KingSkrupellos

WordPress Share-Buttons Plugins 4.9.9 Shell Upload Vuln

Dec 23rd, 2018
#################################################################################################

# Exploit Title : WordPress Share-Buttons Plugins 4.9.9 Remote Shell Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 22/12/2018
# Vendor Homepage : wordpress.org ~ sbuttons.ru
# Software Download Link : atwebresults.com/php_ajax_image_upload/
+ wordpress.org/plugins/tags/share-buttons/
+ raw.githubusercontent.com/usaphp/plufit/master/wp-content/plugins/share-buttons/upload/index.php
# Tested On : Windows and Linux
# Category : WebApps
# Version Information : V2.7 ~ V4.0 ~ V4.4.2 ~ V4.6.1 ~ V4.7.12 ~ V4.8.8 ~ V4.9.7 ~ V4.9.8 ~ V4.9.9
+ Apache 2.4.10 ~ Apache 2.4.33 ~ Apache 2.4.35 ~ PHP 5.6.38 ~ OpenSSL 0.9.8e ~ UNIX OS ~
+ jQuery 1.8.2 ~ Nginx 1.12.2 ~ Nginx 1.10.3
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/plugins/share-buttons/''
+ intext:''Sleeker More "Web 2.0" onChange Use'' /wp-content/plugins/share-buttons/
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
+ CWE-434 - [ Unrestricted Upload of File with Dangerous Type ]

#################################################################################################

# Admin Panel Login Path :

/wp-login.php

# Arbitrary File Upload/Remote Shell Upload Exploit :

/wp-content/plugins/share-buttons/upload/index.php

/wp-content/plugins/share-buttons/upload/scripts/ajaxupload.php

Error : Error(s) Found: File Size Empty,

# Directory File Path :

/wp-content/plugins/share-buttons/upload/uploads/[FILENAMEHERE]_[RANDOM-NUMBERS].png

# Note : .php;.gif ~ .asp;.png ~ .shtml.fla;.jpeg

#################################################################################################
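
The following Python is an added example, not part of the original paste or of the plugin's code: it triages web-server access logs for the upload endpoints and uploads directory listed above, and flags stored names that carry an executable extension ahead of an image suffix, as in the Note. The extension set, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Paths taken from the advisory above.
PLUGIN = "/wp-content/plugins/share-buttons/upload/"
UPLOAD_ENDPOINTS = (PLUGIN + "index.php", PLUGIN + "scripts/ajaxupload.php")
UPLOAD_DIR = PLUGIN + "uploads/"

# Assumption: extensions a PHP/ASP/SSI-enabled server may hand to an interpreter.
EXECUTABLE = {"php", "php3", "php4", "php5", "phtml", "phar",
              "asp", "aspx", "jsp", "cgi", "pl", "shtml"}

# Assumption: Apache/Nginx combined log format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def has_executable_segment(filename):
    """True if any '.'- or ';'-separated part after the base name is an
    executable extension, even when the name ends in an image type."""
    parts = re.split(r"[.;]", filename.lower())[1:]
    return any(p in EXECUTABLE for p in parts)

def triage(log_lines):
    """Return (ip, reason, path, status) for hits on the plugin's upload surface."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, method, target, status = m.groups()
        path = unquote(target.split("?", 1)[0])  # decode %3B etc. before matching
        if method == "POST" and path.endswith(UPLOAD_ENDPOINTS):
            findings.append((ip, "upload-post", path, int(status)))
        elif UPLOAD_DIR in path and has_executable_segment(path.rsplit("/", 1)[-1]):
            findings.append((ip, "executable-name-in-uploads", path, int(status)))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Dec/2018:10:01:02 +0000] "POST ' + UPLOAD_ENDPOINTS[1]
    + '?filename=name&maxW=200 HTTP/1.1" 200 312',
    '198.51.100.7 - - [23/Dec/2018:10:01:09 +0000] "GET ' + UPLOAD_DIR
    + 'a.php%3B_48213.png HTTP/1.1" 200 15',
    '203.0.113.20 - - [23/Dec/2018:10:02:00 +0000] "GET ' + UPLOAD_DIR
    + 'logo.png HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Any finding is a reason to check whether the plugin's bundled upload/ directory is present on the site and whether the web server is configured to execute scripts from its uploads/ folder.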

Vulnerable File Code : /upload/index.php

************************************

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8" />
<title>PHP AJAX Image Upload, Truly Web 2.0!</title>
<link href="css/styles.css" rel="stylesheet" type="text/css" media="all" />
<!-- MAKE SURE TO REFERENCE THIS FILE! -->
<script type="text/javascript" src="scripts/ajaxupload.js"></script>
<!-- END REQUIRED JS FILES -->
<!-- THIS CSS MAKES THE IFRAME NOT JUMP -->
<style type="text/css">
iframe {
display:none;
}
</style>
<!-- THIS CSS MAKES THE IFRAME NOT JUMP -->
</head>
<body>
<div id="container">
<!-- THIS IS THE IMPORTANT STUFF! -->
<div id="demo_area">
<div id="left_col">
<!--
VERY IMPORTANT! Update the form elements below ajaxUpload fields:
1. form - the form to submit or the ID of a form (ex. this.form or standard_use)
2. url_action - url to submit the form. like 'action' parameter of forms.
3. id_element - element that will receive return of upload.
4. html_show_loading - Text (or image) that will be show while loading
5. html_error_http - Text (or image) that will be show if HTTP error.

VARIABLE PASSED BY THE FORM:
maximum allowed file size in bytes:
maxSize = 9999999999

maximum image width in pixels:
maxW = 100

maximum image height in pixels:
maxH = 100

the full path to the image upload folder:
fullPath = http://www.atwebresults.com/php_ajax_image_upload/uploads/

the relative path from scripts/ajaxupload.php -> uploads/ folder
relPath = ../uploads/

The next 3 are for cunstom matte color of transparent images (gif,png), use RGB value
colorR = 255
colorG = 255
colorB = 255

The form name of the file upload script
filename = filename
-->
<fieldset>
<legend>Sleeker More "Web 2.0" onChange Use</legend>
<form action="index.php" method="post" name="sleeker" id="sleeker" enctype="multipart/form-data">
<input type="hidden" name="maxSize" value="9999999999" />
<input type="hidden" name="maxW" value="200" />
<input type="hidden" name="fullPath" value="http://test-wordpress.kg/upload/uploads/" />
<input type="hidden" name="relPath" value="../uploads/" />
<input type="hidden" name="colorR" value="255" />
<input type="hidden" name="colorG" value="255" />
<input type="hidden" name="colorB" value="255" />
<input type="hidden" name="maxH" value="300" />
<input type="hidden" name="filename" value="filename" />
<p><input type="file" name="filename" onchange="ajaxUpload(this.form,'scripts/ajaxupload.php?filename=name&amp;maxSize=9999999999&amp;maxW=200&amp;fullPath=http://test-wordprees.kg/upload/uploads/&amp;relPath=../uploads/&amp;colorR=255&amp;colorG=255&amp;colorB=255&amp;maxH=300','upload_area','File Uploading Please Wait...&lt;br /&gt;&lt;img src=\'images/loader_light_blue.gif\' width=\'128\' height=\'15\' border=\'0\' /&gt;','&lt;img src=\'images/error.gif\' width=\'16\' height=\'16\' border=\'0\' /&gt; Error in Upload, check settings and path info in source code.'); return false;" /></p>
</form>
</fieldset>
<br /><small style="font-weight: bold; font-style:italic;">Supported File Types: gif, jpg, png</small>
</div>
<div id="right_col">
<?php

?>
<div id="upload_area"><img src="uploads/logo.png">
</div>
</div>
<div class="clear"> </div>
</div>
<!-- END IMPORTANT STUFF -->
</body>
</html>

#################################################################################################

# Example Vulnerable Sites =>

#################################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

#################################################################################################