
WordPress Easy Comment Uploads Shell Upload

Posted on 06 August 2012

############################################################################################# # # # Exploit Title : WordPress Easy Comment Uploads Shell Upload Vulnerability # # # # Author : Nafsh # # # # Discovered By : Tapco Security & Research Lab # # # # Home : sec-lab.ir # # # # Contact : research [at] sec-lab [dot] ir # # # # Date : 4/8/2012 - 13:33 # # # # Source : plugins.svn.wordpress.org/easy-comment-uploads/tags/0.60/upload.php # # # # DorK : intext:"Invalid referer" inurl:"upload.php" # # # #############################################################################################
# POC: In the previous version a shell could be uploaded simply by sending it with an image MIME type, because the image check below reads the client-supplied `$_FILES['file']['type']`, which the uploader fully controls. In the new version the "Invalid referer" message is produced by `wp_verify_nonce($_REQUEST['_wpnonce'], 'ecu_upload_form')`, i.e. a WordPress nonce check on the `_wpnonce` parameter, not an HTTP Referer header check. The original advisory suggests bypassing it with Referer spoofing (setting the Referer to /wp-admin); what the code shown actually requires is a valid `_wpnonce` for the `ecu_upload_form` action (the action name suggests the token is emitted with the plugin's own comment-upload form, which would make it obtainable by any visitor who can see that form -- verify on the target). Note also that the stored filename is taken from the attacker-chosen `$_FILES['file']['name']` (only `basename()` is applied).
# Source : <?php // Check referer wp_verify_nonce ($_REQUEST ['_wpnonce'], 'ecu_upload_form') || write_js ("alert ('Invalid Referer')") || die ('Invalid referer'); // Get needed info $target_dir = ecu_upload_dir_path (); $target_url = ecu_upload_dir_url (); $images_only = get_option ('ecu_images_only'); $max_file_size = get_option ('ecu_max_file_size'); if (!file_exists ($target_dir)) mkdir ($target_dir); $target_path = find_unique_target ($target_dir . basename($_FILES['file']['name'])); $target_name = basename ($target_path); // Debugging message example // write_js ("alert ('$target_url')"); // Default values $filecode = ""; $filelink = ""; // Detect whether the uploaded file is an image $is_image = preg_match ('/(jpeg|png|gif)/i', $_FILES['file']['type']); $type = ($is_image) ? 
"img" : "file"; if (!$is_image && $images_only) { $alert = "Sorry, you can only upload images."; } else if (filetype_blacklisted() && !filetype_whitelisted()) { $alert = "You are attempting to upload a file with a disallowed/unsafe filetype!"; # (The source excerpt ends here. filetype_blacklisted(), filetype_whitelisted() and the code that actually writes the file to $target_path are not shown, so whether the extension filter blocks .php or .phtml uploads cannot be assessed from this page alone; it must be checked against the full upload.php.) # # # # # Vulnerable endpoint paths: # # http://[TARGET]/wp-content/plugins/wp-vipergb/easy-comment-uploads/upload.php # # http://[TARGET]/wp-content/plugins/easy-comment-uploads/upload.php # # ############################################################################################# # # # Demo : # # # # http://www.bulliesofnc.com/wp-content/plugins/wp-vipergb/easy-comment-uploads/upload.php # # # http://taymourschool.com/wp/wp-content/plugins/wp-vipergb/easy-comment-uploads/upload.php # # # http://equator-indonesia.com/wp-content/plugins/easy-comment-uploads/upload.php ############################################################################################# # # # We are : K0242 | Nafsh | Ehram.shahmohamadi # # # # Greetz : All sec-lab researchers # # # #############################################################################################

 
