazaei
# Vendor Homepage:
https://wordpress.org/plugins/wp-responsive-thumbnail-slider/
# Software Link:
https://downloads.wordpress.org/plugin/wp-responsive-thumbnail-slider.zip
# Version: 1.0
# Tested on: Kali , Iceweasel Browser
# CVE : N/A
# Contact : http://twitter.com/0xClay
# Email : 0xclay@gmail.com
# Site : http://bhunter.ir
# Intrduction :
# Wordpress Responsive Thumbnail Slider Plugin iS A With 6000+ Active
Install
# And Suffer From A File Upload Vulnerability Allow Attacker Upload Shell
As A Image .
# Authors , Editors And Of Course Administrators This Vulnerability To Harm
WebSite .
-->
# POC :
# For Exploiting This Vulnerability :
# Go To Add Image Section And Upload File By Self Plugin Uploader
# Then Upload File With Double Extension Image
# And By Using A BurpSuite Or Tamper Data Change The File Name From
Shell.php.jpg To Shell.php
# And Shell Is Uploaded . :)
<!-- Discovered By Arash Khazaei (Aka JunkyBoy) -->

References:

https://downloads.wordpress.org/plugin/wp-responsive-thumbnail-slider.zip

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WordPress Responsive Thumbnail Slider 1.0 Shell Upload

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.