WordPress WP-DownloadManager Plugin 1.68.1 - Arbitrary File Upload Vulnerability

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

WordPress WP-DownloadManager Plugin 1.68.1 - Arbitrary File Upload Vulnerability

来源：http://persian-team.ir 作者：MobhaM 发布时间：2016-07-11

######################

# Exploit Title : WordPress WP-DownloadManager Plugin 1.68.1 - Arbitrary File Upload

# Exploit Author : Persian Hack Team

# Vendor Homepage : https://wordpress.org/plugins/wp-downloadmanager/

# Category: [ Webapps ]

# Tested on: [ Win ]

# Version: 1.68.1

# Date: 2016/07/10

######################

#

# PoC:

# Unrestricted File Upload In Admin Panel You Can Upload shell.php

# http://localhost/wp/wp-admin/admin.php?page=wp-downloadmanager/download-add.php

# Find Shell Here : http://localhost/wp/wp-content/files/shell.php

================

Vulnerable code

================

switch( $_POST['do'] ) {

// Add File

case __('Add File', 'wp-downloadmanager'):

$file_type = ! empty( $_POST['file_type']) ? intval( $_POST['file_type'] ) : 0;

switch($file_type) {

case 0:

$file = ! empty( $_POST['file'] ) ? addslashes( wp_kses_post( trim( $_POST['file'] ) ) ) : '';

$file = download_rename_file($file_path, $file);

$file_size = filesize($file_path.$file);

break;

case 1:

if($_FILES['file_upload']['size'] > get_max_upload_size()) {

$text = ''.sprintf(__('File Size Too Large. Maximum Size Is %s', 'wp-downloadmanager'), format_filesize(get_max_upload_size())).'';

break;

} else {

if(is_uploaded_file($_FILES['file_upload']['tmp_name'])) {

$file_upload_to = ! empty( $_POST['file_upload_to'] ) ? $_POST['file_upload_to'] : '';

if( $file_upload_to !== '/' ) {

$file_upload_to = $file_upload_to . '/';

}

if(move_uploaded_file($_FILES['file_upload']['tmp_name'], $file_path.$file_upload_to.basename($_FILES['file_upload']['name']))) {

$file = $file_upload_to.basename($_FILES['file_upload']['name']);

$file = download_rename_file($file_path, $file);

$file_size = filesize($file_path.$file);

} else {

$text = ''.__('Error In Uploading File', 'wp-downloadmanager').'';

break;

}

} else {

$text = ''.__('Error In Uploading File', 'wp-downloadmanager').'';

break;

}

break;

}

} } }

}

#

######################

# Discovered by : Mojtaba MobhaM

# Greetz : T3NZOG4N & FireKernel & Dr.Askarzade & Masood Ostad & Dr.Koorangi &  Milad Hacking & JOK3R & MR.IMAN And All Persian Hack Team Members

# Homepage : http://persian-team.ir

######################

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告