what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 5 of 5 RSS Feed

Files from Marc-Alexandre Montpas

First Active2014-07-06
Last Active2023-06-30
WordPress Ultimate Member 2.6.6 Privilege Escalation
Posted Jun 30, 2023
Authored by Marc-Alexandre Montpas, Ramuel Gall, Istvan Marton

WordPress Ultimate Member plugin versions 2.6.6 and below suffer from a privilege escalation vulnerability.

tags | advisory
advisories | CVE-2023-3460
SHA-256 | f5d75217bac851597070df579c5cffbcbc42ab75dddb1476c2fdcaa31a651b75
Joomla HTTP Header Unauthenticated Remote Code Execution
Posted Dec 17, 2015
Authored by Christian Mehlmauer, Marc-Alexandre Montpas | Site metasploit.com

Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5.0 to 3.4.5. By storing user supplied headers in the databases session table it's possible to truncate the input by sending an UTF-8 character. The custom created payload is then executed once the session is read from the database. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13. In later versions the deserialisation of invalid session data stops on the first error and the exploit will not work. The PHP Patch was included in Ubuntu versions 5.5.9+dfsg-1ubuntu4.13 and 5.3.10-1ubuntu3.20 and in Debian in version 5.4.45-0+deb7u1.

tags | exploit, remote, php, code execution
systems | linux, debian, ubuntu
advisories | CVE-2015-8562
SHA-256 | 5a665a27f3d12ff63349cd4ca300cdf8e60e5919f5df2fde458870a5b8bac108
WordPress Platform Theme Remote Code Execution
Posted Feb 4, 2015
Authored by Christian Mehlmauer, Marc-Alexandre Montpas | Site metasploit.com

The Wordpress Theme "platform" contains a remote code execution vulnerability through an unchecked admin_init call. The theme includes the uploaded file from it's temp filename with php's include function.

tags | exploit, remote, php, code execution
SHA-256 | c111d9d51c266ad61917964f9eea57d1334074e2ca4b8eb80252f3ed807ddc0f
Wordpress WPTouch Authenticated File Upload
Posted Jul 15, 2014
Authored by Christian Mehlmauer, Marc-Alexandre Montpas | Site metasploit.com

The Wordpress WPTouch plugin contains an authenticated file upload vulnerability. A wp-nonce (CSRF token) is created on the backend index page and the same token is used on handling ajax file uploads through the plugin. By sending the captured nonce with the upload, we can upload arbitrary files to the upload folder. Because the plugin also uses it's own file upload mechanism instead of the wordpress api it's possible to upload any file type. The user provided does not need special rights. Also users with "Contributer" role can be abused.

tags | exploit, arbitrary, file upload
SHA-256 | 3b83080229ddf1398d4c0e14805e19037ba1387ba609af42952912ac8e1c07bb
Wordpress MailPoet (wysija-newsletters) Unauthenticated File Upload
Posted Jul 6, 2014
Authored by Christian Mehlmauer, Marc-Alexandre Montpas | Site metasploit.com

The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8 is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme functionality to upload a zip file containing the payload. The plugin used the admin_init hook, which is also executed for unauthenticated users when accessing a specific URL. The developers tried to fix the vulnerability in version 2.6.7 but the fix can be bypassed. In PHPs default configuration, a POST variable overwrites a GET variable in the $_REQUEST array. The plugin uses $_REQUEST to check for access rights. By setting the POST parameter to something not beginning with 'wysija_', the check is bypassed. Wordpress uses the $_GET array to determine the page and is so not affected by this.

tags | exploit, php, file upload
SHA-256 | ce2cffe8515677c0d219f665bad07fe8ecea2cce4c18e01fcea51556c3c8c876
Page 1 of 1

File Archive:

September 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    2 Files
  • 2
    Sep 2nd
    21 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    17 Files
  • 5
    Sep 5th
    34 Files
  • 6
    Sep 6th
    29 Files
  • 7
    Sep 7th
    11 Files
  • 8
    Sep 8th
    25 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    26 Files
  • 12
    Sep 12th
    23 Files
  • 13
    Sep 13th
    17 Files
  • 14
    Sep 14th
    22 Files
  • 15
    Sep 15th
    16 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    19 Files
  • 19
    Sep 19th
    60 Files
  • 20
    Sep 20th
    23 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    8 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    17 Files
  • 26
    Sep 26th
    3 Files
  • 27
    Sep 27th
    13 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By