Wordpress plugin Windows Desktop and iPhone Photo Uploader arbitrary file upload vulnerbility

vendor:

Windows Desktop and iPhone Photo Uploader

by:

Manish Kishan Tanwar AKA error1046

7.5

CVSS

HIGH

Arbitrary File Upload

434

CWE

Product Name: Windows Desktop and iPhone Photo Uploader

Affected Version From: 1.8

Affected Version To: 1.8

Patch Exists: NO

Related CWE: N/A

CPE: a:wordpress:wordpress_plugin:i-dump-iphone-to-wordpress-photo-uploader

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2015

WordPress plugin Windows Desktop and iPhone Photo Uploader arbitrary file upload vulnerbility

The file uploading code(uploader.php) in Windows Desktop and iPhone Photo Uploader plugin does not check for file extension before uploading it to the server, making it vulnerable to arbitrary file upload. To exploit this vulnerability, an attacker can open uploader.php in the plugin directory, browse for a PHP shell, and submit it. The shell will then be uploaded to the uploads directory at http://target.com/wp-content/uploads/i-dump-uploads/.

Mitigation:

Ensure that the file uploading code checks for file extensions before uploading it to the server.

Source

Exploit-DB raw data:

##################################################################################################
#Exploit Title : Wordpress plugin Windows Desktop and iPhone Photo Uploader arbitrary file upload vulnerbility
#Author        : Manish Kishan Tanwar AKA error1046
#Home Page     : https://wordpress.org/plugins/i-dump-iphone-to-wordpress-photo-uploader/
#Download Link : https://downloads.wordpress.org/plugin/i-dump-iphone-to-wordpress-photo-uploader.1.8.zip
#Date          : 9/04/2015
#Love to       : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Incredible,Kishan Singh and ritu rathi
#Discovered At : Indishell Lab
##################################################################################################

////////////////////////
/// Overview:
////////////////////////

file uploading code(uploader.php) in Windows Desktop and iPhone Photo Uploader plugin doesnt check for file extension before uploading it to server
and hence vulnerable to arbitrary file upload

////////////////
///  POC   ////
///////////////


Uploading PHP shell 
=================================
Just open uploader.php in plugin directory
http://target.com/wp-content/plugins/i-dump-iphone-to-wordpress-photo-uploader/uploader.php
browse your php shell and submit it.
after uploading, you will get your shell in uploads directory at following location

http://target.com/wp-content/uploads/i-dump-uploads/

demo:-
http://127.0.0.1/wordpress/wp-content/plugins/i-dump-iphone-to-wordpress-photo-uploader/uploader.php
and upload your shell


                             --==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba, 
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash
#############################################################################################
                             --==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty and Don(Deepika kaushik)
                       --==[[ Special Fuck goes to ]]==--
                            <3  suriya Cyber Tyson <3