#################################################################################################
# Exploit Title : WordPress Share-Buttons Plugins 4.9.9 Remote Shell Upload
Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security
Army
# Date : 22/12/2018
# Vendor Homepage : wordpress.org ~ sbuttons.ru
# Software Download Link : atwebresults.com/php_ajax_image_upload/
+ wordpress.org/plugins/tags/share-buttons/
+
raw.githubusercontent.com/usaphp/plufit/master/wp-content/plugins/share-buttons/upload/index.php
# Tested On : Windows and Linux
# Category : WebApps
# Version Information : V2.7 ~ V4.0 ~ V4.4.2 ~ V4.6.1 ~ V4.7.12 ~ V4.8.8 ~
V4.9.7 ~ V4.9.8 ~ V4.9.9
+ Apache 2.4.10 ~ Apache 2.4.33 ~ Apache 2.4.35 ~ PHP 5.6.38 ~ OpenSSL
0.9.8e ~ UNIX OS ~
+ jQuery 1.8.2 ~ Nginx 1.12.2 ~ Nginx 1.10.3
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/plugins/share-buttons/''
+ intext:''Sleeker More "Web 2.0" onChange Use''
/wp-content/plugins/share-buttons/
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access
Controls ]
+ CWE-434- [ Unrestricted Upload of File with Dangerous Type ]
#################################################################################################
# Admin Panel Login Path :
/wp-login.php
# Arbitrary File Upload/Remote Shell Upload Exploit :
/wp-content/plugins/share-buttons/upload/index.php
/wp-content/plugins/share-buttons/upload/scripts/ajaxupload.php
Error : Error(s) Found: File Size Empty,
# Directory File Path :
/wp-content/plugins/share-buttons/upload/uploads/[FILENAMEHERE]_[RANDOM-NUMBERS].png
# Note : .php;.gif ~ .asp;.png ~ .shtml.fla;.jpeg
#################################################################################################
Vulnerable File Code : /upload/index.php
************************************
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8" />
<title>PHP AJAX Image Upload, Truly Web 2.0!</title>
<link href="css/styles.css" rel="stylesheet" type="text/css" media="all" />
<!-- MAKE SURE TO REFERENCE THIS FILE! -->
<script type="text/javascript" src="scripts/ajaxupload.js"></script>
<!-- END REQUIRED JS FILES -->
<!-- THIS CSS MAKES THE IFRAME NOT JUMP -->
<style type="text/css">
iframe {
display:none;
}
</style>
<!-- THIS CSS MAKES THE IFRAME NOT JUMP -->
</head>
<body>
<div id="container">
<!-- THIS IS THE IMPORTANT STUFF! -->
<div id="demo_area">
<div id="left_col">
<!--
VERY IMPORTANT! Update the form elements below ajaxUpload fields:
1. form - the form to submit or the ID of a form (ex. this.form or
standard_use)
2. url_action - url to submit the form. like 'action' parameter of forms.
3. id_element - element that will receive return of upload.
4. html_show_loading - Text (or image) that will be show while loading
5. html_error_http - Text (or image) that will be show if HTTP error.
VARIABLE PASSED BY THE FORM:
maximum allowed file size in bytes:
maxSize = 9999999999
maximum image width in pixels:
maxW = 100
maximum image height in pixels:
maxH = 100
the full path to the image upload folder:
fullPath = http://www.atwebresults.com/php_ajax_image_upload/uploads/
the relative path from scripts/ajaxupload.php -> uploads/ folder
relPath = ../uploads/
The next 3 are for cunstom matte color of transparent images (gif,png), use
RGB value
colorR = 255
colorG = 255
colorB = 255
The form name of the file upload script
filename = filename
-->
<fieldset>
<legend>Sleeker More "Web 2.0" onChange Use</legend>
<form action="index.php" method="post" name="sleeker" id="sleeker"
enctype="multipart/form-data">
<input type="hidden" name="maxSize" value="9999999999" />
<input type="hidden" name="maxW" value="200" />
<input type="hidden" name="fullPath" value="
http://test-wordpress.kg/upload/uploads/" />
<input type="hidden" name="relPath" value="../uploads/" />
<input type="hidden" name="colorR" value="255" />
<input type="hidden" name="colorG" value="255" />
<input type="hidden" name="colorB" value="255" />
<input type="hidden" name="maxH" value="300" />
<input type="hidden" name="filename" value="filename" />
<p><input type="file" name="filename"
onchange="ajaxUpload(this.form,'scripts/ajaxupload.php?filename=name&maxSize=9999999999&maxW=200&fullPath=
http://test-wordprees.kg/upload/uploads/&relPath=../uploads/&colorR=255&colorG=255&colorB=255&maxH=300','upload_area','File
Uploading Please Wait...<br /><img
src=\'images/loader_light_blue.gif\' width=\'128\' height=\'15\'
border=\'0\' />','<img src=\'images/error.gif\' width=\'16\'
height=\'16\' border=\'0\' /> Error in Upload, check settings and path
info in source code.'); return false;" /></p>
</form>
</fieldset>
<br /><small style="font-weight: bold; font-style:italic;">Supported File
Types: gif, jpg, png</small>
</div>
<div id="right_col">
<?php
?>
<div id="upload_area"><img src="uploads/logo.png">
</div>
</div>
<div class="clear"> </div>
</div>
<!-- END IMPORTANT STUFF -->
</body>
</html>
#################################################################################################
# Example Vulnerable Sites =>
[+]
russia.starchildglobal.com/wp-content/plugins/share-buttons/upload/index.php
[+] viatec.md/wp-content/plugins/share-buttons/upload/index.php
[+] outfund.ru/wp-content/plugins/share-buttons/upload/index.php
[+] cnho.ru/wp-content/plugins/share-buttons/upload/index.php
[+] like-tv.tv/wp-content/plugins/share-buttons/upload/index.php
[+] eparhia-tmb.ru/wp-content/plugins/share-buttons/upload/index.php
[+] unost.org/wp-content/plugins/share-buttons/upload/index.php
[+] hww.ru/wp/wp-content/plugins/share-buttons/upload/index.php
[+] daode.com.ua/wp-content/plugins/share-buttons/upload/index.php
[+] udacha.pro/wp-content/plugins/share-buttons/upload/index.php
[+] brukioptom.com.ua/wp-content/plugins/share-buttons/upload/index.php
[+] poddelki.net/wp-content/plugins/share-buttons/upload/index.php
[+] spblago.ru/wp-content/plugins/share-buttons/upload/index.php
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################