WordPress Easy Comment Uploads third party module suffers from a remote shell upload vulnerability, as the mime-type check seems to be bypassed if the referer is set to wp-admin.
9efe43d2e8ae321eaef6bc9719ae5553fea4ac505a6f3138e113e43605e81d3f
#############################################################################################
# #
# Exploit Title : Wordpress Easy Comment Uploads Shell Upload Vulnerability #
# #
# Author : Nafsh #
# #
# Discovered By : Tapco Security & Research Lab #
# #
# Home : sec-lab.ir #
# #
# Contact : research [at] sec-lab [dot] ir #
# #
# Date : 4/8/2012 - 13:33 #
# #
# Source : plugins.svn.wordpress.org/easy-comment-uploads/tags/0.60/upload.php #
# #
# DorK :
intext:"Invalid referer" inurl:"upload.php" #
# #
#############################################################################################
# POC: In Previous Version You Can Upload Your Shell With Image MimeType
But In New Version You Should Bypass Uploader With HTTP Referer Phishing And Change Referer To /wp-admin
# Source :
<?php
// Excerpt of the plugin's upload.php as quoted in the advisory (see the
// "Source" line above for the tag it was taken from). The helpers it calls
// (write_js, ecu_upload_dir_path, ecu_upload_dir_url, find_unique_target,
// filetype_blacklisted, filetype_whitelisted) are defined elsewhere in the
// plugin and are not part of this excerpt.
//
// Check referer
// NOTE(review): despite the message text, this is a WordPress nonce check on
// $_REQUEST['_wpnonce'], not a check of the HTTP Referer header. The three
// calls are chained with ||, so on a failed nonce write_js() runs first and
// die() is reached only if write_js() returns a falsy value; whether a bad
// nonce actually stops execution therefore depends on write_js()'s return
// value, which is not visible here — confirm against the plugin source.
wp_verify_nonce ($_REQUEST ['_wpnonce'], 'ecu_upload_form')
|| write_js ("alert ('Invalid Referer')")
|| die ('Invalid referer');
// Get needed info
// Upload directory and its public URL come from plugin helpers; the two
// options are the admin-configured policy knobs. $max_file_size is read but
// not checked anywhere in the visible lines.
$target_dir = ecu_upload_dir_path ();
$target_url = ecu_upload_dir_url ();
$images_only = get_option ('ecu_images_only');
$max_file_size = get_option ('ecu_max_file_size');
// Creates the upload directory with mkdir()'s default mode if it is missing;
// the return value is not checked.
if (!file_exists ($target_dir))
mkdir ($target_dir);
// Destination path is derived from the client-supplied filename. basename()
// strips directory components, but the extension is passed through unchanged
// here; de-duplication is delegated to find_unique_target() (not shown).
$target_path = find_unique_target ($target_dir
. basename($_FILES['file']['name']));
$target_name = basename ($target_path);
// Debugging message example
// write_js ("alert ('$target_url')");
// Default values
$filecode = "";
$filelink = "";
// Detect whether the uploaded file is an image
// NOTE(review): $_FILES['file']['type'] is the Content-Type supplied by the
// uploading client, not derived from the file contents, and the pattern is
// unanchored, so any type string containing jpeg/png/gif matches. This is the
// check the advisory describes as bypassable. A server-side decision would
// inspect the bytes (finfo / getimagesize) and validate the extension
// against an allow-list rather than trusting the declared type.
$is_image = preg_match ('/(jpeg|png|gif)/i', $_FILES['file']['type']);
$type = ($is_image) ? "img" : "file";
// Policy: with images-only enabled, anything not detected as an image is
// rejected; otherwise only types that are blacklisted and not whitelisted
// are rejected. Both branches set $alert rather than stopping execution;
// the remainder of this if/else chain is outside the quoted excerpt.
if (!$is_image && $images_only) {
$alert = "Sorry, you can only upload images.";
} else if (filetype_blacklisted() && !filetype_whitelisted()) {
$alert = "You are attempting to upload a file with a disallowed/unsafe filetype!";
# #
# #
# https://[TARGET]/wp-content/plugins/wp-vipergb/easy-comment-uploads/upload.php #
# https://[TARGET]/wp-content/plugins/easy-comment-uploads/upload.php
# #
#############################################################################################
# #
# Dem0 : #
# #
# https://www.bulliesofnc.com/wp-content/plugins/wp-vipergb/easy-comment-uploads/upload.php
# #
# https://taymourschool.com/wp/wp-content/plugins/wp-vipergb/easy-comment-uploads/upload.php
# #
# https://equator-indonesia.com/wp-content/plugins/easy-comment-uploads/upload.php
#############################################################################################
# #
# We are : K0242 | Nafsh | Ehram.shahmohamadi #
# #
# Greetz : All sec-lab researchers #
# #
#############################################################################################