77 lines
No EOL
2.9 KiB
Text
77 lines
No EOL
2.9 KiB
Text
# Exploit Title: Wordpress Ultimate-Product-Catalog v3.8.6 Arbitrary file (RCE)
|
|
# Date: 2016-06-23
|
|
# Google Dork: Index of /wp-content/plugins/ultimate-product-catalogue/
|
|
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
|
|
# Vendor Homepage: http://www.EtoileWebDesign.com/
|
|
# plugin uri: http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/
|
|
# Version: 3.8.6
|
|
# Tested on: windows 7 + Mozilla firefox.
|
|
# Demo: https://youtu.be/FSRZlD3SVQc
|
|
|
|
====================
|
|
DESCRIPTION
|
|
====================
|
|
|
|
An arbitrary file upload web vulnerability has been detected in the WordPress Ultimate Product Catalogue Plugin v3.8.6 and below.
|
|
The vulnerability allows remote attackers to upload arbitrary files within the wordpress upload directory if the plugin is premium version and the remote
|
|
attacker have an especific account (contributor|editor|author|administrator) who can manage this plugin.
|
|
|
|
===================
|
|
STEPS TO REPRODUCE
|
|
===================
|
|
|
|
1.- Go to "Custom fields" tab and add a new custom field with "type" file.
|
|
2.- Go to "Products" tab, Now you can see a new field with that you added previously.
|
|
3.- Select your php shell and save the product.
|
|
4.- Go to uri "http(s)://<wp-host>/<wp-path>/wp-content/uploads/upcp-product-file-uploads/<your-shell-name>" and enjoy.
|
|
|
|
================
|
|
Vulnerable code
|
|
================
|
|
located in <upc-plugin-path>/Functions/Update_Admin-Databases.php` file, the function `UPCP_Handle_File_Upload` does not check for file extensions.
|
|
|
|
function UPCP_Handle_File_Upload($Field_Name) {
|
|
..
|
|
if (!is_user_logged_in()) {exit();}
|
|
/* Make sure that the file exists */
|
|
elseif (empty($_FILES[$Field_Name]['tmp_name']) || $_FILES[$Field_Name]['tmp_name'] == 'none') {
|
|
$error = __('No file was uploaded here..', 'UPCP');
|
|
}
|
|
/* Move the file and store the URL to pass it onwards*/
|
|
else {
|
|
$msg .= $_FILES[$Field_Name]['name'];
|
|
//for security reason, we force to remove all uploaded file
|
|
$target_path = ABSPATH . 'wp-content/uploads/upcp-product-file-uploads/';
|
|
//create the uploads directory if it doesn't exist
|
|
if (!file_exists($target_path)) {
|
|
mkdir($target_path, 0777, true);
|
|
}
|
|
$target_path = $target_path . basename( $_FILES[$Field_Name]['name']);
|
|
if (!move_uploaded_file($_FILES[$Field_Name]['tmp_name'], $target_path)) {
|
|
//if (!$upload = wp_upload_bits($_FILES["Item_Image"]["name"], null, file_get_contents($_FILES["Item_Image"]["tmp_name"]))) {
|
|
$error .= "There was an error uploading the file, please try again!";
|
|
}
|
|
...
|
|
}
|
|
|
|
?>
|
|
|
|
==========
|
|
CREDITS
|
|
==========
|
|
|
|
Vulnerability discovered by:
|
|
Joaquin Ramirez Martinez [i0akiN SEC-LABORATORY]
|
|
joaquin.ramirez.mtz.lab[at]gmail[dot]com
|
|
https://www.facebook.com/I0-security-lab-524954460988147/
|
|
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
|
|
|
|
|
|
==========
|
|
time-line
|
|
==========
|
|
|
|
2015-08-08: vulnerability found
|
|
2016-06-21: Reported to vendor (No response)
|
|
2016-06-24: Public disclousure
|
|
=================================== |