WordPress File Uploader Plugin PHP File Upload Vulnerability

WordPress ve joomlanın bitip tükenmeyen PHP file uload açıkları tüm hızıyla bulunmaya devam ediliyor.
Gene wordpress eklentilerinden File Uplooder Eklentisinde bulunan açık ve kullanım şekli şu şekilde;

# Exploit Title: WordPress File Uploader Plugin PHP File Upload Vulnerability
# Date: 01/21/2013
# Google Dork: inurl:"wp-file-uploader.php"
# Exploit Author: L@usch - http://la.usch.io - http://la.usch.io/files/exploits/wordpress-file-uploader-1.1.txt
# Vendor Homepage: http://wordpress.org/extend/plugins/wp-file-uploader/
# Software Link: http://downloads.wordpress.org/plugin/wp-file-uploader.zip
# Version: 1.1 and probably prior
# Tested on: WordPress 3.5 on Windows and Linux
 
Vulnerable Code: (process-form.php)
 
97: $filepart = fileinformation( $_FILES['postimage']['name'] );
98: $filename = $filepart['basename'];
99: // check if this filename already exist in the folder
100: $i = 2;
101: while ( in_array( $filename, $imageslist ) ) {
102: $filename = $filepart['filename'] . '_' . $i++ . '.' .$filepart['extension'];
103: }
104:  move_uploaded_file($_FILES["postimage"]["tmp_name"], $file_path.$filename);
 
Description:
 
Plugin simply upload the attachment with original name and extension to "wp-content/uploads/".
An attacker can upload php files and access them from remote.
 
Proof of Concept:
 
1. Visit vulnerable target and navigate to the "File Uploader" site.
2. Upload a file named shell.php
3. Access it with the browser on example.com/wp-content/uploads/shell.php
 
Done!
 
Proof Video: http://goo.gl/ogbsA

Bir cevap yazın

E-posta hesabınız yayımlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir