# Exploit Title: Wordpress Ultimate-Product-Catalog v3.8.6 Arbitrary file (RCE) # Date: 2016-06-23 # Google Dork: Index of /wp-content/plugins/ultimate-product-catalogue/ # Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ] # Vendor Homepage: http://www.EtoileWebDesign.com/ # plugin uri: http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/ # Version: 3.8.6 # Tested on: windows 7 + Mozilla firefox. # Demo: https://youtu.be/FSRZlD3SVQc ==================== DESCRIPTION ==================== An arbitrary file upload web vulnerability has been detected in the WordPress Ultimate Product Catalogue Plugin v3.8.6 and below. The vulnerability allows remote attackers to upload arbitrary files within the wordpress upload directory if the plugin is premium version and the remote attacker have an especific account (contributor|editor|author|administrator) who can manage this plugin. =================== STEPS TO REPRODUCE =================== 1.- Go to "Custom fields" tab and add a new custom field with "type" file. 2.- Go to "Products" tab, Now you can see a new field with that you added previously. 3.- Select your php shell and save the product. 4.- Go to uri "http(s)://<wp-host>/<wp-path>/wp-content/uploads/upcp-product-file-uploads/<your-shell-name>" and enjoy. ================ Vulnerable code ================ located in <upc-plugin-path>/Functions/Update_Admin-Databases.php` file, the function `UPCP_Handle_File_Upload` does not check for file extensions. function UPCP_Handle_File_Upload($Field_Name) { .. if (!is_user_logged_in()) {exit();} /* Make sure that the file exists */ elseif (empty($_FILES[$Field_Name]['tmp_name']) || $_FILES[$Field_Name]['tmp_name'] == 'none') { $error = __('No file was uploaded here..', 'UPCP'); } /* Move the file and store the URL to pass it onwards*/ else { $msg .= $_FILES[$Field_Name]['name']; //for security reason, we force to remove all uploaded file $target_path = ABSPATH . 'wp-content/uploads/upcp-product-file-uploads/'; //create the uploads directory if it doesn't exist if (!file_exists($target_path)) { mkdir($target_path, 0777, true); } $target_path = $target_path . basename( $_FILES[$Field_Name]['name']); if (!move_uploaded_file($_FILES[$Field_Name]['tmp_name'], $target_path)) { //if (!$upload = wp_upload_bits($_FILES["Item_Image"]["name"], null, file_get_contents($_FILES["Item_Image"]["tmp_name"]))) { $error .= "There was an error uploading the file, please try again!"; } ... } ?> ========== CREDITS ========== Vulnerability discovered by: Joaquin Ramirez Martinez [i0akiN SEC-LABORATORY] joaquin.ramirez.mtz.lab[at]gmail[dot]com https://www.facebook.com/I0-security-lab-524954460988147/ https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q ========== time-line ========== 2015-08-08: vulnerability found 2016-06-21: Reported to vendor (No response) 2016-06-24: Public disclousure ===================================