WordPress Levo-Slideshow plugin version 2.3 suffers from a remote shell upload vulnerability.
1e3a87c6e895d83107e72876740165625d6152fbd1f136ce8f74484c904d980d
#Exploit Name: Wordpress Levo-Slideshow 2.3 Shell Upload by Unprivileged User
#Exploit Date: 5/6/2016
#Author: Aaditya Purani
#Author Blog: https://aadityapurani.com
#Vendor: https://wordpress.org/plugins/wp-levoslideshow
#Version: 2.3
#Tested on: Wordpress 4.5.2
Hi, this is Aaditya Purani. Let's have a look at this 0-day exploit.
Plugin Description:
WP-Levoslideshow is a WordPress plugin that lets users display multiple
slideshow instances in their posts, each with its own categories and images.
PoC (Proof of Concept):
1) Log in as an unprivileged user, one who does not even have the privilege
to upload a plugin.
2) Go to http://site.com/wp-admin/admin.php?page=levoslideshow_manage
3) If a gallery already exists, do not create one; go to "Category Management",
click "Add New", upload any .png / .jpg image from your PC and intercept
the request.
4) After intercepting the upload request, send it to Repeater. Change the
filename to image.png.php and, in the POST image data, add your PHP
backdoor between the image chunks. The server keeps the supplied filename,
so the stored file ends in .php. It should look like this:
http://postimg.org/image/ih4lwyad7/
5) Forward the request and go to
site.com/wp-content/uploads/levoslideshow/[ALBUM_NUMBER]_uploadfolder/big/[YourShell]
to access your shell.
That's it.
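The following is an added example and not part of the original advisory or the plugin's code. It builds the kind of file step 4 describes (a valid PNG with PHP appended), shows an illustrative weak validator of the sort that lets "image.png.php" through (a filename check that only looks for an image extension somewhere in the name, plus a magic-byte check), and contrasts it with a stricter validator that keys on the last extension and rejects data trailing the PNG IEND chunk. The PNG bytes and the PHP payload are constructed here; the validator names and the weak check are hypothetical and are not claims about what the plugin does.

```python
import re
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"


def _chunk(tag: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, tag, data, CRC32 over tag+data."""
    body = tag + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def minimal_png() -> bytes:
    """Constructed 1x1 RGB PNG, standing in for the 'any .png image' of step 3."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + one red pixel
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed stand-in for the "PHP backdoor" of step 4; any PHP tag will do for the checks below.
PHP_PAYLOAD = b"<?php echo 'uploaded'; ?>"


def polyglot(image: bytes, payload: bytes) -> bytes:
    """Step 4: PHP appended after the image bytes. The PHP engine outputs
    everything outside <?php ... ?> verbatim, so the file still starts with a
    valid image signature yet executes the payload when served as .php."""
    return image + payload


def weak_check(filename: str, data: bytes) -> bool:
    """Hypothetical weak validator (not the plugin's code): an image extension
    appearing anywhere in the name plus an image magic number. image.png.php
    satisfies both conditions."""
    name_ok = any(ext in filename.lower() for ext in (".png", ".jpg", ".jpeg"))
    magic_ok = data.startswith(PNG_MAGIC) or data.startswith(JPEG_MAGIC)
    return name_ok and magic_ok


def png_has_trailing_data(data: bytes) -> bool:
    """Walk the chunk list; True if anything follows the IEND chunk (where an
    appended payload lands) or if the chunk structure is not well formed."""
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        tag = data[pos + 4:pos + 8]
        pos += 8 + length + 4  # header + data + CRC
        if tag == b"IEND":
            return pos != len(data)
    return True


def strict_check(filename: str, data: bytes) -> bool:
    """Hardened validator: the whole filename must be one safe stem plus one
    image extension (the LAST extension decides what the web server executes),
    the magic number must match that extension, and a PNG must end at IEND."""
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.(png|jpe?g)", filename, re.IGNORECASE)
    if not m:
        return False
    if m.group(1).lower() == "png":
        return data.startswith(PNG_MAGIC) and not png_has_trailing_data(data)
    return data.startswith(JPEG_MAGIC)


if __name__ == "__main__":
    shell = polyglot(minimal_png(), PHP_PAYLOAD)
    print("weak_check  image.png.php:", weak_check("image.png.php", shell))
    print("strict_check image.png.php:", strict_check("image.png.php", shell))
    print("strict_check image.png (clean):", strict_check("image.png", minimal_png()))
```

Beyond the file checks, the fixes a plugin author would want here are server-side: verify the caller's capability (for example `current_user_can('upload_files')`) and a nonce before handling the upload, generate the stored filename on the server rather than keeping the client's, and configure the uploads directory so the web server never executes PHP from it.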
Follow: https://twitter.com/aaditya_purani
Website: https://aaditya.com