#############################################################################################
#                                                                                           #
# Exploit Title : Wordpress Easy Comment Uploads Shell Upload Vulnerability                                              #
#                                                                                           #
# Author        : Nafsh                                          #
#                                                                                           #
# Discovered By : Tapco Security & Research Lab                                                                     #
#                                                                                           #
# Home          : sec-lab.ir                                                                #
#                                                                                           #
# Contact       : research [at] sec-lab [dot] ir                                            #
#                                                                                           #
# Date          : 4/8/2012 - 13:33                                                         #
#                                                                                           #
# Source        : plugins.svn.wordpress.org/easy-comment-uploads/tags/0.60/upload.php                                                #
#                                                                                           #
#  DorK         : 

intext:"Invalid referer" inurl:"upload.php"                                     #
#                                                                                           #
#############################################################################################
# POC: In Previous Version You Can Upload Your Shell With Image MimeType
But In New Version You Should Bypass Uploader With Http Refrer Phishing And Change Refrer To /wp-admin
# Source :
        <?php
        // Check referer
        wp_verify_nonce ($_REQUEST ['_wpnonce'], 'ecu_upload_form')
            || write_js ("alert ('Invalid Referer')")
            || die ('Invalid referer');

        // Get needed info
        $target_dir = ecu_upload_dir_path ();
        $target_url = ecu_upload_dir_url ();
        $images_only = get_option ('ecu_images_only');
        $max_file_size = get_option ('ecu_max_file_size');

        if (!file_exists ($target_dir))
            mkdir ($target_dir);

        $target_path = find_unique_target ($target_dir
            . basename($_FILES['file']['name']));
        $target_name = basename ($target_path);

        // Debugging message example
//      write_js ("alert ('$target_url')");

        // Default values
        $filecode = "";
        $filelink = "";

        // Detect whether the uploaded file is an image
        $is_image = preg_match ('/(jpeg|png|gif)/i', $_FILES['file']['type']);
        $type = ($is_image) ? "img" : "file";

        if (!$is_image && $images_only) {
            $alert = "Sorry, you can only upload images.";
        } else if (filetype_blacklisted() && !filetype_whitelisted()) {
            $alert = "You are attempting to upload a file with a disallowed/unsafe filetype!";
#                                                                                           #
#                                                                                           #
#  http://[TARGET]/wp-content/plugins/wp-vipergb/easy-comment-uploads/upload.php                                                     #
#  http://[TARGET]/wp-content/plugins/easy-comment-uploads/upload.php
#                                                                                           #
#############################################################################################
#                                                                                           #
#  Dem0 :                                                                                   #
#                                                                                           #
# http://www.bulliesofnc.com/wp-content/plugins/wp-vipergb/easy-comment-uploads/upload.php   
#                                                                                           #
# http://taymourschool.com/wp/wp-content/plugins/wp-vipergb/easy-comment-uploads/upload.php
#                                                                                           #
# http://equator-indonesia.com/wp-content/plugins/easy-comment-uploads/upload.php
#############################################################################################
#                                                                                           #
#                       We are : K0242 | Nafsh | Ehram.shahmohamadi                         #
#                                                                                           #
#                             Greetz : All sec-lab researchers                              #
#                                                                                           #
#############################################################################################