Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ####################################################################
- # Exploit Title : WordPress fuecaHome Plugins Unauthorized File Insertation
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 06/03/2019
- # Vendor Homepage : wordpress.org ~ fueca.es
- # Tested On : Windows and Linux
- # Category : WebApps
- # Exploit Risk : Medium
- # Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
- # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
- # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
- # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
- ####################################################################
- # Impact :
- ***********
- WordPress fuecaHome Plugins is prone to an arbitrary file upload vulnerability.
- An attacker may leverage this issue to upload arbitrary files to the affected computer;
- this can result in arbitrary code execution within the context of the vulnerable application.
- Weaknesses in this category are related to the management of permissions,
- privileges, and other security features that are used to perform access control.
- ####################################################################
- # Arbitrary File Upload Exploit :
- ****************************
- /wp-content/plugins/fuecaHome/includes/formulario/frm_aspectos_documentos_adjuntos.php
- ####################################################################
- # Vulnerable Source Code : [ /frm_aspectos_documentos_adjuntos.php ]
- ****************************************************************
- <head/><link rel="stylesheet" href="http://formacion.fueca.org/css/jquery.fileupload.css">
- <link rel="stylesheet" href="//ajax.googleapis.com/ajax/libs/jqueryui/1.11.1/themes/dark-hive/jquery-ui.css" id="theme">
- <!-- Demo styles -->
- <link rel="stylesheet" href="http://formacion.fueca.org/css/demo.css">
- <!--[if lte IE 8]>
- <link rel="stylesheet" href="css/demo-ie8.css">
- <![endif]-->
- <!-- blueimp Gallery styles -->
- <link rel="stylesheet" href="//blueimp.github.io/Gallery/css/blueimp-gallery.min.css">
- <!-- CSS to style the file input field as button and adjust the Bootstrap progress bars -->
- <link rel="stylesheet" href="http://formacion.fueca.org/css/jquery.fileupload.css">
- <link rel="stylesheet" href="http://formacion.fueca.org/css/jquery.fileupload-ui.css">
- <!-- CSS adjustments for browsers with JavaScript disabled -->
- <noscript><link rel="stylesheet" href="css/jquery.fileupload-noscript.css"></noscript>
- <noscript><link rel="stylesheet" href="css/jquery.fileupload-ui-noscript.css"></noscript>
- <ul class="navigation">
- <li><h3><a href="https://github.com/blueimp/jQuery-File-Upload">jQuery File Upload</a></h3></li>
- <li><a href="https://github.com/blueimp/jQuery-File-Upload/tags">Download</a></li>
- <li><a href="https://github.com/blueimp/jQuery-File-Upload">Source Code</a></li>
- <li><a href="https://github.com/blueimp/jQuery-File-Upload/wiki">Documentation</a></li>
- <li><a href="https://blueimp.net">© blueimp.net</a></li>
- </ul>
- <h1>jQuery File Upload Demo</h1>
- <h2>jQuery UI version</h2>
- <form>
- <label for="theme-switcher">Theme:</label>
- <select id="theme-switcher" class="pull-right">
- <option value="black-tie">Black Tie</option>
- <option value="blitzer">Blitzer</option>
- <option value="cupertino">Cupertino</option>
- <option value="dark-hive" selected>Dark Hive</option>
- <option value="dot-luv">Dot Luv</option>
- <option value="eggplant">Eggplant</option>
- <option value="excite-bike">Excite Bike</option>
- <option value="flick">Flick</option>
- <option value="hot-sneaks">Hot sneaks</option>
- <option value="humanity">Humanity</option>
- <option value="le-frog">Le Frog</option>
- <option value="mint-choc">Mint Choc</option>
- <option value="overcast">Overcast</option>
- <option value="pepper-grinder">Pepper Grinder</option>
- <option value="redmond">Redmond</option>
- <option value="smoothness">Smoothness</option>
- <option value="south-street">South Street</option>
- <option value="start">Start</option>
- <option value="sunny">Sunny</option>
- <option value="swanky-purse">Swanky Purse</option>
- <option value="trontastic">Trontastic</option>
- <option value="ui-darkness">UI Darkness</option>
- <option value="ui-lightness">UI Lightness</option>
- <option value="vader">Vader</option>
- </select>
- </form>
- <ul class="navigation">
- <li><a href="basic.html">Basic</a></li>
- <li><a href="basic-plus.html">Basic Plus</a></li>
- <li><a href="index.html">Basic Plus UI</a></li>
- <li><a href="angularjs.html">AngularJS</a></li>
- <li class="active"><a href="jquery-ui.html">jQuery UI</a></li>
- </ul>
- <blockquote>
- <p>File Upload widget with multiple file selection, drag&drop support, progress bars, validation and preview images, audio and video for jQuery UI.<br>
- Supports cross-domain, chunked and resumable file uploads and client-side image resizing.<br>
- Works with any server-side platform (PHP, Python, Ruby on Rails, Java, Node.js, Go etc.) that supports standard HTML form file uploads.</p>
- </blockquote>
- <!-- The file upload form used as target for the file upload widget -->
- <form id="fileupload" action="//jquery-file-upload.appspot.com/" method="POST" enctype="multipart/form-data">
- <!-- Redirect browsers with JavaScript disabled to the origin page -->
- <noscript><input type="hidden" name="redirect" value="https://blueimp.github.io/jQuery-File-Upload/"></noscript>
- <!-- The fileupload-buttonbar contains buttons to add/delete files and start/cancel the upload -->
- <div class="fileupload-buttonbar">
- <div class="fileupload-buttons">
- <!-- The fileinput-button span is used to style the file input field as button -->
- <span class="fileinput-button">
- <span>Add files...</span>
- <input type="file" name="files[]" multiple>
- </span>
- <button type="submit" class="start">Start upload</button>
- <button type="reset" class="cancel">Cancel upload</button>
- <button type="button" class="delete">Delete</button>
- <input type="checkbox" class="toggle">
- <!-- The global file processing state -->
- <span class="fileupload-process"></span>
- </div>
- <!-- The global progress state -->
- <div class="fileupload-progress fade" style="display:none">
- <!-- The global progress bar -->
- <div class="progress" role="progressbar" aria-valuemin="0" aria-valuemax="100"></div>
- <!-- The extended global progress state -->
- <div class="progress-extended"> </div>
- </div>
- </div>
- <!-- The table listing the files available for upload/download -->
- <table role="presentation"><tbody class="files"></tbody></table>
- </form>
- <br>
- <h3>Demo Notes</h3>
- <ul>
- <li>The maximum file size for uploads in this demo is <strong>999 KB</strong> (default file size is unlimited).</li>
- <li>Only image files (<strong>JPG, GIF, PNG</strong>) are allowed in this demo (by default there is no file type restriction).</li>
- <li>Uploaded files will be deleted automatically after <strong>5 minutes or less</strong> (demo files are stored in memory).</li>
- <li>You can <strong>drag & drop</strong> files from your desktop on this webpage (see <a href="https://github.com/blueimp/jQuery-File-Upload/wiki/Browser-support">Browser support</a>).</li>
- <li>Please refer to the <a href="https://github.com/blueimp/jQuery-File-Upload">project website</a> and <a href="https://github.com/blueimp/jQuery-File-Upload/wiki">documentation</a> for more information.</li>
- <li>Built with <a href="https://jqueryui.com">jQuery UI</a>.</li>
- </ul>
- <!-- The blueimp Gallery widget -->
- <div id="blueimp-gallery" class="blueimp-gallery blueimp-gallery-controls" data-filter=":even">
- <div class="slides"></div>
- <h3 class="title"></h3>
- <a class="prev">‹</a>
- <a class="next">›</a>
- <a class="close">×</a>
- <a class="play-pause"></a>
- <ol class="indicator"></ol>
- </div>
- <!-- The template to display files available for upload -->
- <script id="template-upload" type="text/x-tmpl">
- {% for (var i=0, file; file=o.files[i]; i++) { %}
- <tr class="template-upload fade">
- <td>
- <span class="preview"></span>
- </td>
- <td>
- <p class="name">{%=file.name%}</p>
- <strong class="error"></strong>
- </td>
- <td>
- <p class="size">Processing...</p>
- <div class="progress"></div>
- </td>
- <td>
- {% if (!i && !o.options.autoUpload) { %}
- <button class="start" disabled>Start</button>
- {% } %}
- {% if (!i) { %}
- <button class="cancel">Cancel</button>
- {% } %}
- </td>
- </tr>
- {% } %}
- </script>
- <!-- The template to display files available for download -->
- <script id="template-download" type="text/x-tmpl">
- {% for (var i=0, file; file=o.files[i]; i++) { %}
- <tr class="template-download fade">
- <td>
- <span class="preview">
- {% if (file.thumbnailUrl) { %}
- <a href="{%=file.url%}" title="{%=file.name%}" download="{%=file.name%}" data-gallery><img src="{%=file.thumbnailUrl%}"></a>
- {% } %}
- </span>
- </td>
- <td>
- <p class="name">
- <a href="{%=file.url%}" title="{%=file.name%}" download="{%=file.name%}" {%=file.thumbnailUrl?'data-gallery':''%}>{%=file.name%}</a>
- </p>
- {% if (file.error) { %}
- <div><span class="error">Error</span> {%=file.error%}</div>
- {% } %}
- </td>
- <td>
- <span class="size">{%=o.formatFileSize(file.size)%}</span>
- </td>
- <td>
- <button class="delete" data-type="{%=file.deleteType%}" data-url="{%=file.deleteUrl%}"{% if (file.deleteWithCredentials) { %} data-xhr-fields='{"withCredentials":true}'{% } %}>Delete</button>
- <input type="checkbox" name="delete" value="1" class="toggle">
- </td>
- </tr>
- {% } %}
- </script>
- <!--<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>-->
- <script src="//ajax.googleapis.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js"></script>
- <!-- The Templates plugin is included to render the upload/download listings -->
- <script src="//blueimp.github.io/JavaScript-Templates/js/tmpl.min.js"></script>
- <!-- The Load Image plugin is included for the preview images and image resizing functionality -->
- <script src="//blueimp.github.io/JavaScript-Load-Image/js/load-image.all.min.js"></script>
- <!-- The Canvas to Blob plugin is included for image resizing functionality -->
- <script src="//blueimp.github.io/JavaScript-Canvas-to-Blob/js/canvas-to-blob.min.js"></script>
- <!-- blueimp Gallery script -->
- <script src="//blueimp.github.io/Gallery/js/jquery.blueimp-gallery.min.js"></script>
- <!-- The Iframe Transport is required for browsers without support for XHR file uploads -->
- <script src="http://formacion.fueca.org/js/jquery.iframe-transport.js"></script>
- <!-- The basic File Upload plugin -->
- <script src="http://formacion.fueca.org/js/jquery.fileupload.js"></script>
- <!-- The File Upload processing plugin -->
- <script src="http://formacion.fueca.org/js/jquery.fileupload-process.js"></script>
- <!-- The File Upload image preview & resize plugin -->
- <script src="http://formacion.fueca.org/js/jquery.fileupload-image.js"></script>
- <!-- The File Upload audio preview plugin -->
- <script src="http://formacion.fueca.org/js/jquery.fileupload-audio.js"></script>
- <!-- The File Upload video preview plugin -->
- <script src="http://formacion.fueca.org/js/jquery.fileupload-video.js"></script>
- <!-- The File Upload validation plugin -->
- <script src="http://formacion.fueca.org/js/jquery.fileupload-validate.js"></script>
- <!-- The File Upload user interface plugin -->
- <script src="http://formacion.fueca.org/js/jquery.fileupload-ui.js"></script>
- <!-- The File Upload jQuery UI plugin -->
- <script src="http://formacion.fueca.org/js/jquery.fileupload-jquery-ui.js"></script>
- <!-- The main application script -->
- <!--<script src="http://formacion.fueca.org/js/main.js"></script>-->
- <script type="text/javascript">
- jQuery(function($){
- $(function () {
- 'use strict';
- // Initialize the jQuery File Upload widget:
- $('#fileupload').fileupload({
- // Uncomment the following to send cross-domain cookies:
- //xhrFields: {withCredentials: true},
- url: '
- ####################################################################
- # Example Vulnerable Sites :
- *************************
- [+] fueca.es/wp-content/plugins/fuecaHome/includes/formulario/frm_aspectos_documentos_adjuntos.php
- ####################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ####################################################################
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement