WordPress WP-DownloadManager Plugin 1.68.1 arbitrary file upload vulnerability

2016-07-13T00:00:00
ID SSV:92097
Type seebug
Reporter
Modified 2016-07-13T00:00:00

Description

Vulnerable file: download-add.php

Vulnerable code:

if( ! empty( $_POST['do'] ) ) {

    check_admin_referer('wp-downloadmanager_add-file');

    // Decide What To Do
    switch( $_POST['do'] ) {
        // Add File
        case __('Add File', 'wp-downloadmanager'):

            $file_type = ! empty( $_POST['file_type'] ) ? intval( $_POST['file_type'] ) : 0;
            switch( $file_type ) {
                case 0:
                    $file = ! empty( $_POST['file'] ) ? addslashes( wp_kses_post( trim( $_POST['file'] ) ) ) : '';
                    $file = download_rename_file( $file_path, $file );
                    $file_size = filesize( $file_path . $file );
                    break;
                case 1:
                    // Only the size is checked; nothing validates the extension or content of the upload
                    if( $_FILES['file_upload']['size'] > get_max_upload_size() ) {
                        $text = '<p style="color: red;">' . sprintf( __('File Size Too Large. Maximum Size Is %s', 'wp-downloadmanager'), format_filesize( get_max_upload_size() ) ) . '</p>';
                        break;
                    } else {
                        if( is_uploaded_file( $_FILES['file_upload']['tmp_name'] ) ) {
                            $file_upload_to = ! empty( $_POST['file_upload_to'] ) ? $_POST['file_upload_to'] : '';
                            if( $file_upload_to !== '/' ) {
                                $file_upload_to = $file_upload_to . '/';
                            }
                            // The client-supplied file name (including its extension) is stored unchanged
                            if( move_uploaded_file( $_FILES['file_upload']['tmp_name'], $file_path . $file_upload_to . basename( $_FILES['file_upload']['name'] ) ) ) {
                                $file = $file_upload_to . basename( $_FILES['file_upload']['name'] );
                                $file = download_rename_file( $file_path, $file );
                                $file_size = filesize( $file_path . $file );
                            } else {
                                $text = '<p style="color: red;">' . __('Error In Uploading File', 'wp-downloadmanager') . '</p>';
                                break;
                            }
                        } else {
                            $text = '<p style="color: red;">' . __('Error In Uploading File', 'wp-downloadmanager') . '</p>';
                            break;
                        }
                    }
                    break;
            }
            break;
    }
}

As the code shows, the uploaded file is never validated: there is no check on the file type, the stored file name is not randomized, and the file name suffix is fully controlled by the uploader, so arbitrary files (including executable scripts) can be uploaded.
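For comparison, an added example of how the case 1 branch could be hardened; this is not the plugin's code or its vendor fix. It assumes it runs inside WordPress (wp_check_filetype, sanitize_file_name, wp_generate_password and WP_Error are core functions), reuses the plugin's get_max_upload_size() and $file_path from the snippet above, and the extension allow-list is illustrative.

```php
<?php
// Added example (not the plugin's code): a hardened replacement for the
// "case 1" upload branch. $upload is one $_FILES entry, $file_path is the
// plugin's download directory. Assumes WordPress core is loaded.
function dm_safe_handle_upload( array $upload, $file_path ) {
    if ( ! isset( $upload['error'] ) || $upload['error'] !== UPLOAD_ERR_OK
         || ! is_uploaded_file( $upload['tmp_name'] ) ) {
        return new WP_Error( 'upload', __( 'Error In Uploading File', 'wp-downloadmanager' ) );
    }
    if ( $upload['size'] > get_max_upload_size() ) {
        return new WP_Error( 'size', __( 'File Size Too Large', 'wp-downloadmanager' ) );
    }

    // 1. Allow-list the extension instead of trusting the client's file name.
    //    Server-executable types (php, phtml, ...) are simply not in the list,
    //    so they are rejected whatever name the client sent. (Illustrative list.)
    $allowed = array(
        'pdf' => 'application/pdf',
        'zip' => 'application/zip',
        'txt' => 'text/plain',
    );
    $check = wp_check_filetype( sanitize_file_name( $upload['name'] ), $allowed );
    if ( empty( $check['ext'] ) ) {
        return new WP_Error( 'type', __( 'File type not allowed', 'wp-downloadmanager' ) );
    }

    // 2. Write only into the fixed download directory; the vulnerable code
    //    concatenated $_POST['file_upload_to'] into the path without checks.
    $dir = rtrim( $file_path, '/' ) . '/';

    // 3. Randomise the stored name so the uploader neither chooses nor predicts
    //    it; keep only the validated extension.
    $stored = wp_generate_password( 32, false, false ) . '.' . $check['ext'];
    $target = $dir . $stored;

    if ( ! move_uploaded_file( $upload['tmp_name'], $target ) ) {
        return new WP_Error( 'upload', __( 'Error In Uploading File', 'wp-downloadmanager' ) );
    }
    // Not executable, as defence in depth against a misconfigured web server.
    chmod( $target, 0644 );

    return array( 'file' => $stored, 'size' => filesize( $target ) );
}
```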

Manual trigger:

Open /wp-admin/admin.php?page=wp-downloadmanager/download-add.php and select the upload file option.

Upload shell.php, then access it at /wp-content/files/shell.php.