###########################

# Wordpress Levo-Slideshow 2.3 Shell Upload Vulnerability

###########################

#Exploit Name: Wordpress Levo-Slideshow 2.3 Shell Upload by Unprivileged user
#Exploit Date: 5/6/2016
#Author: Aaditya Purani
#Author Blog: https://aadityapurani.com
#Vendor: https://wordpress.org/plugins/wp-levoslideshow
#Version: 2.3
#Tested on: Wordpress 4.5.2

Hi, this is Aaditya Purani. Let's have a look at this 0-day exploit.

Plugin Description:

WP-Levoslideshow is a WordPress plugin that lets users display multiple slideshow instances in their posts, with different categories and images.

PoC ( Proof Of Concept ):

1) Log in as an unprivileged user, one who does not even have the privilege to upload a plugin.

2) Go to http://site.com/wp-admin/admin.php?page=levoslideshow_manage

3) If a gallery already exists, don't create one; go to "Category Management", click "Add New", upload any .png / .jpg image from your PC and intercept the request.

4) After intercepting the upload request, send it to Repeater, change the filename to image.png.php and, in the POST image data, add your PHP backdoor between the image chunks. It should look like this:

http://postimg.org/image/ih4lwyad7/

5) Forward the request and go to site.com/wp-content/uploads/levoslideshow/[ALBUM_NUMBER]_uploadfolder/big/[YourShell] to access your shell.

That's it.
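The issue above lets a low-privilege account place a file with a double extension (image.png.php) and embedded PHP into wp-content/uploads/levoslideshow/[ALBUM_NUMBER]_uploadfolder/big/. The script below is an added example for site administrators, not code from the advisory or from the plugin: it walks an uploads tree and flags files that have more than one extension, end in a PHP-executable extension, carry an image extension without an image header, or contain a PHP open tag in their body. The extension lists, the magic-byte table and the sample directory it builds are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions a typical Apache/mod_php or PHP-FPM setup will execute (assumption).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif"}
PHP_TAG = re.compile(rb"<\?php|<\?=")
# Leading bytes of the image formats the plugin accepts (constructed table).
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def classify(path: Path) -> List[str]:
    """Return the reasons an uploaded file looks suspicious (empty list == clean)."""
    reasons = []
    exts = path.name.lower().split(".")[1:]  # 'image.png.php' -> ['png', 'php']
    if len(exts) > 1:
        reasons.append("multiple extensions")
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{exts[-1]}")
    if any(e in EXECUTABLE_EXTS for e in exts[:-1]):
        reasons.append("executable extension in the middle of the name")
    with path.open("rb") as fh:
        head = fh.read(1 << 20)  # first MiB covers the magic bytes and any embedded tag
    has_image_header = any(head.startswith(m) for m in IMAGE_MAGIC)
    if exts and exts[-1] in IMAGE_EXTS and not has_image_header:
        reasons.append("image extension but no image header")
    if PHP_TAG.search(head):
        reasons.append("PHP open tag inside file body")
    return reasons


def find_suspicious_uploads(root) -> Dict[str, List[str]]:
    """Map each suspicious file (path relative to root) to its list of reasons."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = classify(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_tree() -> Path:
    """Create a constructed uploads tree in a temp dir mirroring the plugin's layout."""
    root = Path(tempfile.mkdtemp(prefix="levo_uploads_"))
    big = root / "1_uploadfolder" / "big"
    big.mkdir(parents=True)
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    (big / "photo.png").write_bytes(png_header)                       # legitimate image
    (big / "photo.png.php").write_bytes(png_header + b"<?php /* marker */ ?>" + b"\x00" * 16)
    (big / "cover.jpg").write_bytes(b"not really a jpeg")             # wrong content type
    return root


if __name__ == "__main__":
    # Point find_suspicious_uploads() at wp-content/uploads/levoslideshow on a real site.
    for rel, why in find_suspicious_uploads(build_sample_tree()).items():
        print(f"{rel}: {', '.join(why)}")
```

On a live site run find_suspicious_uploads() against wp-content/uploads/levoslideshow (and the uploads directory generally); any hit with an executable extension or an embedded PHP tag should be removed and the account that uploaded it reviewed. The check on the first MiB is a heuristic: a web server that is configured not to execute anything under uploads removes the class of problem entirely, and that server-side rule is the fix to pair with this scan.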
Follow: https://twitter.com/aaditya_purani
Website: https://aaditya.com

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2016-06-20]

###########################