#################################################################### # Exploit Title : WordPress ii-commerce Themes Unauthorized File Insertation # Author [ Discovered By ] : KingSkrupellos # Team : Cyberizm Digital Security Army # Date : 06/03/2019 # Vendor Homepage : wordpress.org # Tested On : Windows and Linux # Category : WebApps # Exploit Risk : Medium # Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ] # PacketStormSecurity : packetstormsecurity.com/files/authors/13968 # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/ # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos #################################################################### # Impact : *********** WordPress ii-commerce Themes is prone to an arbitrary file upload vulnerability. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control. #################################################################### # Arbitrary File Upload Exploit : *************************** /wp-content/themes/ii-commerce/js/node_modules/ng-file-upload/demo/war/ #################################################################### # Vulnerable Source Code : ************************ <!doctype html> <html> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <link type="text/css" rel="stylesheet" href="common.css"> <title>Angular file upload sample</title> FileAPI = { debug: true, //forceLoad: true, html5: false //to debug flash in HTML5 browsers //wrapInsideDiv: true, //experimental for fixing css issues //only one of jsPath or jsUrl. //jsPath: '/js/FileAPI.min.js/folder/', //jsUrl: 'yourcdn.com/js/FileAPI.min.js', //only one of staticPath or flashUrl. //staticPath: '/flash/FileAPI.flash.swf/folder/' //flashUrl: 'yourcdn.com/js/FileAPI.flash.swf' }; </script> <!-- <script src="//code.jquery.com/jquery-1.9.0.min.js"></script> --> <script type="text/javascript"> // load angularjs specific version var angularVersion = window.location.hash.substring(1); if (angularVersion.indexOf('/') == 0) angularVersion = angularVersion.substring(1); document.write('<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/angularjs/' + (angularVersion || '1.2.20') + '/angular.js"><\/script>'); </script> <script src="js/ng-file-upload-shim.js"></script> <script src="js/ng-file-upload.js"></script> <script src="js/upload.js"></script> <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/codemirror/4.8.0/codemirror.min.css"> <script src="//cdnjs.cloudflare.com/ajax/libs/codemirror/4.8.0/codemirror.min.js"></script> <script src="//cdnjs.cloudflare.com/ajax/libs/codemirror/4.8.0/mode/htmlmixed/htmlmixed.min.js"></script> <script src="//cdnjs.cloudflare.com/ajax/libs/codemirror/4.8.0/mode/htmlembedded/htmlembedded.min.js"></script> <script src="//cdnjs.cloudflare.com/ajax/libs/codemirror/4.8.0/mode/xml/xml.min.js"></script> <script src="//cdnjs.cloudflare.com/ajax/libs/codemirror/4.8.0/mode/javascript/javascript.min.js"></script> </head> <body ng-app="fileUpload" ng-controller="MyCtrl"> <div class="ng-v"> Angular Version: <input type="text" ng-model="angularVersion"> <input type="button" data-ng-click="changeAngularVersion()" value="Go"> </div> <h1>Angular file upload Demo</h1> <h3> Visit <a href="https://github.com/danialfarid/ng-file-upload">ng-file-upload</a> on github </h3> <div class="upload-div"> <div class="edit-div"> <a ng-click="showEdit = !showEdit" href="javascript:void(0)">+ edit upload html</a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <a ng-show="showEdit" ng-click="confirm() && (editHtml = defaultHtml)" href="javascript:void(0)">reset to default</a><br/><br/> <div ng-show="showEdit" id="htmlEdit"></div> </div> <div class="upload-buttons"> <div id="editArea"> <div style="float:left; margin-right: 10px;"> <form name="myForm"> <fieldset><legend>Upload on form submit</legend> Username: <input type="text" name="userName" ng-model="username" size="39" required> <i ng-show="myForm.userName.$error.required">*required</i><br> Profile Picture: <input type="file" ngf-select ng-model="picFile" name="file" accept="image/*" required> <i ng-show="myForm.file.$error.required">*required</i> <br/> <button ng-disabled="!myForm.$valid" ng-click="uploadPic(picFile)">Submit</button> <img ng-show="picFile[0] != null" ngf-src="picFile[0]" class="thumb"> <span class="progress" ng-show="picFile[0].progress >= 0"> <div style="width:{{picFile[0].progress}}%" ng-bind="picFile[0].progress + '%'"></div> </span> <span ng-show="picFile[0].result">Upload Successful</span> </fieldset> <br/> </form> <fieldset><legend>Upload right away</legend> <div class="up-buttons"> <div ngf-select ng-model="files" class="upload-button" ngf-multiple="false" ngf-accept="'*.pdf,*.jpg,*.png'" ng-model-rejected="rejFiles" tabindex="0">Attach an Image or PDF</div><br/> <button ngf-select ng-model="files" ngf-multiple="true">Attach Any File</button> </div> <div ngf-drop ngf-select ng-model="files" ng-model-rejected="rejFiles" ngf-drag-over-class="{accept:'dragover', reject:'dragover-err', delay:100}" class="drop-box" ngf-multiple="true" ngf-allow-dir="true" ngf-accept="'image/*,application/pdf'" ngf-drop-available="dropAvailable"> <div ng-hide="dropAvailable">File Drop not available</div> <div ng-show="dropAvailable">Drop Images or PDFs</div> <div>click to select</div> </div> </fieldset> </div> <fieldset><legend>Play with attributes</legend> <label>ngf-accept (accept/reject file model): <input type="text" ng-model="accept"></label><br/> <label>accept (for select browser dependent): <input type="text" ng-model="acceptSelect"></label><br/> <label>ngf-capture (for mobile): <input type="text" ng-model="capture"></label><br/> <label>ngf-min-size: <input type="text" ng-model="minSize"></label><br/> <label>ngf-max-size: <input type="text" ng-model="maxSize"></label><br/> <label><input type="checkbox" ng-model="multiple" >ngf-multiple (allow multiple files)</label><br/> <label><input type="checkbox" ng-model="disabled">ng-disabled</label><br/> <label><input type="checkbox" ng-model="allowDir">ngf-allow-dir (allow directory drop Chrome only)</label><br/> <div class="up-buttons"> <div ngf-select ngf-drop ng-model="files" ng-model-rejected="rejFiles" ngf-multiple="multiple" ngf-accept="accept" accept="{{acceptSelect}}" ngf-disabled="disabled" ngf-capture="capture" ngf-drag-over-class="{accept:'dragover', reject:'dragover-err', delay:100}" ngf-min-size="minSize" ngf-max-size="maxSize" ngf-allow-dir="allowDir" class="drop-box" ngf-drop-available="dropAvailable">Select File <span ng-show="dropAvailable">or Drop</span></div><br/> </div> <div class="preview"> <div>Preview image/audio/video:</div> <img style="max-width:300px" ngf-src="files[0]" ng-show="files[0].type.indexOf('image') > -1" ngf-accept="'image/*'"> <audio controls ngf-src="files[0]" ng-show="files[0].type.indexOf('audio') > -1" ngf-accept="'audio/*'"></audio> <video controls ngf-src="files[0]" ng-show="files[0].type.indexOf('video') > -1" ngf-accept="'video/*'"></video> </div> </fieldset> <br/> </div> </div> <ul style="clear:both" ng-show="rejFiles.length > 0" class="response"> <li class="sel-file" ng-repeat="f in rejFiles"> Rejected file: {{f.name}} - size: {{f.size}}B - type: {{f.type}} </li> </ul> <ul style="clear:both" ng-show="files.length > 0" class="response"> <li class="sel-file" ng-repeat="f in files"> <img ng-show="f.type.indexOf('image') > -1" ngf-src="f" class="thumb" ngf-accept="'image/*'"> <span class="progress" ng-show="f.progress >= 0"> <div style="width:{{f.progress}}%">{{f.progress}}%</div> </span> <button class="button" ng-click="f.upload.abort();f.upload.aborted=true" ng-show="f.upload != null && f.progress < 100 && !f.upload.aborted">Abort</button> {{f.name}} - size: {{f.size}}B - type: {{f.type}} <a ng-show="f.result" href="javascript:void(0)" ng-click="f.showDetail = !f.showDetail">details</a> <div ng-show="f.showDetail"> <br/> <div data-ng-show="f.result.result == null">{{f.result}}</div> <ul> <li ng-repeat="item in f.result.result"> <div data-ng-show="item.name">file name: {{item.name}}</div> <div data-ng-show="item.fieldName">name: {{item.fieldName}}</div> <div data-ng-show="item.size">size on the serve: {{item.size}}</div> <div data-ng-show="item.value">value: {{item.value}}</div> </li> </ul> <div data-ng-show="f.result.requestHeaders" class="reqh">request headers: {{f.result.requestHeaders}}</div> </div> </li> </ul> <br/> <div style="clear:both" class="err" ng-show="errorMsg != null">{{errorMsg}}</div> </div> <div style="clear:both" class="server"> <div class="srv-title">How to upload to the server:</div> <div class="howto"> <label><input type="radio" name="howToSend" ng-model="howToSend" value="1" ng-init="howToSend = 1">$upload.upload(): multipart/form-data upload cross browser</label> <br/> <label><input type="radio" name="howToSend" ng-model="howToSend" value="2" ng-disabled="!fileReaderSupported || usingFlash">$upload.http(): binary content with file's Content-Type</label> <div class="sub">Can be used to upload files directory into<a href="https://github.com/danialfarid/angular-file-upload/issues/88">CouchDB</a>, <a href="https://github.com/danialfarid/angular-file-upload/issues/87">imgur</a>, etc... without multipart form data (HTML5 FileReader browsers only)<br/> </div> <label><input type="radio" name="howToSend" ng-model="howToSend" value="3">Amazon S3 bucket upload</label> <form ng-show="howToSend==3" class="s3" id="s3form" action="http://localhost:8888" onsubmit="return false"> <br/> Provide S3 upload parameters. <a href="http://aws.amazon.com/articles/1434/" target="_blank">Click here for detailed documentation</a><br/></br> <label>S3 upload url including bucket name:</label> <input type="text" ng-model="s3url"> <br/> <label>AWSAccessKeyId:</label> <input type="Text" name="AWSAccessKeyId" ng-model="AWSAccessKeyId"> <br/> <label>acl (private or public):</label> <input type="text" ng-model="acl" value="private"><br/> <label>success_action_redirect:</label> <input type="text" ng-model="success_action_redirect"><br/> <label>policy:</label> <input type="text" ng-model="policy"><br/> <label>signature:</label> <input type="text" ng-model="signature"><br/> <br/> <button ng-click="showHelper=!showHelper">S3 Policy signing helper (Optional)</button><br/><br/> <div class="helper" ng-show="showHelper"> If you don't have your policy and signature you can use this tool to generate them by providing these two fields and clicking on sign<br/> <label>AWS Secret Key:</label> <input type="text" ng-model="AWSSecretKey"><br/> <label>JSON policy:</label><br/> <textarea type="text" ng-model="jsonPolicy" rows=10 cols=70></textarea> <button ng-click="generateSignature()">Sign</button> </div> </form> <br/> <br/> <div ng-show="howToSend != 3"> <input type="checkbox" ng-model="generateErrorOnServer">Return server error with http code: <input type="text" ng-model="serverErrorCode" size="5"> and message: <input type="text" ng-model="serverErrorMsg"> <br/> </div> <br/> </div> </div> <a style="position:fixed;bottom:28px;right:10px;font-size:smaller;" target="_blank" href="https://angular-file-upload.appspot.com/donate.html">donate</a> <a style="position:fixed;bottom:45px;right:10px;font-size:smaller;" href="https://github.com/danialfarid/angular-file-upload/issues/new">Feedback/Issues</a> <div style="position:fixed;bottom:10px;right:10px;font-size:smaller;color:#777">Last update: 2015-04-23</div> </body> </html> #################################################################### # Example Vulnerable Sites : ************************* [+] issuemagazine.com/wp-content/themes/ii-commerce/js/node_modules/ng-file-upload/demo/war/ [+] jwdikkers.com/wp-content/themes/ii-commerce/js/node_modules/ng-file-upload/demo/war/ #################################################################### # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team ####################################################################