2020-07-29

Arbitrary file upload vulnerability in Wordpress wpDiscuz plugin


Today i was going through Twitter and in one of the Tweet, I got to know about the vulnerability in "Wordpress wpDiscuz plugin". This vulnerability is discovered by Wordfence Team
 
Vulnerability is simple and can be exploited if user has permission to upload image as attachment.
Plugin is just checking for file "Magic Number" and not performing any check for file extension.

Here an attacker can take advantage to perform "Remote Code Execution" by following below mentioned steps:

Step 1: Rename image file to .php extension file
 
Step 2: open renamed file in text editor, append PHP code in the end of the file and save it.



Step 3: Go to website comment section and click to comment in comment box.


Step 4: Web application comment box will have option for image file attachment. Click the icon to browse the file which we modified in step 2.


Step 5: Fill the form with relevant information and post the comment.


Step 6: Web application will show the uploaded attached image file. Copy the image file URL.


 Step 7: In copied URL, remove the "-" symbol and image file dimension (it will be in the end) before .php extension.







 Step 8: Browse the URL and we have access to web shell.


Thanks for reading.

--==[[ With Love from Team IndiShell ]]==--
                             
 --==[[ Greetz To ]]==--
############################################################################################
#zero cool, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba
#Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad
#Hackuin,Alicks,mike waals, Dinelson Amine, cyber gladiator, Cyber Ace, Golden boy INDIA
#Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk, Bikash Dash, D3
#############################################################################################
                             --==[[Love to]]==--
# My Father ,my Ex Teacher, cold fire hacker, Mannu, ViKi,Ashu bhai ji, Soldier Of God, Bhuppi, Anurag, Cyber Warrior, Vivek Sir
#Mohit, Ffe, Ashish, Shardhanand, Budhaoo,Incredible, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)



Share this post

1 comments

:) :-) :)) =)) :( :-( :(( :d :-d @-) :p :o :>) (o) [-( :-? (p) :-s (m) 8-) :-t :-b b-( :-# =p~ :-$ (b) (f) x-) (k) (h) (c) cheer

© 2009 Start With Linux | Mannu Linux
Designed by cyb3r.gladiat0r
Posts RSSComments RSS
Back to top