# Date: 08/04/2018
# Exploit Author: Lenon Leite
# Vendor Homepage:
# https://wordpress.org/plugins/buddypress-xprofile-custom-fields-type/
# Software Link:
# https://wordpress.org/plugins/buddypress-xprofile-custom-fields-type/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 2.6.3
# Tested on: Ubuntu 16.1
#
#Article:
#http://lenonleite.com.br/publish-exploits/plugin-buddypress-xprofile-custom-fields-type-2-6-3-rce-unlink/
#
#Video:
#https://www.youtube.com/watch?v=By7kT7UbHVk
#
1 - Description
- Type user access: any user registered used in BuddyPress.
- $_POST[ 'field_' . $field_id . '_hiddenfile' ] is not escaped.
- $_POST[ 'field_' . $field_id . '_deleteimg' ] is not escaped.
2. Proof of Concept
Login as regular user.
1- Log in with BuddyPress User
2 - Access Edit Profile:
http://target/members/admin/profile/edit/
3 - Register data with image:
<http://target/wp-content/uploads/2018/01/buddypress-profile.png>4
- Change parameter to delete image in html and save profile:
<http://target/wp-content/uploads/2018/01/buddypress-profile2.png>
<http://target/wp-content/uploads/2018/01/buddypress-profile3-1.png>
#--
#*Atenciosamente*
#
#*Lenon Leite*