WordPress nlh_omp-v1 Themes 1.0 Unauthorized File Insertion

2019.03.06
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

####################################################################
# Exploit Title : WordPress nlh_omp-v1 Themes 1.0 Unauthorized File Insertion
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 06/03/2019
# Vendor Homepage : wordpress.org ~ nlh.gr
# Software Information Link : wordpress.org/themes/nlh_omp-v1/
# Software Affected Version : 1.0
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
####################################################################
# Impact :
***********
WordPress nlh_omp-v1 Themes 1.0 is prone to an arbitrary file upload vulnerability. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
####################################################################
# Exploit :
*********
/wp-content/themes/nlh_omp-v1/inc/moments_form.php
# Directory File Path :
********************
/wp-content/uploads/[YEAR]/[MONTH]/.....
####################################################################
# Vulnerable Source Code :
*************************
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Moments Upload form</title>
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,300,500,700,900&subset=latin,greek' rel='stylesheet' type='text/css'>
<link href='https://fonts.googleapis.com/css?family=Roboto+Slab:400,700,300,100&subset=latin,greek' rel='stylesheet' type='text/css'>
<link href='https://nlh.gr/wp-content/themes/nlh_omp-v1/fontawesome/css/font-awesome.min.css' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="https://nlh.gr/wp-content/themes/nlh_omp-v1/style.css" type="text/css">
<link rel="stylesheet" href="https://nlh.gr/wp-content/themes/nlh_omp-v1/responcive_style.css" type="text/css">
<script src="https://nlh.gr/wp-content/themes/nlh_omp-v1/js/ui/jquery-ui.min.js"></script>
</head>
<body id="moments_body">
<!-- Visitor-facing upload form: no login required and no nonce/CSRF field is submitted -->
<form id="media_upload_form" enctype="multipart/form-data">
<div class="spinner" id="image_loader"><div class="bounce1"></div><div class="bounce2"></div><div class="bounce3"></div></div>
<div id="image_placeholder">
<label for="user_file" class="btn_view">Select a photo</label>
<input type="file" name="user_file" id="user_file">
<small>*You can upload jpg or png files with maximum file size 2MB.</small>
</div>
<span id="thx_mesage"><strong>Thank you very much!</strong> <br>Your image will be published soon.</span>
<input type="hidden" id="image_id" name="image_id" value="">
<input type="email" id="photo_file_email" name="visitor_email" placeholder="Your email" required>
<input type="text" id="photo_file_title" name="item_title" placeholder="Add Title" required>
<textarea id="photo_file_desc" name="item_desc" placeholder="Add Description"></textarea>
<span class="form_upload_btn" id="form_upload_btn" style="display: none;" onClick="add_gallery();">Save</span>
</form>
<script src="https://nlh.gr/wp-content/themes/nlh_omp-v1/js/simpleUpload.min.js"></script>
<script>
jQuery(function(){
    // The extension allowlist and size cap below are enforced only in the browser;
    // the file itself is posted straight to inc/etc_tools.php in the theme directory.
    jQuery('#user_file').simpleUpload({
        url: 'https://nlh.gr/wp-content/themes/nlh_omp-v1/inc/etc_tools.php',
        types: ['jpg', 'png','Jpg','Png','JPG','PNG'],
        size: 2072,
        fields: {
            type : 'user_file',
        },
        beforeSend : function(files){
            jQuery('#image_placeholder').empty();
            jQuery('#image_loader').show();
        },
        change : function(files){
            jQuery.each(files, function(i, file){
                console.log(file);
                jQuery('#image_loader').show();
            });
        },
        success : function(data){
            // The server answers with the URL of the stored file and its attachment id
            console.log(data);
            var obj = jQuery.parseJSON(data);
            image_url = obj['url'];
            image_id = obj['image_id'];
            jQuery("#image_id").val(image_id);
            jQuery('#image_loader').hide();
            jQuery('#form_upload_btn').show();
            jQuery('#image_placeholder').html('<span><img src="'+image_url+'"/></span>');
        }
    });
});

function add_gallery(){
    post_title = jQuery("#photo_file_title").val();
    visitor_email = jQuery("#photo_file_email").val();
    post_content = jQuery("#photo_file_desc").val();
    post_image_id = jQuery("#image_id").val();
    // Second request to the same endpoint: creates the "moment" post for the uploaded image
    jQuery.post("https://nlh.gr/wp-content/themes/nlh_omp-v1/inc/etc_tools.php",{
        action : 'add_moment',
        post_title : post_title,
        visitor_email : visitor_email,
        post_content : post_content,
        post_image_id : post_image_id
    }).done(function(data) {
        console.log(data);
        if (data == 'OK'){
            jQuery("#photo_file_email").remove();
            jQuery("#photo_file_title").remove();
            jQuery("#photo_file_desc").remove();
            jQuery(".form_upload_btn").remove();
            jQuery("#thx_mesage").show();
            setInterval(function(){ parent.$.fancybox.close(); }, 5000);
        }
    });
}
</script>
</body>
</html>
####################################################################
# Example Vulnerable Sites :
*************************
[+] nlh.gr/wp-content/themes/nlh_omp-v1/inc/moments_form.php
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################
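The form above enforces the jpg/png allowlist and the 2 MB cap only in the browser and posts the file to a PHP file under the theme directory with no nonce or login. The handler below is an added example of how a theme should receive that upload on the server; it is not the theme's own etc_tools.php. It routes the request through WordPress's admin-ajax.php, and the action name nlh_moment_upload, the nonce field nlh_moment_nonce and the nonce action string are assumptions chosen for this example.

```php
<?php
// Added example (not the nlh_omp-v1 theme's code): server-side handling of the
// "user_file" upload that moments_form.php submits. Hook names, the nonce field
// and the nonce action are hypothetical names chosen for this example.

add_action( 'wp_ajax_nlh_moment_upload', 'nlh_moment_upload_handler' );

function nlh_moment_upload_handler() {
    // 1. Anti-CSRF: the form must carry a nonce issued for this action.
    if ( ! isset( $_POST['nlh_moment_nonce'] )
        || ! wp_verify_nonce( $_POST['nlh_moment_nonce'], 'nlh_moment_upload' ) ) {
        wp_send_json_error( 'invalid request', 403 );
    }

    // 2. Authorization is decided here, not by whoever can reach the form.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'not allowed', 403 );
    }

    if ( empty( $_FILES['user_file'] ) || UPLOAD_ERR_OK !== $_FILES['user_file']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['user_file'];

    // 3. The 2 MB cap is enforced on the server; the client-side "size: 2072" is advisory only.
    if ( $file['size'] > 2 * 1024 * 1024 ) {
        wp_send_json_error( 'file too large', 413 );
    }

    // 4. Content check: the bytes must decode as a JPEG or PNG, whatever the name says.
    $image_info = @getimagesize( $file['tmp_name'] );
    if ( false === $image_info
        || ! in_array( $image_info[2], array( IMAGETYPE_JPEG, IMAGETYPE_PNG ), true ) ) {
        wp_send_json_error( 'not a jpg/png image', 415 );
    }

    // 5. Extension/MIME allowlist: wp_handle_upload() runs wp_check_filetype_and_ext()
    //    and rejects files whose extension disagrees with the detected type; 'mimes'
    //    narrows the allowlist to the two types the form advertises.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $upload = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png' ),
        // 6. Never keep the client-supplied file name: random name, detected extension.
        'unique_filename_callback' => function ( $dir, $name, $ext ) {
            return wp_generate_password( 24, false ) . $ext;
        },
    ) );
    if ( isset( $upload['error'] ) ) {
        wp_send_json_error( $upload['error'], 400 );
    }

    // 7. Register the file as a media-library attachment instead of returning a raw path.
    require_once ABSPATH . 'wp-admin/includes/image.php';
    $attachment_id = wp_insert_attachment( array(
        'post_mime_type' => $upload['type'],
        'post_title'     => sanitize_file_name( basename( $upload['file'] ) ),
        'post_status'    => 'inherit',
    ), $upload['file'] );
    wp_update_attachment_metadata(
        $attachment_id,
        wp_generate_attachment_metadata( $attachment_id, $upload['file'] )
    );

    wp_send_json_success( array( 'image_id' => $attachment_id ) );
}
```

The example only registers the logged-in `wp_ajax_` hook; if anonymous submissions are a product requirement, register `wp_ajax_nopriv_` as well and drop the capability check, but keep the nonce, the server-side size cap, the image decode check and the wp_handle_upload() allowlist, since those are the checks the original form left entirely to the browser. Serving uploads from a directory where PHP execution is disabled (for example a web-server rule for wp-content/uploads) is a complementary mitigation.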


Copyright 2019, cxsecurity.com
