WordPress WP-DownloadManager Plugin 1.68.1 - Arbitrary File Upload Vulnerability



EKU-ID: 5679 CVE: OSVDB-ID:
Author: Mojtaba MobhaM Published: 2016-07-11 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


######################
# Exploit Title : WordPress WP-DownloadManager Plugin 1.68.1 - Arbitrary File Upload
# Exploit Author : Persian Hack Team
# Vendor Homepage : https://wordpress.org/plugins/wp-downloadmanager/
# Category: [ Webapps ]
# Tested on: [ Win ]
# Version: 1.68.1
# Date: 2016/07/10
######################
#
# PoC:
# Unrestricted File Upload In Admin Panel You Can Upload shell.php 
# http://localhost/wp/wp-admin/admin.php?page=wp-downloadmanager/download-add.php
# Find Shell Here : http://localhost/wp/wp-content/files/shell.php
  
================
 Vulnerable code
================
  
switch( $_POST['do'] ) {
        // Add File
        case __('Add File', 'wp-downloadmanager'):
            $file_type = ! empty( $_POST['file_type']) ? intval( $_POST['file_type'] ) : 0;
            switch($file_type) {
                case 0:
                    $file = ! empty( $_POST['file'] ) ? addslashes( wp_kses_post( trim( $_POST['file'] ) ) ) : '';
                    $file = download_rename_file($file_path, $file);
                    $file_size = filesize($file_path.$file);
                    break;
                case 1:
                    if($_FILES['file_upload']['size'] > get_max_upload_size()) {
                        $text = '<p style="color: red;">'.sprintf(__('File Size Too Large. Maximum Size Is %s', 'wp-downloadmanager'), format_filesize(get_max_upload_size())).'</p>';
                        break;
                    } else {
                        if(is_uploaded_file($_FILES['file_upload']['tmp_name'])) {
                            $file_upload_to = ! empty( $_POST['file_upload_to'] ) ? $_POST['file_upload_to'] : '';
                            if( $file_upload_to !== '/' ) {
                                $file_upload_to = $file_upload_to . '/';
                            }
                            if(move_uploaded_file($_FILES['file_upload']['tmp_name'], $file_path.$file_upload_to.basename($_FILES['file_upload']['name']))) {
                                $file = $file_upload_to.basename($_FILES['file_upload']['name']);
                                $file = download_rename_file($file_path, $file);
                                $file_size = filesize($file_path.$file);
                            } else {
                                $text = '<p style="color: red;">'.__('Error In Uploading File', 'wp-downloadmanager').'</p>';
                                break;
                            }
                        } else {
                            $text = '<p style="color: red;">'.__('Error In Uploading File', 'wp-downloadmanager').'</p>';
                            break;
                        }
                    }
                    break;
                                        }
                                          
        }     }   }
    }
  
  
  
#
######################
# Discovered by :  Mojtaba MobhaM 
# Greetz : T3NZOG4N & FireKernel & Dr.Askarzade & Masood Ostad & Dr.Koorangi &  Milad Hacking & JOK3R & MR.IMAN And All Persian Hack Team Members
# Homepage : http://persian-team.ir
######################