WordPress Share-Buttons 4.9.9 Shell Upload

  • WordPress Share-Buttons plugin version 4.9.9 suffers from a remote shell upload vulnerability.

    #################################################################################################  
    # Exploit Title : WordPress Share-Buttons Plugins 4.9.9 Remote Shell Upload Vulnerability
    # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
    # Date : 22/12/2018  
    # Vendor Homepage : wordpress.org ~ sbuttons.ru  
    # Software Download Link : atwebresults.com/php_ajax_image_upload/
    + wordpress.org/plugins/tags/share-buttons/
    + raw.githubusercontent.com/usaphp/plufit/master/wp-content/plugins/share-buttons/upload/index.php
    # Tested On : Windows and Linux  
    # Category : WebApps  
    # Version Information : V2.7 ~ V4.0 ~ V4.4.2 ~ V4.6.1 ~ V4.7.12 ~ V4.8.8 ~ V4.9.7 ~ V4.9.8 ~ V4.9.9
    + Apache 2.4.10 ~ Apache 2.4.33 ~ Apache 2.4.35 ~ PHP 5.6.38 ~ OpenSSL 0.9.8e ~ UNIX OS ~
    + jQuery 1.8.2 ~ Nginx 1.12.2 ~ Nginx 1.10.3
    # Exploit Risk : Medium  
    # Google Dorks :  inurl:''/wp-content/plugins/share-buttons/''  
    + intext:''Sleeker More "Web 2.0" onChange Use''  
    /wp-content/plugins/share-buttons/  
    # Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
    + CWE-434 - [ Unrestricted Upload of File with Dangerous Type ]
    #################################################################################################  
    # Admin Panel Login Path :  
    /wp-login.php  
    # Arbitrary File Upload/Remote Shell Upload Exploit :  
    /wp-content/plugins/share-buttons/upload/index.php  
    /wp-content/plugins/share-buttons/upload/scripts/ajaxupload.php  
    Error : Error(s) Found: File Size Empty,  
    # Directory File Path :  
    /wp-content/plugins/share-buttons/upload/uploads/[FILENAMEHERE]_[RANDOM-NUMBERS].png  
    # Note : .php;.gif ~ .asp;.png ~ .shtml.fla;.jpeg  
    #################################################################################################  
    Vulnerable File Code : /upload/index.php  
    ************************************  
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"  
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">  
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">  
    <head>  
    <meta http-equiv="content-type" content="text/html;charset=utf-8" />  
    <title>PHP AJAX Image Upload, Truly Web 2.0!</title>  
    <link href="css/styles.css" rel="stylesheet" type="text/css" media="all" />  
    <!-- MAKE SURE TO REFERENCE THIS FILE! -->  
    <script type="text/javascript" src="scripts/ajaxupload.js"></script>  
    <!-- END REQUIRED JS FILES -->  
    <!-- THIS CSS MAKES THE IFRAME NOT JUMP -->  
    <style type="text/css">  
    iframe {  
    display:none;  
    }  
    </style>  
    <!-- THIS CSS MAKES THE IFRAME NOT JUMP -->  
    </head>  
    <body>  
    <div id="container">  
    <!-- THIS IS THE IMPORTANT STUFF! -->  
    <div id="demo_area">  
    <div id="left_col">  
    <!--  
    VERY IMPORTANT! Update the form elements below ajaxUpload fields:  
    1. form - the form to submit or the ID of a form (ex. this.form or  
    standard_use)  
    2. url_action - url to submit the form. like 'action' parameter of forms.  
    3. id_element - element that will receive return of upload.  
    4. html_show_loading - Text (or image) that will be show while loading  
    5. html_error_http - Text (or image) that will be show if HTTP error.  
    VARIABLE PASSED BY THE FORM:  
    maximum allowed file size in bytes:  
    maxSize = 9999999999  
    maximum image width in pixels:  
    maxW = 100  
    maximum image height in pixels:  
    maxH = 100  
    the full path to the image upload folder:  
    fullPath = http://www.atwebresults.com/php_ajax_image_upload/uploads/  
    the relative path from scripts/ajaxupload.php -> uploads/ folder  
    relPath = ../uploads/  
    The next 3 are for cunstom matte color of transparent images (gif,png), use  
    RGB value  
    colorR = 255  
    colorG = 255  
    colorB = 255  
    The form name of the file upload script  
    filename = filename  
    -->  
    <fieldset>  
    <legend>Sleeker More "Web 2.0" onChange Use</legend>  
    <form action="index.php" method="post" name="sleeker" id="sleeker"  
    enctype="multipart/form-data">  
    <input type="hidden" name="maxSize" value="9999999999" />  
    <input type="hidden" name="maxW" value="200" />  
    <input type="hidden" name="fullPath" value="  
    http://test-wordpress.kg/upload/uploads/" />  
    <input type="hidden" name="relPath" value="../uploads/" />  
    <input type="hidden" name="colorR" value="255" />  
    <input type="hidden" name="colorG" value="255" />  
    <input type="hidden" name="colorB" value="255" />  
    <input type="hidden" name="maxH" value="300" />  
    <input type="hidden" name="filename" value="filename" />  
    <p><input type="file" name="filename"  
    onchange="ajaxUpload(this.form,'scripts/ajaxupload.php?filename=name&maxSize=9999999999&maxW=200&fullPath=  
    http://test-wordprees.kg/upload/uploads/&relPath=../uploads/&colorR=255&colorG=255&colorB=255&maxH=300','upload_area','File  
    Uploading Please Wait...<br /><img  
    src=\'images/loader_light_blue.gif\' width=\'128\' height=\'15\'  
    border=\'0\' />','<img src=\'images/error.gif\' width=\'16\'  
    height=\'16\' border=\'0\' /> Error in Upload, check settings and path  
    info in source code.'); return false;" /></p>  
    </form>  
    </fieldset>  
    <br /><small style="font-weight: bold; font-style:italic;">Supported File  
    Types: gif, jpg, png</small>  
    </div>  
    <div id="right_col">  
    <?php  
    ?>  
    <div id="upload_area"><img src="uploads/logo.png">  
    </div>  
    </div>  
    <div class="clear"> </div>  
    </div>  
    <!-- END IMPORTANT STUFF -->  
    </body>  
    </html>  
    #################################################################################################  
    # Example Vulnerable Sites =>  
    #################################################################################################  
    # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team  
    #################################################################################################  
    

    Source: packetstormsecurity.com
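
An added defensive example, not part of the original advisory or the plugin's code: a Python audit of the plugin's upload folder that flags stored files matching the filename tricks in the advisory's note (semicolons, embedded script extensions) or whose bytes do not fit the image type their extension claims. The extension list, magic-byte table, function names and sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Folder and filename tricks come from the advisory; the rest is assumed.
UPLOAD_DIR = "wp-content/plugins/share-buttons/upload/uploads"
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|asp|aspx|shtml|cgi|pl)(?=[.;_]|$)", re.I)
MAGIC = {".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
         ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",)}

def classify(name, data):
    """Return the reasons a stored upload looks suspicious (empty if none)."""
    reasons = []
    if ";" in name:
        reasons.append("semicolon in filename")
    if SCRIPT_EXT.search(name):
        reasons.append("script extension in filename")
    ext = Path(name).suffix.lower()
    if ext not in MAGIC:
        reasons.append("extension is not gif/jpg/png")
    elif not data.startswith(MAGIC[ext]):
        reasons.append("content does not match image type")
    if b"<?php" in data.lower():  # a valid image header does not rule this out
        reasons.append("PHP open tag in content")
    return reasons

def audit(wp_root):
    """Map each suspicious file in the plugin's upload folder to its reasons."""
    folder = Path(wp_root, UPLOAD_DIR)
    findings = {}
    for path in sorted(folder.iterdir()) if folder.is_dir() else []:
        if path.is_file():
            reasons = classify(path.name, path.read_bytes())
            if reasons:
                findings[path.name] = reasons
    return findings

def demo():
    """Audit a constructed upload folder (all sample files are made up)."""
    samples = {"logo.png": b"\x89PNG\r\n\x1a\n" + bytes(16),
               "avatar_48213.png": b"\x89PNG\r\n\x1a\n<?php /* constructed placeholder */ ?>",
               "note.php;.gif": b"GIF89a" + bytes(16),
               "page.shtml.fla;.jpeg": b"\xff\xd8\xff" + bytes(16)}
    with tempfile.TemporaryDirectory() as root:
        folder = Path(root, UPLOAD_DIR)
        folder.mkdir(parents=True)
        for name, data in samples.items():
            (folder / name).write_bytes(data)
        return audit(root)
```

Call `audit()` with the WordPress document root; any finding under this folder, or the folder existing at all on a site that does not need the upload demo, is a reason to remove the `upload/` directory and review web-server logs for requests to it.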
